TheTechGuide Forum
General Category => Tech Clinic => Topic started by: alinato on August 01, 2008, 09:30:22 AM
-
When I ran netstat from cmd, I found too many active connections established :(
The problem is that I hadn't opened IE or Firefox yet.... Look below:
C:\>netstat
Active Connections
Proto Local Address Foreign Address State
TCP LaptopPro:9984 216.239.59.99:http ESTABLISHED
TCP LaptopPro:10665 84.53.178.64:http ESTABLISHED
TCP LaptopPro:10668 84.53.178.64:http ESTABLISHED
TCP LaptopPro:10675 gv-in-f127.google.com:http ESTABLISHED
TCP LaptopPro:11178 66.244.142.41:smtp ESTABLISHED
TCP LaptopPro:11183 b.mx.mm-interactive.com:smtp ESTABLISHED
TCP LaptopPro:11185 mx2.cityofchicago.org:smtp ESTABLISHED
TCP LaptopPro:11187 mail.hbsp.harvard.edu:smtp SYN_SENT
TCP LaptopPro:11192 mediaport-jp.com:smtp ESTABLISHED
TCP LaptopPro:11193 smtp.localtvllc.com:smtp ESTABLISHED
TCP LaptopPro:11199 mxecd09.gs.com:smtp ESTABLISHED
TCP LaptopPro:11204 s6a2.psmtp.com:smtp CLOSE_WAIT
TCP LaptopPro:11206 server111.appriver.com:smtp ESTABLISHED
TCP LaptopPro:11210 hyperthink.valuetech.net:smtp ESTABLISHED
TCP LaptopPro:11211 mx7.its.rochester.edu:smtp ESTABLISHED
TCP LaptopPro:11212 host6-112-static.53-88-b.business.telecomitalia.it:smtp ESTABLISHED
TCP LaptopPro:11218 mta.auna.com:smtp ESTABLISHED
TCP LaptopPro:11221 bay0-mc12-f.bay0.Email Removed.com:smtp ESTABLISHED
TCP LaptopPro:11226 server51.appriver.com:smtp ESTABLISHED
TCP LaptopPro:11231 smtpin-vip.houston.hp.com:smtp CLOSE_WAIT
TCP LaptopPro:11234 mail6.ruraltel.net:smtp CLOSE_WAIT
TCP LaptopPro:11236 s003.hostway.ro:smtp ESTABLISHED
TCP LaptopPro:11238 bay0-mc7-f.bay0.Email Removed.com:smtp ESTABLISHED
TCP LaptopPro:11246 lxmail.objectwareinc.com:smtp ESTABLISHED
TCP LaptopPro:11247 fwmail01.sickkids.on.ca:smtp ESTABLISHED
TCP LaptopPro:11250 takara-sangyo.co.jp:smtp ESTABLISHED
TCP LaptopPro:11252 eforward4.name-services.com:smtp ESTABLISHED
TCP LaptopPro:11253 semailgw1.logitall.com:smtp ESTABLISHED
TCP LaptopPro:11257 server57.appriver.com:smtp ESTABLISHED
TCP LaptopPro:11258 mail2.jxe.com:smtp SYN_SENT
TCP LaptopPro:11259 mgw.jbic.go.jp:smtp CLOSE_WAIT
TCP LaptopPro:11262 relay-jpn.vanhosp.bc.ca:smtp ESTABLISHED
TCP LaptopPro:11263 salembc.com:smtp ESTABLISHED
TCP LaptopPro:11265 db.rehost.com.ua:smtp ESTABLISHED
TCP LaptopPro:11266 server25.appriver.com:smtp ESTABLISHED
TCP LaptopPro:11268 207.159.120.164:smtp ESTABLISHED
TCP LaptopPro:11270 mx1.empal.com:smtp CLOSE_WAIT
TCP LaptopPro:11271 conceptsoftware.net:smtp ESTABLISHED
TCP LaptopPro:11272 server93.appriver.com:smtp ESTABLISHED
TCP LaptopPro:11273 mx2.terra.com.br:smtp CLOSE_WAIT
TCP LaptopPro:11274 nmta02.telering.at:smtp ESTABLISHED
TCP LaptopPro:11275 www.dnskentmedya.com:smtp ESTABLISHED
TCP LaptopPro:11276 gs18.inmotionhosting.com:smtp ESTABLISHED
TCP LaptopPro:11277 smtp-test.indigo.ie:smtp ESTABLISHED
TCP LaptopPro:11278 server56.appriver.com:smtp ESTABLISHED
TCP LaptopPro:11279 relay1.logient.com:smtp ESTABLISHED
TCP LaptopPro:11280 mailgw11.dol.com.tr:smtp CLOSE_WAIT
TCP LaptopPro:11281 dfw7-1.relay.mail.uu.net:smtp ESTABLISHED
TCP LaptopPro:11282 tpamail5.verizon.com:smtp SYN_SENT
TCP LaptopPro:11283 emh2.hqda.pentagon.mil:smtp ESTABLISHED
TCP LaptopPro:11284 server86.appriver.com:smtp ESTABLISHED
TCP LaptopPro:9882 localhost:9885 ESTABLISHED
TCP LaptopPro:9885 localhost:9882 ESTABLISHED
TCP LaptopPro:9924 localhost:9925 ESTABLISHED
TCP LaptopPro:9925 localhost:9924 ESTABLISHED
C:\>
I think I have a trojan/spyware/adware on my computer....
Could you please help? The following is the HijackThis log.
Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:32 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VRS] "C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [AdwareAlert] "C:\Program Files\AdwareAlert\AdwareAlert.exe" -boot
O4 - HKCU\..\RunOnce: [SpybotDeletingB3621] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7342] cmd /c del "C:\WINDOWS\system32\ntos.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1169] command /c del "C:\WINDOWS\system32\ntos.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: '@ivt' ("") protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177338566265
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: opnkhhh - opnkhhh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VOIPAX - Macrovision - C:\PROGRA~1\VOIPAX\VOIPAX\VOIPAX.exe
O23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 9995 bytes
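Added example (not code from the thread or from any tool it mentions): the netstat dump above is the most telling artefact in this post. A laptop with no mail client or browser open is holding dozens of outbound connections to unrelated mail exchangers on port 25, in ESTABLISHED, SYN_SENT and CLOSE_WAIT states, which is the pattern of a machine relaying spam rather than of a user reading mail. The Python script below parses netstat output in exactly that layout (including a hostname the console wrapped onto a second line, as happened with the telecomitalia.it row), counts distinct non-loopback SMTP destinations, and flags the host when the count passes a threshold. The sample dumps, the example.net/example.org hostnames and the threshold of 5 are all constructed assumptions for this demonstration.

```python
"""Flag spam-bot style SMTP fan-out in Windows `netstat` output.

A desktop normally talks to one or two SMTP servers (its own provider).
Many simultaneous outbound connections to unrelated mail exchangers is a
strong indicator that the machine is being used to send spam.
"""
import re
import sys
from collections import Counter

# One row of the "Active Connections" table printed by `netstat`. Without -n
# the port is a service name (http, smtp); with -n it is numeric, so both are
# accepted. Bracketed IPv6 addresses are not handled here.
#   TCP    LaptopPro:11178    66.244.142.41:smtp    ESTABLISHED
ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<lhost>[^\s:]+):(?P<lport>\S+)\s+"
    r"(?P<rhost>[^\s:]+):(?P<rport>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

SMTP_PORTS = {"smtp", "25", "submission", "587"}


def parse_netstat(text):
    """Return one dict per connection row; headers and blank lines are skipped.
    A row that the console wrapped after a long hostname is re-joined with the
    following line before matching."""
    rows, pending = [], ""
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
            pending = ""
        elif raw.lstrip().startswith(("TCP", "UDP")):
            pending = raw.rstrip()  # first half of a wrapped row
        else:
            pending = ""
    return rows


def is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def smtp_fanout(rows):
    """Distinct remote hosts contacted on an SMTP port. SYN_SENT and CLOSE_WAIT
    rows count as well: in both the local machine initiated the connection."""
    return sorted({
        r["rhost"] for r in rows
        if r["proto"] == "TCP"
        and r["rport"] in SMTP_PORTS
        and not is_loopback(r["rhost"])
    })


def assess(text, threshold=5):
    """Summarise a netstat dump and flag SMTP fan-out at or above `threshold`
    distinct hosts. 5 is an assumed desktop value; a real mail server needs a
    far higher threshold or an allow-list of its own relays."""
    rows = parse_netstat(text)
    hosts = smtp_fanout(rows)
    states = Counter(r["state"] for r in rows if r["rport"] in SMTP_PORTS)
    return {
        "rows": len(rows),
        "smtp_hosts": len(hosts),
        "smtp_states": dict(states),
        "verdict": "SUSPICIOUS: outbound SMTP fan-out" if len(hosts) >= threshold else "ok",
    }


# Constructed sample in the layout of the thread's dump (example hostnames,
# not the ones from the post); the example-isp row is deliberately wrapped.
SAMPLE_INFECTED = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    LaptopPro:9984         203.0.113.10:http      ESTABLISHED
  TCP    LaptopPro:11178        198.51.100.7:smtp      ESTABLISHED
  TCP    LaptopPro:11183        mx1.example.net:smtp   ESTABLISHED
  TCP    LaptopPro:11187        mail.example.edu:smtp  SYN_SENT
  TCP    LaptopPro:11204        mx.example.org:smtp    CLOSE_WAIT
  TCP    LaptopPro:11212        host6-112-static.53-88-b.business.example-isp.
it:smtp ESTABLISHED
  TCP    LaptopPro:11218        relay.example.com:smtp ESTABLISHED
  TCP    LaptopPro:9882         localhost:9885         ESTABLISHED
  TCP    LaptopPro:9885         localhost:9882         ESTABLISHED
"""

# Constructed clean sample: one browser session and the user's own mail server.
SAMPLE_CLEAN = """
  Proto  Local Address          Foreign Address        State
  TCP    LaptopPro:1045         203.0.113.10:http          ESTABLISHED
  TCP    LaptopPro:1046         smtp.example-isp.net:smtp  ESTABLISHED
"""

if __name__ == "__main__":
    # Pipe real output in (`netstat -ano | python this_script.py`), otherwise
    # the constructed sample is assessed.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INFECTED
    print(assess(text))
```

On a live machine, `netstat -ano` adds the owning PID to each row so a flagged connection can be matched to a process in `tasklist`; the dump in this post was taken without `-o`, which is why the poster could not tell which program held the SMTP sessions. The parser treats any SYN_SENT or CLOSE_WAIT row as evidence, since either state means the local host opened the connection, whether or not the remote server accepted it.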
-
Sorry for the delay. If you still need a hand, can you do the following please:
Download Deckard's System Scanner (dss.exe) from http://deckard.geekstogo.com/dss.exe to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post back the whole contents of main.txt and extra.txt.
-
Yes of course. I was starting to lose hope. Here are the reports required:
main.txt:
Deckard's System Scanner v20071014.68
Run by Ahmed Hawwa on 2008-08-12 03:27:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2008-08-12 02:27:47 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 448 MiB (512 MiB recommended).
-- HijackThis (run as Ahmed Hawwa.exe) -----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:05 AM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Documents and Settings\Ahmed Hawwa\My Documents\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ahmed Hawwa.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} - C:\WINDOWS\fdkowvbp.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: '@ivt' ("") protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177338566265
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: opnkhhh - opnkhhh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: [FireLion] Link Sniffer Service (linksnifferservice) - FireLion Co., Ltd - C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (snoopfreesvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VOIPAX - Macrovision - C:\PROGRA~1\VOIPAX\VOIPAX\VOIPAX.exe
O23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8987 bytes
-- File Associations -----------------------------------------------------------
.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R0 snoopfree (SnoopFree Driver) - c:\windows\system32\drivers\snopfree.sys
R0 SSFS0509 (Spy Sweeper File System Filer Driver: 0509) - c:\windows\system32\drivers\ssfs0509.sys <Not Verified; Webroot Software Inc (www.webroot.com); Spy Sweeper SDK>
R0 SSHRMD (Spy Sweeper Hookrack MiniDriver) - c:\windows\system32\drivers\sshrmd.sys <Not Verified; Webroot Software Inc (www.webroot.com); Spy Sweeper SDK>
R0 SSIDRV (Spy Sweeper Interdiction Driver) - c:\windows\system32\drivers\ssidrv.sys <Not Verified; Webroot Software Inc (www.webroot.com); Spy Sweeper SDK>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 SSKBFD (Webroot Spy Sweeper Keylogger Shield Keyboard Filter) - c:\windows\system32\drivers\sskbfd.sys <Not Verified; Webroot Software Inc (www.webroot.com); Spy Sweeper SDK>
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys <Not Verified; Toshiba Corporation; Toshiba Notebook PC SMI Service>
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)
S3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 SiwvidStart - c:\docume~1\ahmedh~1\locals~1\temp\_istmp1.dir\_istmp0.dir\siwvid.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(tm)>
R2 linksnifferservice ([FireLion] Link Sniffer Service) - c:\program files\firelion softwares\link sniffer\slinksniffer.exe <Not Verified; FireLion Co., Ltd; [FireLion] Link Sniffer Service>
R2 snoopfreesvc (Snoop Free Service) - system32\snoopfreesvc.exe
S2 VOIPAX - c:\progra~1\voipax\voipax\voipax.exe -zglaxservice voipax <Not Verified; Macrovision; LaunchAnywhere>
S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 VRSService (VRS Recording System) - "c:\program files\nch swift sound\vrs\vrs.exe" -service <Not Verified; NCH Software; >
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-08-12 03:00:03 508 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-08-05 08:39:00 276 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-06-19 14:57:11 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-06-22 08:39:17 350 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2007-04-24 12:41:45 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
-- Files created between 2008-07-12 and 2008-08-12 -----------------------------
2008-08-10 06:07:41 0 d-------- C:\Program Files\FireLion Softwares
2008-08-09 01:30:40 0 d-------- C:\Program Files\Common Files\Download Manager
2008-08-09 00:44:29 0 d-------- C:\Program Files\Flash Movie Player
2008-08-03 04:21:33 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 02:29:17 90112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-08-03 02:29:17 9472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-08-03 02:29:17 221184 --a------ C:\WINDOWS\SnoopFreeUI.exe <Not Verified; SnoopFree Software; SnoopFree Privacy Shield>
2008-08-03 02:29:17 45056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-07-28 12:36:36 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\TmpRecentIcons
2008-07-28 12:09:52 348160 --a------ C:\WINDOWS\nfavxwdbsxb.dll
2008-07-28 12:09:46 0 d-------- C:\Program Files\PCHealthCenter
2008-07-28 12:09:43 0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
2008-07-28 12:08:59 85050 --a------ C:\WINDOWS\system32\drivers\cb3de552.sys
2008-07-28 12:08:56 22383 --a------ C:\WINDOWS\system32\sklh.dat
2008-07-15 00:23:57 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\Grisoft
2008-07-15 00:23:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-15 00:10:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 23:54:02 0 d-------- C:\Program Files\Trend Micro
2008-07-14 18:53:44 18432 --a------ C:\WINDOWS\system32\nvfilter.dll
-- Find3M Report ---------------------------------------------------------------
2008-08-12 03:00:12 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\AdwareAlert
2008-08-11 05:27:00 0 d-------- C:\Program Files\Symantec AntiVirus
2008-08-10 16:57:15 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\uTorrent
2008-08-09 01:30:40 0 d-------- C:\Program Files\Common Files
2008-08-05 01:34:32 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\Adobe
2008-08-01 15:06:23 0 d-------- C:\Program Files\AdwareAlert
2008-07-21 20:24:23 0 d-------- C:\Program Files\eMule
2008-07-21 17:10:34 0 d-------- C:\Program Files\DivX
2008-07-15 02:14:56 0 d-------- C:\Program Files\Common Files\{2C80106C-0B76-2057-0910-040405130001}
2008-07-14 23:10:43 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-14 23:07:57 0 d-------- C:\Program Files\Google
2008-07-09 15:42:46 0 d-------- C:\Program Files\SPSS Evaluation
2008-07-09 15:38:27 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-06-30 22:38:06 0 d--h----- C:\Program Files\Zero G Registry
2008-06-30 22:37:07 0 d-------- C:\Program Files\VOIPAX
2008-06-28 22:08:50 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-28 22:01:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-25 01:55:52 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\iSilo
2008-06-24 17:52:53 0 d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\U3
2008-06-11 01:07:20 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 01:03:26 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-06-11 01:03:26 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-11 01:03:20 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-11 01:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-11 01:03:20 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-11 01:03:20 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-11 01:03:18 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 23:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-19 20:46:33 0 --a------ C:\WINDOWS\system32\ssprs.dll
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
05/21/2008 12:43 AM 1526296 --a------ C:\Program Files\thechatterbox.cc\tbthec.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= C:\Program Files\thechatterbox.cc\tbthec.dll [05/21/2008 12:43 AM 1526296]
[-HKEY_CLASSES_ROOT\CLSID\{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [03/12/2002 10:37 AM C:\WINDOWS\system32\nwtray.exe]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [08/16/2004 05:08 PM]
"TPSMain"="TPSMain.exe" [08/11/2004 06:28 PM C:\WINDOWS\system32\TPSMain.exe]
"SnoopFreeUI"="SnoopFreeUI.exe" [08/03/2008 02:29 AM C:\WINDOWS\SnoopFreeUI.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoLogOff"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe "
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhhh]
opnkhhh.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ahmed Hawwa^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Ahmed Hawwa\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe acrobat speed launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acrobat assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adwarealert]
"C:\Program Files\AdwareAlert\AdwareAlert.exe" -boot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eprc]
"C:\DOCUME~1\AHMEDH~1\APPLIC~1\STEM~1\logonui.exe" -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\cvvygbug.dll",realset
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vrs]
"C:\Program Files\NCH Swift Sound\VRS\vrs.exe" -logon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"DomainService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"gusvc"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"SavRoam"=2 (0x2)
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8784 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-08-12 03:31:08 ------------
extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Celeron® CPU 2.93GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 447.48 MiB / 149.48 MiB
Pagefile Memory (total/avail): 1056.68 MiB / 748.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.95 MiB
C: is Fixed (NTFS) - 37.25 GiB total, 10.82 GiB free.
D: is CDROM (No Media)
F: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AT - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rwducleb.exe"="C:\\WINDOWS\\system32\\rwd"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\winlogon.exe"="C:\\WINDOWS\\winlogon.exe"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Documents and Settings\\Ahmed Hawwa\\My Documents\\Downloads\\utorrent.exe"="C:\\Documents and Settings\\Ahmed Hawwa\\My Documents\\Downloads\\utorrent.exe:*:Enabled:µTorrent"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ahmed Hawwa\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOPPRO
ComSpec=C:\WINDOWS\system32\cmd.exe
CPU=i386
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\
INCLUDE=C:\Program Files\DevStudio\DF\INCLUDE;C:\Program Files\DevStudio\VC\INCLUDE;C:\Program Files\Microsoft Visual Studio\DF98\IMSL\INCLUDE;C:\Program Files\Microsoft Visual Studio\DF98\INCLUDE;C:\Program Files\Microsoft Visual Studio\VC98\INCLUDE
LIB=C:\Program Files\DevStudio\DF\LIB;C:\Program Files\DevStudio\VC\LIB;C:\Program Files\Microsoft Visual Studio\DF98\IMSL\LIB;C:\Program Files\Microsoft Visual Studio\DF98\LIB;C:\Program Files\Microsoft Visual Studio\VC98\LIB
LINK_F90=sstatd.lib sstats.lib smathd.lib smaths.lib sf90mp.lib
LOGONSERVER=\\LAPTOPPRO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\CambridgeSoft\ChemOffice2005\Common\DLLs;C:\Program Files\DevStudio\SharedIDE\BIN;C:\Program Files\DevStudio\DF\BIN;C:\Program Files\DevStudio\VC\BIN;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\Common\Msdev98\BIN;C:\Program Files\Microsoft Visual Studio\DF98\BIN;C:\Program Files\Microsoft Visual Studio\VC98\BIN;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\WINDOWS\system32\nls;C:\WINDOWS\system32\nls\ENGLISH;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Bitvise Tunnelier;C:\Program Files\Nmap
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AHMEDH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\AHMEDH~1\LOCALS~1\Temp
USERDOMAIN=LAPTOPPRO
USERNAME=ahmed hawwa
USERPROFILE=C:\Documents and Settings\Ahmed Hawwa
VNI_F90_MSG=C:\Program Files\Microsoft Visual Studio\DF98\IMSL\MESSAGE
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Ahmed Hawwa (admin)
eMule_Secure
eMule_Secure (new local)
eMule_Secure.LAPTOPPRO (new local)
administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
[FireLion] Link Sniffer --> "C:\Program Files\FireLion Softwares\Link Sniffer\unins000.exe"
Adobe Acrobat 7.0 Professional - English, Français, Deutsch --> msiexec /I {AC76BA86-1033-F400-7760-000000000002}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\7328fdfcb73660ec8b11d5a3d5c6232\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
Adobe Setup --> MsiExec.exe /I{0650BB10-BCF4-400A-85EE-04097E3046C6}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AdwareAlert --> MsiExec.exe /X{EB67231F-6AF2-410E-BA22-A802D6EA0EE2}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Atheros Wireless LAN MiniPCI card Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}\Setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bazooka Scanner --> "C:\Program Files\Bazooka Scanner\Uninstall.exe" "C:\Program Files\Bazooka Scanner\install.log"
Beyond Compare Version 2.4.3 --> "C:\Program Files\Beyond Compare 2\unins000.exe"
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
ChemOffice Ultra 2005 --> MsiExec.exe /I{3FBBA0CA-540B-4473-BBE4-735434BD733C}
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMule --> "C:\Program Files\eMule\Uninstall.exe"
File Builder v3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{AB044657-9DE0-4BDF-BF57-54A7DD4DF15B}
Flash Movie Player 1.5 --> C:\Program Files\Flash Movie Player\uninst.exe
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InterVideo WinDVD for Toshiba --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java(tm) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(tm) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(tm) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Metasploit Framework 3.0 --> C:\Program Files\Metasploit\Framework3\uninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Premium --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
Nmap 4.22SOC5 --> "C:\Program Files\Nmap\uninstall.exe"
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
ophcrack 2.2 --> "C:\Program Files\ophcrack\unins000.exe"
OriginPro 7.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECE12161-B445-48FA-9056-FD54D8A72459}\setup.exe"
PCI 1620 Cardbus Controller and Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AE2310DC-B261-4D84-BE03-BD318EB41B78} /l1033
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\SETUP.EXE" -l0x9 REMOVE
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SMSC IrCC V5.1.3600.3 SP1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}\setup.exe" -l0x9 UNINSTALL
SnoopFree Privacy Shield --> SnoopFreeUI.exe /U
Sony Ericsson PC Suite 1.20.173 --> MsiExec.exe /I{C5ADA65A-7828-4D85-B071-ECC52B51F794}
SPSS 15.0 for Windows Evaluation Version --> MsiExec.exe /X{EE48D800-A3B5-43E3-B846-1CC556B8170D}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
thechatterbox.cc Toolbar --> C:\PROGRA~1\THECHA~1.CC\UNWISE.EXE C:\PROGRA~1\THECHA~1.CC\INSTALL.LOG
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Hotkey Utility for Display Devices --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Applet\TFNF5.isu" -c"C:\Program Files\Toshiba\Toshiba Applet\TF5Unist.dll"
TOSHIBA Manuals --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{188BA1CC-F3A1-49B0-A34D-8C861C64E1AE}\Setup.exe" -l0x9
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Utilities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\TOSHIBA Applet\TSBUTIL.isu"
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\setup.exe"
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3470FBE6-B743-420F-B5CE-0D27FA749C16}\Setup.exe" -l0x9
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Fortran 5.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\DevStudio\DeIsL1.isu"
VOIPAX --> "C:\Program Files\VOIPAX\VOIPAX\Uninstall_VOIPAX\Uninstall VOIPAX.exe"
VRS Recording System --> C:\Program Files\NCH Swift Sound\VRS\uninst.exe
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
winpcap-nmap 4.01 --> "C:\Program Files\WinPcap\uninstall.exe"
WinPcap 4.0.2 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Write-N-Cite --> C:\PROGRA~1\Refworks\UNWISE.EXE C:\PROGRA~1\Refworks\INSTALL.LOG
-- Application Event Log -------------------------------------------------------
Event Record #/Type20984 / Warning
Event Submitted/Written: 08/10/2008 07:44:04 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not open file C:\WINDOWS\system32\drivers\sptd.sys [00000003]
Event Record #/Type20983 / Warning
Event Submitted/Written: 08/10/2008 07:44:04 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not open file C:\WINDOWS\system32\drivers\SnopFree.sys [00000003]
Event Record #/Type20982 / Warning
Event Submitted/Written: 08/10/2008 07:43:51 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not access path C:\WINDOWS\system32\drivers\cb3de552.sys
Event Record #/Type20981 / Warning
Event Submitted/Written: 08/10/2008 07:42:51 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not open file C:\WINDOWS\system32\config\system.LOG [00000003]
Event Record #/Type20980 / Warning
Event Submitted/Written: 08/10/2008 07:42:51 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not open file C:\WINDOWS\system32\config\system [00000003]
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type20128 / Warning
Event Submitted/Written: 08/12/2008 00:42:18 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Record #/Type20127 / Warning
Event Submitted/Written: 08/11/2008 02:29:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Record #/Type20126 / Warning
Event Submitted/Written: 08/11/2008 08:15:21 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Record #/Type20125 / Warning
Event Submitted/Written: 08/11/2008 07:19:35 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Record #/Type20124 / Warning
Event Submitted/Written: 08/11/2008 06:52:17 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
-- End of Deckard's System Scanner: finished at 2008-08-12 03:31:08 ------------
Looking forward to hearing from u soon.
Thanks,
Alinato
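The scan log above closes with a run of Tcpip event 4226 warnings, and the netstat listing that opened this thread showed the same laptop holding dozens of outbound SMTP sessions to unrelated mail hosts; together that is the signature of a spam-sending bot rather than a mail client. As an added example that is not part of the thread, here is a Python triage script that scores a netstat listing plus a System event log for that pattern; the sample data it carries is constructed to follow the formats shown here (example.* host names), and the `triage` helper and its `max_expected_mx` threshold are my own, not anything the thread's tools provide.

```python
"""Triage for the symptom in this thread: a workstation holding many outbound
SMTP sessions to unrelated mail hosts, plus repeated Tcpip event 4226 warnings.
Added example, not part of the thread. The samples below are constructed to
follow the formats shown in the thread; host names are example.* placeholders.
"""
import re
from collections import Counter

# One row of Windows XP `netstat` output: Proto, Local Address, Foreign Address,
# State. The port may be a service name (smtp) or a number (25).
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<lhost>\S+?):(?P<lport>\S+)\s+"
    r"(?P<fhost>\S+?):(?P<fport>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)
# Event Viewer record line as Deckard's System Scanner prints it.
EVENT_ROW = re.compile(r"^Event ID/Source:\s*(?P<id>\d+)\s*/\s*(?P<source>\S+)")
SMTP_PORTS = {"smtp", "25"}


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    return [m.groupdict() for m in map(NETSTAT_ROW.match, text.splitlines()) if m]


def count_event(text, event_id, source):
    """Count event-log records with the given ID and source (case-insensitive)."""
    hits = 0
    for line in text.splitlines():
        m = EVENT_ROW.match(line.strip())
        if m and int(m["id"]) == event_id and m["source"].lower() == source.lower():
            hits += 1
    return hits


def triage(netstat_text, syslog_text, max_expected_mx=2):
    """Score a netstat listing plus a System event log for the mass-mailer pattern.
    A mail client on a workstation talks to its provider's submission server (one
    or two hosts); a spam bot pushes mail straight at many recipient-domain MXs.
    """
    smtp = [r for r in parse_netstat(netstat_text)
            if r["proto"] == "TCP" and r["fport"].lower() in SMTP_PORTS]
    mx_hosts = Counter(r["fhost"] for r in smtp)
    states = Counter(r["state"] or "UNKNOWN" for r in smtp)
    ev4226 = count_event(syslog_text, 4226, "Tcpip")

    findings = []
    if len(mx_hosts) > max_expected_mx:
        findings.append(f"{len(smtp)} SMTP sessions to {len(mx_hosts)} distinct mail hosts; "
                        f"a mail client would use at most {max_expected_mx}")
    if ev4226:
        # XP SP2 caps concurrent half-open outbound TCP connects and logs 4226 at the cap.
        findings.append(f"{ev4226} Tcpip event 4226 warnings (half-open connection limit hit)")
    return {
        "smtp_sessions": len(smtp),
        "distinct_mx": len(mx_hosts),
        "states": dict(states),
        "event_4226": ev4226,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample in the XP netstat layout (not the thread's own output).
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address          State
  TCP    LaptopPro:9984         203.0.113.7:http         ESTABLISHED
  TCP    LaptopPro:11178        198.51.100.41:smtp       ESTABLISHED
  TCP    LaptopPro:11183        mx1.example.net:smtp     ESTABLISHED
  TCP    LaptopPro:11187        mail.example.edu:smtp    SYN_SENT
  TCP    LaptopPro:11204        mx2.example.org:smtp     CLOSE_WAIT
  TCP    LaptopPro:11210        smtp.example.co.jp:smtp  ESTABLISHED
  TCP    LaptopPro:11221        relay.example.com:25     ESTABLISHED
"""

# Constructed sample of the System event log section in the scanner's format.
SAMPLE_SYSLOG = """\
Event Record #/Type20128 / Warning
Event Submitted/Written: 08/12/2008 00:42:18 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Record #/Type20127 / Warning
Event Submitted/Written: 08/11/2008 02:29:26 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""

# A healthy workstation: one session to its own provider's submission server.
BENIGN_NETSTAT = """\
  TCP    LaptopPro:3011         203.0.113.7:http         ESTABLISHED
  TCP    LaptopPro:3012         smtp.example.com:smtp    ESTABLISHED
"""

if __name__ == "__main__":
    for name, ns, ev in (("infected", SAMPLE_NETSTAT, SAMPLE_SYSLOG), ("benign", BENIGN_NETSTAT, "")):
        print(name, triage(ns, ev))
```

Feed it the saved output of `netstat` and the System event log section of the scanner report; a hit on either finding is a reason to pull the machine off the network before cleaning, since every minute online is more spam sent in the owner's name.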
-
If you didn't get convinced to Purchase AdwareAlert
I suggest that you access your Add and Remove Programs and Remove
AdwareAlert
Remain in Add and Remove programs and remove all these older versions of Java
Do this with all browser windows closed
We'll update it in a bit
Remove
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Don't reboot yet if prompted by Windows
Instead, please do the following. Come back here
Download a copy of ComboFix from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Save it ONLY to your desktop
Don't run it yet
We need to disable some of your protection software, so it won't interfere with the next steps
Disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot
After you have disabled TeaTimer, download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.
Disable
SPY SWEEPER
* Open Spy Sweeper and click on Options > Program Options and uncheck "load at windows startup".
* On the left click "shields" and then uncheck everything there.
* Uncheck "home page shield".
* Uncheck "automatically restore default without notification".
* Exit the program.
Also, temporarily disable the AutoProtect component of Norton AntiVirus
Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} - C:\WINDOWS\fdkowvbp.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - ProtocolDefaults: '@ivt' ("") protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: opnkhhh - opnkhhh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on ComboFix.exe to run it
Follow the prompts
NOTE:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Normally this fix takes 10 to 30 minutes
When finished, it shall produce a log for you with the name C:\ComboFix.txt.
I'll need to see that log later
If the system is rebooted, the log will be produced after a few minutes after rebooting
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, >> check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Then from your desktop double-click on jre-6u7-windows-i586-p.exe that you downloaded to install the newest version.
Post the ComboFix log >> C:\ComboFix.txt
In addition, run a fresh scan and save the logfile with HijackThis, and post that log too
-
[quote name='guestolo' post='439820' date='Aug 11 2008, 10:13 PM']If you didn't get convinced to Purchase AdwareAlert
I suggest that you access your Add and Remove Programs and Remove
AdwareAlert
Remain in Add and Remove programs and remove all these older versions of Java
Do this with all browser windows closed
We'll update it in a bit
Remove
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Don't reboot yet if prompted by Windows
Instead, please do the following. Come back here
Download a copy of ComboFix from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Save it ONLY to your desktop
Don't run it yet
We need to disable some of your protection software, so it won't interfere with the next steps
disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot
After you disabled Teatimer, download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.
Disable
SPY SWEEPER
* Open Spy Sweeper and click on Options > Program Options and uncheck "load at windows startup".
* On the left click "shields" and then uncheck everything there.
* Uncheck "home page shield".
* Uncheck "automatically restore default without notification".
* Exit the program.
Also, temporarily disable the AutoProtect component of Norton AntiVirus
Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} - C:\WINDOWS\fdkowvbp.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - ProtocolDefaults: '@ivt' ("") protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: opnkhhh - opnkhhh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on ComboFix.exe to run it
Follow the prompts
NOTE:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Normally this fix takes 10 to 30 minutes
When finished, it shall produce a log for you with the name C:\ComboFix.txt.
I'll need to see that log later
If the system is rebooted, the log will be produced a few minutes after rebooting
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
- Click the "Download" button to the right.
- In the window that opens, select Windows, check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Then from your desktop double-click on jre-6u7-windows-i586-p.exe that you downloaded to install the newest version.
Post the ComboFix log: C:\ComboFix.txt
In addition, run a fresh scan and save logfile with Hijackthis and post that log too[/quote]
-
you just quoted what I replied to you?
Please just do the instructions and then use the ADD REPLY button to post back the info I need please
-
I've done the following:
1. Uninstalled: AdwareAlert
2. Uninstalled:
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
3. Disabled SpybotSD TeaTimer
4. Disabled SPY SWEEPER
5. I'm stuck here...
I can't disable the AutoProtect component of Norton AntiVirus
It is locked even when I logged in as the administrator. How do I unlock it?
I have xp home edition, so I restarted into the safemode and logged into the administrator account and accessed "Symantec Anti-Virus Corporate Edition 9" but still it is locked...
:huh: I remember that I asked a guy to install it on my laptop but I didn't see him when he was doing it... Is there a certain password I need to know of???
:(
Thanks in advance..
alinato
-
Sorry about the quoting man. It was just a mistake.
Thanks
Alinato
-
If you get stuck on a step, carry on and do the next step
Post any logs you're capable of posting
-
Carried on to ComboFix.exe step:
ComboFix.exe couldn't make it to completion. It was stuck at stage 16 for about 2 hours...
:huh:
I had to force system shutdown and repeat this 4 times.. Last time was stuck at stage 10...
Carried on to next step (HijackThis scan):
Results are below...
Please help... Is my system badly infected??
:o
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:47, on 2008-08-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: '@ivt' ("") protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177338566265
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {cafeefac-0014-0002-0005-abcdeffedcba} (Java Plug-in 1.4.2_05) -
O16 - DPF: {cafeefac-0016-0000-0001-abcdeffedcba} (Java Plug-in 1.6.0_01) -
O16 - DPF: {cafeefac-0016-0000-0002-abcdeffedcba} -
O16 - DPF: {cafeefac-0016-0000-0003-abcdeffedcba} -
O16 - DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: [FireLion] Link Sniffer Service (linksnifferservice) - FireLion Co., Ltd - C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (snoopfreesvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VOIPAX - Macrovision - C:\PROGRA~1\VOIPAX\VOIPAX\VOIPAX.exe
O23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8599 bytes
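The helper's checklist above (the R0/O3/O6/O15/O20/O22 entries ticked for FIX CHECKED) and the log just posted (with its R1 ProxyServer = localhost:8080 and O10 "Unknown file in Winsock LSP" lines) follow a small set of triage rules that can be written down. The script below is an added example for this thread, not HijackThis code and not the helper's own tool; the function names (triage, summarize, looks_random), the three severity labels and the rules themselves are this example's choices, and the log lines it runs over are a constructed sample in the shape of the logs in this thread, not the full log.

```python
"""Triage a HijackThis "System scan only" log the way a removal helper does.

Added example for this thread, not HijackThis code or the helper's own tool.
Rules mirror the entry types ticked above (O15 zone mismatches, O3/O20/O22
loaders whose file is gone, O6 restrictions, a blank R0 start page) plus two
entries from the posted log worth a second look (an R1 proxy pointing at the
local machine, an O10 LSP that HijackThis does not recognise).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the logs posted in this thread, with two
# benign entries (Adobe toolbar, ctfmon) included to show that they pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} - C:\WINDOWS\fdkowvbp.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: opnkhhh - opnkhhh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
"""


@dataclass
class Finding:
    severity: str  # "high": tick for FIX CHECKED; "medium": likely; "review": verify first
    line: str
    reason: str


O15_MISMATCH = re.compile(
    r"^O15 - ProtocolDefaults: .* is in (?P<actual>.+?) Zone, should be (?P<expected>.+?) Zone")
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(localhost|127\.0\.0\.1)(:\d+)?", re.I)
FILE_GONE = re.compile(r"\((file missing|no file)\)\s*$")
LOADER_NAME = re.compile(r"^O(?:3|20|22) - [^:]+: (?P<name>.+?) - ")


def looks_random(name: str) -> bool:
    """Heuristic for generated names (fdkowvbp, opnkhhh, jhsf8d984...): a single
    token with digits mixed into letters, or almost no vowels. It only annotates
    a finding, it never creates one, so a false positive costs nothing."""
    if " " in name or len(name) < 6:
        return False
    if len(name) >= 12 and any(c.isdigit() for c in name):
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.15


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would act on, each with a severity and reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O15_MISMATCH.match(line)
        if m:
            findings.append(Finding("high", line,
                f"zone tampering: {m['actual']} Zone instead of {m['expected']} Zone"))
        elif LOCAL_PROXY.search(line):
            findings.append(Finding("high", line,
                "IE proxy points at this machine: a local process sees all browser traffic"))
        elif FILE_GONE.search(line):
            reason = "autostart/loader entry whose file is already gone"
            nm = LOADER_NAME.match(line)
            if nm and looks_random(nm["name"]):
                reason += f" (random-looking name {nm['name']!r})"
            findings.append(Finding("high", line, reason))
        elif line.startswith("O6 - ") and line.endswith("Restrictions present"):
            findings.append(Finding("medium", line,
                "IE policy restrictions set; hijackers use these to lock the user out of settings"))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(Finding("review", line,
                "LSP not on the HijackThis whitelist; identify the vendor before removing"))
        elif line.startswith("R0 - ") and line.endswith("Start Page = about:blank"):
            findings.append(Finding("review", line,
                "blank start page, a common leftover of a hijack; reset it"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick 'how bad is it' answer."""
    counts = {"high": 0, "medium": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.line}\n         -> {f.reason}")
    print(summarize(results))
```

Two design points worth noting. HijackThis reports any Winsock LSP it does not have on its whitelist as "Unknown", which is why the script only queues O10 lines for review rather than for removal; the helper above likewise left that entry unticked. And a local proxy setting is scored high on its own because it does not need a missing file or an odd name to matter: whatever listens on that port sees every browser request.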
-
Can you try the following
Delete your copy of ComboFix from desktop
Then REDownload a copy of ComboFix from > HERE < (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Save it ONLY to your desktop
Don't run it yet
Reboot into Safe mode and sign in with your normal account
Try running ComboFix from safe mode and see if it will complete
If it does, post the log from ComboFix
If it doesn't, then please run Dss.exe again and post the new log from Main.txt
-
Yeah... finally Combofix made it through to completion :D
I've done it in safe mode as you said, then it was automatically shut down.
When it restarted in normal mode it reported the log file. I copied it below along with the HijackThis log file:
Please advise on the next step....
Thanks in advance,
Alinato
ComboFix 08-08-25.01 - ahmed hawwa 2008-08-26 15:09:06.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239 [GMT 1:00]
Running from: C:\Documents and Settings\Ahmed Hawwa\Desktop\ComboFix2.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\bin.clearspring.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\interclick.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\interclick.com\ud.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0204\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0206\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0210\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0213\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0214\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0233\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0234\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0237\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0242\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0248\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0253\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0254\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0255\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0257\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0259\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0260\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0261\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0268\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0270\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0272\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0275\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0277\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0279\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0281\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0282\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0284\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0287\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0290\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0304\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0305\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0312\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\static.youku.com\v1.0.0314\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\v.youku.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\v.youku.com\v1.0.0153\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\www.youku.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\#SharedObjects\ZYGWY4BT\www.youku.com\v1.0.0153\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#v.youku.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#v.youku.com\settings.sol
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youku.com
C:\Documents and Settings\Ahmed Hawwa\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youku.com\settings.sol
C:\Documents and Settings\Ahmed Hawwa\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\Program Files\Common Files\{2C801~1
C:\WINDOWS\nfavxwdbsxb.dll
C:\WINDOWS\system32\byjfkadl.ini
C:\WINDOWS\system32\drivers\cb3de552.sys
C:\WINDOWS\system32\gubgyvvc.ini
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\lsprst7.dll
.
---- Previous Run -------
.
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\WINDOWS\SNMPAPI.DLL
C:\WINDOWS\system32\vav.cpl
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_cb3de552
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.
2008-08-25 06:12 . 2008-08-25 06:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-25 06:12 . 2008-08-25 06:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-25 02:36 . 2008-08-25 04:09 <DIR> d-------- C:\Documents and Settings\Ahmed Hawwa\Application Data\FileZilla
2008-08-25 02:35 . 2008-08-25 02:36 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-08-16 01:59 . 2008-08-16 02:00 <DIR> d-------- C:\ComboFix
2008-08-13 01:47 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 03:27 . 2008-08-12 03:27 <DIR> d-------- C:\Deckard
2008-08-10 06:07 . 2008-08-10 06:07 <DIR> d-------- C:\Program Files\FireLion Softwares
2008-08-09 01:30 . 2008-08-09 01:30 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-03 04:21 . 2008-08-03 04:21 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 02:29 . 2008-08-03 02:29 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-08-03 02:29 . 2008-08-03 02:29 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-08-03 02:29 . 2008-08-03 02:29 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-08-03 02:29 . 2008-08-03 02:29 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-07-28 12:08 . 2008-07-28 12:08 22,383 --a------ C:\WINDOWS\system32\sklh.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 13:56 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-12 21:58 --------- d-----w C:\Program Files\Java
2008-08-12 02:00 --------- d-----w C:\Documents and Settings\Ahmed Hawwa\Application Data\AdwareAlert
2008-08-10 15:57 --------- d-----w C:\Documents and Settings\Ahmed Hawwa\Application Data\uTorrent
2008-07-21 19:24 --------- d-----w C:\Program Files\eMule
2008-07-21 16:10 --------- d-----w C:\Program Files\DivX
2008-07-15 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SysMon
2008-07-14 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-14 23:23 --------- d-----w C:\Documents and Settings\Ahmed Hawwa\Application Data\Grisoft
2008-07-14 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-14 23:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-14 22:54 --------- d-----w C:\Program Files\Trend Micro
2008-07-14 22:10 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-14 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-14 22:07 --------- d-----w C:\Program Files\Google
2008-07-14 22:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 14:42 --------- d-----w C:\Program Files\SPSS Evaluation
2008-06-30 21:38 --------- d--h--w C:\Program Files\Zero G Registry
2008-06-30 21:37 --------- d-----w C:\Program Files\VOIPAX
2008-06-28 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-28 21:08 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-06-28 21:01 --------- d-----w C:\Program Files\Common Files\Adobe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "C:\Program Files\thechatterbox.cc\tbthec.dll" [2008-05-21 00:43 1526296]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
2008-05-21 00:43 1526296 --a------ C:\Program Files\thechatterbox.cc\tbthec.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00b8e20c-5c71-4c2f-85a5-6ad541500df0}"= "C:\Program Files\thechatterbox.cc\tbthec.dll" [2008-05-21 00:43 1526296]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00B8E20C-5C71-4C2F-85A5-6AD541500DF0}"= "C:\Program Files\thechatterbox.cc\tbthec.dll" [2008-05-21 00:43 1526296]
[HKEY_CLASSES_ROOT\clsid\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-08-16 17:08 430080]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-03 06:13 286720]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]
"TPSMain"="TPSMain.exe" [2004-08-11 18:28 266240 C:\WINDOWS\system32\TPSMain.exe]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-08-03 02:29 221184 C:\WINDOWS\SnoopFreeUI.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKLM\~\startupfolder\C:^Documents and Settings^Ahmed Hawwa^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Ahmed Hawwa\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe acrobat speed launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acrobat assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-03 06:13 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vrs]
--a------ 2008-05-15 12:30 610308 C:\Program Files\NCH Swift Sound\VRS\vrs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"DomainService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"gusvc"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"SavRoam"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Documents and Settings\\Ahmed Hawwa\\My Documents\\Downloads\\utorrent.exe"=
R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 15:52]
R2 linksnifferservice;[FireLion] Link Sniffer Service;C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe [2007-12-11 19:11]
S2 VOIPAX;VOIPAX;C:\PROGRA~1\VOIPAX\VOIPAX\VOIPAX.exe [2008-06-30 22:37]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 21:22]
S3 SiwvidStart;SiwvidStart;C:\DOCUME~1\AHMEDH~1\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\siwvid.sys []
S3 VRSService;VRS Recording System;C:\Program Files\NCH Swift Sound\VRS\vrs.exe [2008-05-15 12:30]
.
Contents of the 'Scheduled Tasks' folder
2008-08-26 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert\AdwareAlert.exe []
2008-08-26 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert []
2008-08-14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
2007-04-24 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]
2008-08-25 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
2007-06-22 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-adwarealert - C:\Program Files\AdwareAlert\AdwareAlert.exe
MSConfigStartUp-Eprc - C:\DOCUME~1\AHMEDH~1\APPLIC~1\STEM~1\logonui.exe
MSConfigStartUp-GPLv3 - C:\WINDOWS\system32\cvvygbug.dll
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Uniblue SpyEraser - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ahmed Hawwa\Application Data\Mozilla\Firefox\Profiles\s5kaya5j.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 15:23:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.exe
-> C:\WINDOWS\SnoopFreeDll.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\SnoopFreeSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-26 15:36:53 - machine was rebooted [ahmed hawwa]
ComboFix-quarantined-files.txt 2008-08-26 14:36:27
Pre-Run: 10,159,419,392 bytes free
Post-Run: 11,252,805,632 bytes free
269 --- E O F --- 2008-08-13 02:13:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:59 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O2 - BHO: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177338566265
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {cafeefac-0014-0002-0005-abcdeffedcba} (Java Plug-in 1.4.2_05) -
O16 - DPF: {cafeefac-0016-0000-0001-abcdeffedcba} (Java Plug-in 1.6.0_01) -
O16 - DPF: {cafeefac-0016-0000-0002-abcdeffedcba} -
O16 - DPF: {cafeefac-0016-0000-0003-abcdeffedcba} -
O16 - DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: [FireLion] Link Sniffer Service (linksnifferservice) - FireLion Co., Ltd - C:\Program Files\FireLion Softwares\Link Sniffer\sLinkSniffer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (snoopfreesvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VOIPAX - Macrovision - C:\PROGRA~1\VOIPAX\VOIPAX\VOIPAX.exe
O23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 7570 bytes
-
Sorry again for the delay; can you please do the following:
Again, ensure that SpySweeper is disabled.
Do a "System scan only" with HijackThis and put a check next to these entries:
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} -
O16 - DPF: {cafeefac-0014-0002-0005-abcdeffedcba} (Java Plug-in 1.4.2_05) -
O16 - DPF: {cafeefac-0016-0000-0001-abcdeffedcba} (Java Plug-in 1.6.0_01) -
O16 - DPF: {cafeefac-0016-0000-0002-abcdeffedcba} -
O16 - DPF: {cafeefac-0016-0000-0003-abcdeffedcba} -
O16 - DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} -
After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.
Reboot the computer.
Back in Windows:
Go to START>>ALL PROGRAMS>>ACCESSORIES>>SYSTEM TOOLS>>SCHEDULED TASKS
Look for a scheduled task related to Adware Alert.
If you find it, right-click on it and Delete it.
Come back here and post a fresh HijackThis log and let me know how things are running.
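The entries the helper singles out above (O16 DPF registrations that end in a bare "-" with no download location, a BHO whose DLL is gone, a service with no vendor string) are the first things anyone reading a HijackThis log checks, and that first pass can be scripted. The Python below is an added example written for this page; it is not code from the thread, from HijackThis or from Trend Micro. The sample log mixes lines copied from the logs posted in this thread with one constructed line: the final O4 entry is built from the profile path of the "Eprc" orphan that ComboFix removed above and was never in a HijackThis log on this page. The regexes, the rule set and the "user-writable path" heuristic are my assumptions, not HijackThis's own logic.

```python
import re
from collections import Counter

# Sample HijackThis-style lines. All but the last are copied from the logs posted
# in this thread; the final O4 line is constructed for illustration, reusing the
# profile path of the "Eprc" orphan that ComboFix removed above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} -
O16 - DPF: {cafeefac-0016-0000-0001-abcdeffedcba} (Java Plug-in 1.6.0_01) -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Snoop Free Service (snoopfreesvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O4 - HKCU\..\Run: [Eprc] C:\DOCUME~1\USER~1\APPLIC~1\STEM~1\logonui.exe
"""

# "O16 - DPF: ..." -> code "O16", body "DPF: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

# Directories a normal installer never uses for an autostart binary but droppers
# routinely do (heuristic, my assumption; also matches the 8.3 short names).
USER_WRITABLE_RE = re.compile(
    r"\\(temp|application data|applic~1|local settings|locals~1)\\", re.I)


def triage(log_text):
    """Return (code, reason, line) for every entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")

        if code == "O16" and body.endswith("-"):
            # Downloaded Program File registration with nothing after the dash:
            # a dead ActiveX entry, the kind the helper had fixed above.
            findings.append((code, "orphaned DPF entry with no download location", line))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((code, "BHO/toolbar registered but its DLL is missing", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service with no vendor string; verify the binary", line))
        elif code == "R1" and "ProxyServer" in body:
            findings.append((code, "IE proxy configured; confirm what listens there", line))

        # Independent of the entry type: where does the binary live?
        if USER_WRITABLE_RE.search(body):
            findings.append((code, "autostart binary under a user-writable profile directory", line))
    return findings


def summarize(findings):
    """Count findings per reason so the worst categories float to the top."""
    return Counter(reason for _, reason, _ in findings)


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

These are triage hints, not verdicts: "Unknown owner" only means HijackThis has no vendor string for that service, and a proxy at localhost:8080 can be a legitimate local filter, so every hit still needs the file itself checked by hand, which is what the helper did in this thread before telling Alinato what to fix.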
-
Done everything, and following is the fresh HijackThis log file...
Things are running smoothly now. The only thing is that ComboFix may have disabled Norton AV permanently. Whenever I right-click anything, Windows Installer starts and asks for the Symantec AV installation CD. I don't have the CD since it was installed by our company. Maybe I need to reinstall it. What do you think?
Other than that, the too many active connections have now disappeared and I'm happy to reach this stage. I'd like to thank you very much for your patience and assistance throughout all of this.
Thanks,
Alinato....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:42 AM, on 9/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O2 - BHO: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: thechatterbox.cc Toolbar - {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - C:\Program Files\thechatterbox.cc\tbthec.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177338566265
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (snoopfreesvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VOIPAX - Macrovision - C:\PROGRA~1\VOIPAX\VOIPAX\VOIPAX.exe
O23 - Service: VRS Recording System (VRSService) - NCH Software - C:\Program Files\NCH Swift Sound\VRS\vrs.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 7640 bytes
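Alinato reports above that the flood of active connections is gone. The quickest way to confirm that from `netstat` output is to count how many distinct remote hosts the workstation is talking to on TCP/25: a desktop sends mail to one or two configured servers, and dozens of simultaneous SMTP sessions to unrelated mail exchangers is the classic footprint of a spam bot. The Python below is an added example for this page, not code from any post in the thread. The netstat output it parses is constructed (RFC 5737 test addresses and example.* hostnames), it accepts both the service names netstat prints by default (smtp, http) and the numeric ports `netstat -n` prints, and the threshold of two expected mail servers is an assumption to tune for your own environment.

```python
import re
from collections import Counter

# Constructed netstat output (not the poster's real output): RFC 5737 test
# addresses and example.* names. Mixes service names (as netstat prints
# without -n) with numeric ports.
SPAMBOT_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    WORKSTATION:1034       198.51.100.20:http     ESTABLISHED
  TCP    WORKSTATION:1035       198.51.100.21:443      ESTABLISHED
  TCP    WORKSTATION:1101       192.0.2.10:smtp        ESTABLISHED
  TCP    WORKSTATION:1102       192.0.2.11:smtp        SYN_SENT
  TCP    WORKSTATION:1103       mx1.example.net:smtp   ESTABLISHED
  TCP    WORKSTATION:1104       mx2.example.net:smtp   ESTABLISHED
  TCP    WORKSTATION:1105       192.0.2.12:25          ESTABLISHED
  TCP    WORKSTATION:1106       192.0.2.13:smtp        CLOSE_WAIT
  TCP    WORKSTATION:1107       mail.example.org:smtp  ESTABLISHED
  UDP    WORKSTATION:137        *:*
"""

# Constructed clean desktop: one browser session, one session to its own mail server.
CLEAN_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    WORKSTATION:1201       198.51.100.20:http     ESTABLISHED
  TCP    WORKSTATION:1202       mail.example.org:smtp  ESTABLISHED
"""

SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443, "pop3": 110, "imap": 143}
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}   # SYN_SENT counts: the bot is still dialling
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def split_endpoint(endpoint):
    """'host:port' -> (host, port). Service names map via SERVICE_PORTS, unknown -> -1."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower(), -1)


def parse_netstat(text):
    """Parse Windows netstat output into connection dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        conns.append({
            "proto": proto.upper(),
            "local": split_endpoint(local),
            "remote": split_endpoint(remote),
            "state": (state or "").upper(),   # UDP rows carry no state column
        })
    return conns


def smtp_destinations(conns):
    """Distinct remote hosts with an established or half-open TCP/25 session."""
    return {c["remote"][0] for c in conns
            if c["proto"] == "TCP" and c["remote"][1] == 25 and c["state"] in ACTIVE_STATES}


def remote_port_histogram(conns):
    """Which remote ports dominate; a desktop's list should be 80/443, not 25."""
    return Counter(c["remote"][1] for c in conns if c["proto"] == "TCP")


def looks_like_spambot(text, max_expected_mail_servers=2):
    """A desktop should reach at most its own mail servers; fan-out beyond that is the tell."""
    return len(smtp_destinations(parse_netstat(text))) > max_expected_mail_servers


if __name__ == "__main__":
    conns = parse_netstat(SPAMBOT_NETSTAT)
    print("remote ports:", remote_port_histogram(conns).most_common())
    print("SMTP fan-out:", sorted(smtp_destinations(conns)))
    print("spam bot?", looks_like_spambot(SPAMBOT_NETSTAT))
```

Run it against a saved `netstat > before.txt` and `netstat > after.txt` pair and the fan-out count going from dozens to at most your mail provider is the objective version of "the too many active connections disappeared". The parser deliberately ignores continuation lines that netstat produces when a long hostname wraps, so run it on `netstat -n` output if you want every row counted.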
-
Besides the right-click problem, is everything running fine with Symantec's?
If so, can you do the following please:
Download and save to desktop
Microsoft's Windows Installer CleanUp Utility (http://download.microsoft.com/download/e/9/d/e9d80355-7ab4-45b8-80e8-983a48d5e1bd/msicuu2.exe) >> (msicuu2.exe)
Double-click on msicuu2.exe to run and install it.
Once installed, go to START>>ALL PROGRAMS>>Windows Installer Cleanup
When the program loads,
look for any and ONLY the following:
any entry that begins with "CC", "cc", "Norton", "Symantec", "Sym", or "MSRedist".
If any are found,
click the entry and select Remove.
When done, reboot the computer.
Come back here and let me know if the right-click issue is resolved please.
-
Right-click issue is now resolved...
However, Symantec AV is not working at all. When I start it, it gives me the following error:
"Symantec Antivirus is missing savrt32.dll, a required file. Please reinstall the product."
I noticed also that real-time protection is not working.
I tried to download the above file from the internet and then put it in the WINDOWS folder or SYSTEM32 folder, but no use. Should I reinstall the Symantec AV, or could this also be resolved?
Thanks a million,
Alinato
-
What version of Norton's do you have?
Is the subscription still active?
If you have the CD, yes I would uninstall it completely
Reboot then reinstall
If Norton's is expired, we can get you free alternatives, your choice
-
Well, I don't have the CD, but I can get it re-installed from our company. They have the subscription and CD.
I would be interested, though, in knowing the free alternative.
Thanks,
Alinato
-
If it's a company computer, you might just want to reinstall or repair your version
Is it a corporate client edition of Norton's?
If it's your own personal computer, we can try an uninstall and replace it with a free version
-
Yep, it is the corporate client edition of Norton's.
It is my own personal computer, and that's why I was looking for the free version.
I don't want to ask our technician to hold on to my computer for about one to two days if I can do it myself and for free!
Where can I get this free version from?
Thanks a lot in advance.
Alinato.
-
Well, ask your Administrator to uninstall your version of Norton's
Or, try and uninstall it yourself in Add and Remove programs
It may prompt for a password, by default it's symantec
After you do that, we can try a free version
OR, if you can't get a hold of the Admin anymore, we can go from there
BUT, DO NOT have more than one antivirus software running on your computer at one time.
Bad conflicts, believe me; I've tried it with 3 different versions before, and I couldn't even use my computer till I uninstalled at least one AV.