TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Heather on August 19, 2008, 11:49:49 PM
-
Good evening. My teenage son was on last fri or sat and said that the screen went white, icons disappeared, homepage changed andjust all around things went wacky then a popup came offering a virus scan (YIKES) I had warned him about those before, guess he forgot. anyway things froze and he shut down. now there are many problems with all web pages, no pictures will come up, many links won't open. also somehow modzilla appeared but who knows what teenagers do and don't cop to. time to put the puter back on lockdown.
any help much appreciated.
H
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:49 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\wscmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Heather\Application Data\U3\0164630F62036E4A\LaunchPad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wscmgr] C:\WINDOWS\wscmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [Sonic RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYUS (http://\"http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm027YYUS\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab (http://\"http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab (http://\"https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab\")
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB (http://\"http://support.dell.com/systemprofiler/SysPro.CAB\")
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1611.cab (http://\"http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab\")
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab (http://\"http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab\")
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (http://\"http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab\")
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (http://\"http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab (http://\"http://www.acclaim.com/cabs/acclaim_v5.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab (http://\"http://messenger.zone.msn.com/binary/Chess.cab57176.cab\")
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 11444 bytes
-
additional info that may be helpful...
I tried to do a system restore to an earlier date and am locked out, it will not let me choose anything other that today (whatever day it is)
and I can't go back to last month.
any pictures on the web seem to come up ok if I right click to show picture, mostly useless but it's info
hubby's hot mail opens but won't go to any choices on the page
I am totally willing (eager even) to wipe the whole drive and start over if you think that's best, I would like to rescue as much as pssible beforehand
possibly online? don't know the options, never did a wipe before.
thanks again, H
-
Sorry for the delay, I seeu a bad service running, can you do the following
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\") and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
Post that log
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
In addition post a fresh Hijackthis log afterwards
-
ComboFix 08-08-23.03 - Heather 2008-08-24 12:49:32.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.230 [GMT -7:00]
Running from: C:\Documents and Settings\Heather\Desktop\ComboFix.exe
* Created a new restore point
[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Heather\Application Data\FunWebProducts
C:\Documents and Settings\Heather\Application Data\FunWebProducts\Data\Heather\avatar.dat
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\interclick.com
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\interclick.com\ud.sol
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\static.youku.com
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\static.youku.com\v1.0.0236\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\static.youku.com\v1.0.0288\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\static.youku.com\v1.0.0307\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Heather\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt
C:\Documents and Settings\Heather\Cookies\heather@bookingbuddy[2].txt
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt
C:\Documents and Settings\Heather\Cookies\heather@revsci[2].txt
C:\Documents and Settings\Heather\Cookies\heather@spamblockerutility[2].txt
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt
C:\Documents and Settings\Heather\Cookies\[email protected][2].txt
C:\Program Files\FunWebProducts
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msctrl.log
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\mssadv.exe
C:\Program Files\Microsoft Security Adviser\mssadv.log
C:\Program Files\Microsoft Security Adviser\mssadv_sp.exe
C:\Program Files\Microsoft Security Adviser\mssadv_sp.log
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\rhcrw5j0evag
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\blphcvw5j0evag.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\lphcvw5j0evag.exe
C:\WINDOWS\system32\phcvw5j0evag.bmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CBEVTSVC
-------\Service_CbEvtSvc
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.
2008-08-20 09:58 . 2002-08-29 03:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-08-18 21:41 . 2008-08-18 21:41 382,020 --a------ C:\WINDOWS\wscmgr.exe
2008-08-18 21:41 . 2008-08-24 13:14 605 --a------ C:\WINDOWS\data7933~.sys
2008-08-18 21:41 . 2008-08-24 13:14 605 --a------ C:\WINDOWS\data7933.sys
2008-08-18 13:59 . 2008-08-18 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-17 01:13 . 2008-08-18 22:24 46,080 --a------ C:\mssadv.dll
2008-08-17 01:13 . 2008-08-17 01:13 18,432 --a------ C:\0xf9.exe
2008-08-17 01:13 . 2008-08-18 22:24 11,264 --a------ C:\msscan.dll
2008-08-17 01:13 . 2008-08-18 22:24 11,264 --a------ C:\msiemon.dll
2008-08-17 01:13 . 2008-08-18 22:24 11,264 --a------ C:\msfw.dll
2008-08-17 01:13 . 2008-08-18 22:24 11,264 --a------ C:\msctrl.dll
2008-08-17 01:13 . 2008-08-18 22:24 11,264 --a------ C:\msavsc.dll
2008-08-04 00:34 . 2008-08-04 00:34 <DIR> d-------- C:\Program Files\Bonjour
2008-08-04 00:23 . 2008-08-04 00:23 <DIR> d-------- C:\Program Files\Safari
2008-07-27 21:30 . 2008-08-02 09:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-07-27 21:30 . 2008-08-24 09:00 24 --a------ C:\Documents and Settings\Heather\jagex_runescape_preferences.dat
2008-07-27 14:59 . 2008-07-27 15:07 4 --a------ C:\WINDOWS\SYSTEM32\fc.trk
2008-07-27 14:58 . 2008-07-27 15:09 <DIR> d-------- C:\Program Files\FastCrawl_at
2008-07-27 14:53 . 2008-07-27 14:55 <DIR> d-------- C:\Documents and Settings\Heather\Application Data\GetRightToGo
2008-07-27 00:23 . 2008-07-27 14:45 <DIR> d-------- C:\Program Files\EmpiresandDungeons_at
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-19 14:38 --------- d-----w C:\Documents and Settings\Heather\Application Data\U3
2008-08-18 06:49 --------- d-----w C:\Documents and Settings\Heather\Application Data\Apple Computer
2008-08-04 07:37 --------- d-----w C:\Program Files\iTunes
2008-08-04 07:36 --------- d-----w C:\Program Files\iPod
2008-08-04 07:33 --------- d-----w C:\Program Files\QuickTime
2008-07-30 16:53 --------- d-----w C:\Program Files\Google
2008-07-27 21:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-26 21:12 --------- d-----w C:\Program Files\Feudalism_at
2008-07-21 18:29 --------- d-----w C:\Program Files\Apple Software Update
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-07-07 18:51 --------- d-----w C:\Program Files\Windows Live
2008-07-07 18:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2007-11-10 07:20 64,504 ----a-w C:\Documents and Settings\Heather\Application Data\GDIPFONTCACHEV1.DAT
2007-02-20 19:51 439,296 ----a-w C:\Documents and Settings\Heather\GoToAssist_phone__317_en.exe
2007-02-18 04:07 8 ----a-w C:\Documents and Settings\Heather\Application Data\usb.dat.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 15:24 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 00:24 180269]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 14:37 936960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"wscmgr"="C:\WINDOWS\wscmgr.exe" [2008-08-18 21:41 382020]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 03:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 03:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 03:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 03:00 455168]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-11 07:10:51 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-10-27 23:47:42 1078]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony Pictures Games\\Wheel of Fortune\\Wheel of Fortune.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-17 10:50]
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys [2001-11-12 17:07]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{145135b2-6da9-11dd-b086-000cf1e5dee4}]
\Shell\Auto\command - G:\MSOCache\doWTP_RESTORE_0.exe -autorun
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MSOCache\doWTP_RESTORE_0.exe -autorun
.
Contents of the 'Scheduled Tasks' folder
2008-08-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2004-04-17 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE [2004-08-04 00:56]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\o0wxqnqc.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-08-24 13:13:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-24 13:25:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-24 20:25:40
ComboFix2.txt 2007-09-30 06:47:16
Pre-Run: 42,123,296,768 bytes free
Post-Run: 43,493,605,376 bytes free
220 --- E O F --- 2008-08-13 10:06:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:39 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\wscmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [wscmgr] C:\WINDOWS\wscmgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYUS (http://\"http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm027YYUS\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab (http://\"http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab (http://\"https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab\")
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB (http://\"http://support.dell.com/systemprofiler/SysPro.CAB\")
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1611.cab (http://\"http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab\")
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (http://\"http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab\")
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (http://\"http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab (http://\"http://www.acclaim.com/cabs/acclaim_v5.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab (http://\"http://messenger.zone.msn.com/binary/Chess.cab57176.cab\")
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10905 bytes
-
Can you please do the following for me
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
Edit:>>Can you also let me know what drive letter
G represents
Is it an external USB flash drive?
-
Drive G is not showing up. it could be the external flash that my son was using, we had trouble getting it to end program several re-boots ago. it is not plugged in.
32 Bit HP CIO Components Installer
ABBYY FineReader 5.0 Sprint
Action Replay Code Manager
Adobe Acrobat 4.0
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
Before You Know It 3.6
Bonjour
CCleaner (remove only)
CCScore
Championship Bass
Chuzzle Deluxe (remove only)
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
DA920EN
DD Tournament Poker 1.2
Dell AIO Printer A920
Dell Digital Jukebox Driver
Dell Media Experience
Dell ResourceCD
Dell Solution Center
Dell Support 5.0.0 (766)
DVDSentry
EA Network Play System
EA SPORTS online 2004
EarthLink Setup Files
EAX(tm) Unified (SHELL)
ebgcInfra
ebgcRes
ebgcSDK
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
EVEREST Home Edition v2.20
FaxTools
FinePixViewer Ver.4.0
FUJIFILM USB Driver
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 8.0
HP Officejet J3600 Series
HP Photosmart Cameras 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Solution Center 8.0
ImageMixer VCD for FinePix
Indeo® software
In-Fisherman Freshwater Trophies
Insaniquarium Deluxe 1.1
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Default Page
iPod for Windows 2005-09-23
iPod for Windows 2006-03-23
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java DB 10.2.2.0
Java(tm) 6 Update 2
Java(tm) 6 Update 5
Java(tm) SE Development Kit 6 Update 2
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Logitech Desktop Messenger
Logitech MouseWare 9.79.1
Logitech Resource Center
MAX DS Video Converter
Microangelo Toolset 6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Muppets - Bright2
MUSICMATCH® Jukebox
My Disney Kitchen
Mystery P.I. - The Vegas Heist 1.0.0.3
Napster for Windows Media Player
Notifier
OfotoXMI
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
OTtBP
OTtBPSDK
Pokémon
PowerDVD
Pro Fishing 3D
ProModule: PowerPoint Support
ProModule: Quick Message
ProModule: SongSelect 3.0 Support
ProModule: SongSelect Lyrics Service Import
ProModule: Transitions 1
ProModule: Transitions 2
ProModule: Transitions 3
ProModule: Transitions 4
ProModule: Video Background
ProModule: Visualizations 1
ProModule: Visualizations 2
ProModule: Visualizations 3
ProModule: Visualizations 4
QuickTime
RAW FILE CONVERTER LE
RealArcade
RealPlayer
Rhapsody
Safari
Sansa Media Converter
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
SFR
SHASTA
Shockwave
SKIN0001
SKINXSDK
SmartMusic 10
SongShow Plus
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SonicStage 3.4
SpywareBlaster v3.5.1
SspSamples: Bible Atlas Images
SspSamples: Creative Interlude Sampler 2
SspSamples: Digital Hotcakes
SspSamples: Digital Juice Images
SspSamples: Digital Juice Jumpbacks
SspSamples: Whitmer Photography
SspSamples: WorshipFilms
SspSamples: WorshipScapes Images
SspSamples: WorshipScapes Videos
Starshine Episode 1
staticcr
Tiger Woods PGA TOUR 2004
U3Launcher
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
URGE
Verizon Online DSL
Verizon Online Help and Support
VPRINTOL
Wheel of Fortune (remove only)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver
WinZip
WinZip Self-Extractor
WIRELESS
WordPerfect Office 11
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool
Zuma Deluxe
-
sorry about the delay, can you still do the following please
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
[color=\"blue\"]Updating Java:[/color]- Download the latest version of Java Runtime Environment (JRE) 6 (http://\"http://java.sun.com/javase/downloads/index.jsp\").
- Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
- Click the "Download" button to the right.
- In the Window that opens, select Windows,>>Check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs:- Java 2 Runtime Environment, SE v1.4.2
- J2SE Runtime Environment 5.0
- J2SE Runtime Environment 5.0 Update 2
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u7-windows-i586-p.exe that you downloaded to install the newest version.
Afterwards:
Download the Flash_Disinfector.exe from here and save to desktop
http://www.techsupportforum.com/sectools/s...Disinfector.exe (http://\"http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe\")
Don't run it yet
Delete your copy of Combofix.exe,
Download a copy of ComboFix from [color=\"#FF0000\"]> HERE <[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")[/url]
Save it ONLY to your desktop
Don't run it yet
Run Flash_Disinfector.exe, Follow the prompts
Insert any removable flash drives you may have when prompted>>This includes any USB flash drives you have accessible as they may be infected also
follow the prompts, when done, leave the flash drives and/or any removeable media inserted to the computer
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work
[color=\"#0000FF\"]File::
C:\WINDOWS\wscmgr.exe
C:\mssadv.dll
C:\0xf9.exe
C:\msscan.dll
C:\msiemon.dll
C:\msfw.dll
C:\msctrl.dll
C:\msavsc.dll
G:\MSOCache\doWTP_RESTORE_0.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"=-
"Adobe Reader Speed Launcher"=-
"QuickTime Task"=-
"wscmgr"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{145135b2-6da9-11dd-b086-000cf1e5dee4}]
[/color]
Save this as txtfile on your desktop
CFScript
Then
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
I'll need to see that log again later
After that is done, please do the following
Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935 (http://\"http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlpid=10322935\")
Save the installer to desktop, but do not install it yet
Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time
NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it
A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"
Quarantine or delete everything it finds
When the scan is finished
Reboot the computer
Back in Windows
Can you post all the following back please
It may take more than one reply to do so
1. Post a fresh hijackthis log
2. Post again the fresh log from ComboFix>>C:\ComboFix.txt
3. Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"
-
my son seems to have misplaced the flashdrive, may I proceed with the other instructions regardless until we find it or is success dependant on the flashdrive fix?
thank you, H
-
It would be nice if we could also clean the flash drive, but for now, that's ok
Just carry on with the instructions
If you do find the flash drive, it should be formatted, if not formatted, it should be cleaned with a virus scanner
Run Flash_Disinfector again as described earlier
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:15 AM, on 9/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYUS (http://\"http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm027YYUS\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab (http://\"http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab (http://\"https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab\")
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB (http://\"http://support.dell.com/systemprofiler/SysPro.CAB\")
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1611.cab (http://\"http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab\")
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (http://\"http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab\")
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (http://\"http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab (http://\"http://www.acclaim.com/cabs/acclaim_v5.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab (http://\"http://messenger.zone.msn.com/binary/Chess.cab57176.cab\")
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 11009 bytes
ComboFix 08-09-01.01 - Heather 2008-09-01 22:12:44.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.197 [GMT -7:00]
Running from: C:\Documents and Settings\Heather\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Heather\Desktop\CFScript.txt
* Created a new restore point
[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
FILE ::
C:\0xf9.exe
C:\msavsc.dll
C:\msctrl.dll
C:\msfw.dll
C:\msiemon.dll
C:\mssadv.dll
C:\msscan.dll
C:\WINDOWS\wscmgr.exe
G:\MSOCache\doWTP_RESTORE_0.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\0xf9.exe
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\bin.clearspring.com
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\#SharedObjects\HK4ZCHFW\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Heather\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Heather\Cookies\[email protected][1].txt
C:\msavsc.dll
C:\msctrl.dll
C:\msfw.dll
C:\msiemon.dll
C:\mssadv.dll
C:\msscan.dll
C:\WINDOWS\wscmgr.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.
2008-08-31 00:30 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-08-31 00:22 . 2008-08-31 00:22 0 --a------ C:\WINDOWS\SYSTEM32\REN85.tmp
2008-08-31 00:22 . 2008-08-31 00:22 0 --a------ C:\WINDOWS\SYSTEM32\REN84.tmp
2008-08-20 09:58 . 2002-08-29 03:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-08-18 21:41 . 2008-08-31 00:27 605 --a------ C:\WINDOWS\data7933~.sys
2008-08-18 21:41 . 2008-08-31 00:27 605 --a------ C:\WINDOWS\data7933.sys
2008-08-18 13:59 . 2008-08-18 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-04 00:34 . 2008-08-04 00:34 <DIR> d-------- C:\Program Files\Bonjour
2008-08-04 00:23 . 2008-08-04 00:23 <DIR> d-------- C:\Program Files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 04:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-01 15:23 24 ----a-w C:\Documents and Settings\Heather\jagex_runescape_preferences.dat
2008-08-31 07:30 --------- d-----w C:\Program Files\Java
2008-08-19 14:38 --------- d-----w C:\Documents and Settings\Heather\Application Data\U3
2008-08-18 06:49 --------- d-----w C:\Documents and Settings\Heather\Application Data\Apple Computer
2008-08-04 07:37 --------- d-----w C:\Program Files\iTunes
2008-08-04 07:36 --------- d-----w C:\Program Files\iPod
2008-08-04 07:33 --------- d-----w C:\Program Files\QuickTime
2008-07-30 16:53 --------- d-----w C:\Program Files\Google
2008-07-27 22:09 --------- d-----w C:\Program Files\FastCrawl_at
2008-07-27 21:55 --------- d-----w C:\Documents and Settings\Heather\Application Data\GetRightToGo
2008-07-27 21:45 --------- d-----w C:\Program Files\EmpiresandDungeons_at
2008-07-27 21:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-26 21:12 --------- d-----w C:\Program Files\Feudalism_at
2008-07-21 18:29 --------- d-----w C:\Program Files\Apple Software Update
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-07-07 18:51 --------- d-----w C:\Program Files\Windows Live
2008-07-07 18:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-07 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2007-11-10 07:20 64,504 ----a-w C:\Documents and Settings\Heather\Application Data\GDIPFONTCACHEV1.DAT
2007-02-20 19:51 439,296 ----a-w C:\Documents and Settings\Heather\GoToAssist_phone__317_en.exe
2007-02-18 04:07 8 ----a-w C:\Documents and Settings\Heather\Application Data\usb.dat.bin
.
((((((((((((((((((((((((((((( snapshot@2008-08-24_13.25.18.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-07-19 05:10:20 36,552 ----a-w C:\WINDOWS\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\wups.dll
+ 2008-07-19 05:10:40 45,768 ----a-w C:\WINDOWS\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 15:24 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36 81920]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 14:37 936960]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 03:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 03:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 03:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 03:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-11 07:10:51 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-10-27 23:47:42 1078]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sony Pictures Games\\Wheel of Fortune\\Wheel of Fortune.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2003-12-17 10:50]
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys [2001-11-12 17:07]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2008-09-01 22:18:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-01 22:22:26
ComboFix-quarantined-files.txt 2008-09-02 05:22:18
ComboFix2.txt 2008-08-24 20:25:45
ComboFix3.txt 2007-09-30 06:47:16
Pre-Run: 45,456,035,840 bytes free
Post-Run: 45,556,490,240 bytes free
182 --- E O F --- 2008-08-13 10:06:54
Avira AntiVir Personal
Report file date: Tuesday, September 02, 2008 19:50
Scanning for 1594576 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: NEWMAN
Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 17:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 22:54:15
ANTIVIR2.VDF : 7.0.6.94 2998784 Bytes 8/31/2008 02:47:37
ANTIVIR3.VDF : 7.0.6.106 129024 Bytes 9/2/2008 02:47:38
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 9/3/2008 02:47:44
AESCN.DLL : 8.1.0.23 119156 Bytes 7/10/2008 21:44:49
AERDL.DLL : 8.1.0.20 418165 Bytes 4/24/2008 21:37:48
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/15/2008 21:58:35
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 9/3/2008 02:47:43
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 9/3/2008 02:47:42
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/10/2008 21:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 9/3/2008 02:47:40
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 17:33:21
AECORE.DLL : 8.1.1.8 172406 Bytes 7/31/2008 17:33:21
AEBB.DLL : 8.1.0.1 53617 Bytes 7/10/2008 21:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 9/3/2008 02:47:38
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Tuesday, September 02, 2008 19:50
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'msn6.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'McciBrowser.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'LaunchU3.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'McciTrayApp.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'IntelMEM.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
50 processes with 50 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '71' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\cf\27cf
[DETECTION] Contains recognition pattern of the JS/StartPage.C Java script virus
[NOTE] The file was moved to '48f50204.qua'!
C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\d1\fad1
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '491f0240.qua'!
C:\QooBox\Quarantine\C\0xf9.exe.vir
[DETECTION] Is the TR/Dldr.VB.gob Trojan
[NOTE] The file was moved to '4924066e.qua'!
C:\QooBox\Quarantine\C\msavsc.dll.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '491f066c.qua'!
C:\QooBox\Quarantine\C\msctrl.dll.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '4921066e.qua'!
C:\QooBox\Quarantine\C\msfw.dll.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '49240670.qua'!
C:\QooBox\Quarantine\C\msiemon.dll.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '49270672.qua'!
C:\QooBox\Quarantine\C\mssadv.dll.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '49310674.qua'!
C:\QooBox\Quarantine\C\msscan.dll.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '49310675.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\msavsc.exe.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '491f067a.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\msctrl.exe.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '4921067c.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\msfw.exe.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '4924067e.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\msiemon.exe.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '49270680.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\mssadv.exe.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '49310682.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\mssadv_sp.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49310684.qua'!
C:\QooBox\Quarantine\C\Program Files\Microsoft Security Adviser\msscan.exe.vir
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '4931068c.qua'!
C:\QooBox\Quarantine\C\WINDOWS\wscmgr.exe.vir
[DETECTION] Is the TR/PSW.Delf.abx.2 Trojan
[NOTE] The file was moved to '4921068d.qua'!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\CbEvtSvc.exe.vir
[DETECTION] Is the TR/Dldr.Exchanger.AM Trojan
[NOTE] The file was moved to '4903067c.qua'!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lphcvw5j0evag.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4926068b.qua'!
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\phcvw5j0evag.bmp.vir
[DETECTION] Is the TR/Fakealert.AAF Trojan
[NOTE] The file was moved to '49210683.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002134.exe
[DETECTION] Is the TR/Dldr.VB.gob Trojan
[NOTE] The file was moved to '48ee069c.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002135.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '494ef875.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002136.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee069e.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002137.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '494ef877.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002138.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee069d.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002139.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '494ef876.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002140.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee069f.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0002141.exe
[DETECTION] Is the TR/PSW.Delf.abx.2 Trojan
[NOTE] The file was moved to '494ef848.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000137.exe
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee06ac.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000138.exe
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '494ef845.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000139.exe
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee06ad.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000140.exe
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '494ef846.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000141.exe
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '48ee06af.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000142.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '494ef858.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000143.exe
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee06ae.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000144.exe
[DETECTION] Is the TR/Dldr.Exchanger.AM Trojan
[NOTE] The file was moved to '494ef847.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000146.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '48ee06a0.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000207.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '48ee06b1.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000208.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '494ef85a.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000209.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee06b3.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000210.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee06b2.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000211.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '494ef85b.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000212.dll
[DETECTION] Is the TR/Agent.vgo Trojan
[NOTE] The file was moved to '48ee06b4.qua'!
End of the scan: Tuesday, September 02, 2008 20:54
Used time: 1:03:58 Hour(s)
The scan has been done completely.
12179 Scanning directories
317793 Files were scanned
42 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
43 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
317748 Files not concerned
4025 Archives were scanned
2 Warnings
43 Notes
-
I missed a couple of files
Can you do the following please
Download [color=\"blue\"]OTMoveIt2.exe[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe\") by OldTimer:- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the entries below in Blue to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
[color=\"#0000FF\"]C:\WINDOWS\data7933~.sys
C:\WINDOWS\data7933.sys
[/color]
======================================================
- Return to OTMoveIt2, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "[color=\"red\"]MoveIt![/color]" button.
- Close OTMoveIt when it has completed.
[color=\"red\"]Note[/color]: If an entry cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <-indicates date_time of log
Can I see that log
Also let me know how things are now running
-
no detectable changes yet, however sometimes when I open a webpage it's set to work offline, this just happens
webpages still won't display pictures and still can't get into Email Removed messages.
C:\WINDOWS\data7933~.sys moved successfully.
C:\WINDOWS\data7933.sys moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09042008_011815
-
Can you do the following please
Do a "System scan only" with Hijackthis and put a check next to these entries:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYUS (http://\"http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYUS\")
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
do pictures just not work in Internet Explorer?
Does everything appear ok in both Mozilla Firefox and/or Safari Web browsers?
You have both installed
-
do pictures just not work in Internet Explorer?
Does everything appear ok in both Mozilla Firefox and/or Safari Web browsers?
You have both installed
don't know, I only use IE, don't want the other browsers, they mysteriously appeared.
still no improvement but it's no worse either.
-
Okay, but can you please Open Mozilla Firefox browser
and browse to your normal pages and let me know if pics show
-
everything seems to work fine on Safari, can't access modzilla
-
Can we try resetting defaults in IE
Print these instructions or save them to a text file on desktop
close IE if open
Go to START>>Control Panel>>In Classic View
Click on "Internet Options"
Under the General tab>>Click on SETTINGS under Browsing History
Under Temporary Internet Files set to Automatically if not selected>>Ok it
Then click the Delete... button under Browsing History
Choose to clean the following
Temporary Internet Files
Cookies
History
Click Close
Under the Content tab
Choose to Clear SSL State
Under the Advanced tab
Click the Restore Advanced Settings
Apply and OK it
Now try to reopen IE and see if it works normally
-
sorry for the long delay, we've been moving.
this fix has worked nicely for the IE issue.
Still concerned about lurking nasties. Can you recommend a fairly fast way to back-up everything and go ahead with a wipe. I still have the malfunctioning virus protection that I cannot seem to get rid of or replace with another AV.
thanks again, as always you're the best.
-
I still have the malfunctioning virus protection that I cannot seem to get rid of or replace with another AV
I'm not sure what you mean by malfunctioning
Is it Avira your talking about?
Can you explain please
In addition post a fresh hijackthis log for review
-
sorry, I'm expecting you to read my mind.
I used to have an old version of Mcafee that we were unable to uninstall way back when, but when I just went to look for it it seems that the Avira took care of things. very nice. so disregard the AV issue.
other issues, I cannot access outlook express since the move, may or may not have to do with moving.
I still cannot get into Email Removed, it loads all the way till I try to open a message then won't open anything.
here's your logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:14 AM, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.arcadetown.com/swf/hamsterball/...tgameloader.cab (http://\"http://www.arcadetown.com/swf/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab (http://\"https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab\")
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB (http://\"http://support.dell.com/systemprofiler/SysPro.CAB\")
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axvers...ntquick1611.cab (http://\"http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab\")
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (http://\"http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab\")
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (http://\"http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab\")
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab (http://\"http://www.acclaim.com/cabs/acclaim_v5.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab (http://\"http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab (http://\"http://messenger.zone.msn.com/binary/Chess.cab57176.cab\")
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10987 bytes
-
I cannot access outlook express since the move
\\
The Email addy your using, is it related to your ISP?
Are you using the same ISP (Internet Service Provider)
I still cannot get into Email Removed
The forum doesn't allow posting some email addresses
Can you space it out, the email provider you using
Eg.. ya hoo.com
Notice the single space