TheTechGuide Forum
General Category => Tech Clinic => Topic started by: tonez on March 06, 2009, 04:58:19 PM
-
Here's a quick info about my PC. AVG has detected this in winlogon.exe called Trojan horse Generic12.BYMI and it seems like a link to an infected site called goasi.cn**/ex/a.php (I added the stars** to avoid an automatic link to that website)
A program called Malwarebytes -anti malware also detected 12 infected files but it's stills scanning so I wont get the results till its done.
Heres my HJT results
------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:56 PM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.EXE
C:\Program Files\Microsoft Windows Feedback Panel\FileChurn.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPArpMon.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPASIEve.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [WindowsTelemetry] C:\Program Files\Microsoft Windows Feedback Panel\\WFPUser.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TransTaskBar] "C:\Documents and Settings\Owner.ANTHONE\Local Settings\Temp\TransTaskBar.exe" /silent /TransLevel:74
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL (http://\"http://kl.bar.need2find.com/KL/menusearch.html?p=KL\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab (http://\"http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab\")
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://live.littlechiquita.com/wcsarview.cab (http://\"http://live.littlechiquita.com/wcsarview.cab\")
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB (http://\"https://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab (http://\"https://signup.msn.com/pages/MsnInstC.cab\")
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab (http://\"http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab (http://\"http://lads.myspace.com/upload/MySpaceUploader1006.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab (http://\"http://media.labs.live.com/all/ps/_code_/Photosynth.cab\")
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx (http://\"http://www.tvkoo.com/update/KooPlayer.ocx\")
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab (http://\"https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab\")
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab (http://\"http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab\")
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab (http://\"http://go.divx.com/plugin/DivXBrowserPlugin.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128830050062 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128830050062\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB (http://\"https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab (http://\"http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab (http://\"http://www.gamespot.com/KDX/kdx.cab\")
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 (http://\"https://secure.logmein.com/activex/ractrl.cab?lmi=100\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 16747 bytes
-------------
Thank you
-
After you are done running the scan with Malwarebyte's Anti-Malware
I need to see it's log
A copy of it can also be found in Malwarebytes under the tab >>Logs
If you are asked to reboot after removing everything selected by MBAM
Do that first before posting the log
Also, I will need to see a fresh Hijackthis log after you post the log from MBAM
-
I have both malwarebytes AND windows onecare tune-up scanning. Not sure if this is a good idea but AVG was scanning my PC for the past 2 days, so I am letting these 2 programs scan at the same time to save time.
-
so I am letting these 2 programs scan at the same time to save time.
That's not saving me anytime
Does Windows Live onecare have AntiVirus software?
Is it the Trial version?
Is not a good idea to have more than one Active AntiVirus software installed
Can cause system instabilities and slow down your computer
Why don't you finish all your scans and get back to me when you are ready
At the point that you post back to me, can you refrain from running any more scanners till I get a chance to look at some logs
Edit>>Just noticed you said windows onecare tune-up
Sorry, mistook it for the full install program
Not a good idea to run a couple scanners at the same time, give one a chance then the other
We'll still have to start fresh once you've finished your scanning
-
Okay this is my Malwarebytes log...
All the boxes are checked and ready to be Removed, but I'll wait for your instructions.
----------
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2
3/6/2009 4:27:55 PM
mbam-log-2009-03-06 (16-07-46).txt
Scan type: Quick Scan
Objects scanned: 167744
Time elapsed: 3 hour(s), 29 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter.1 (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2ab289ae-4b90-4281-b2ae-1f4bb034b647} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.
Files Infected:
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe (Adware.PurityScan) -> No action taken.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner.ANTHONE\Local Settings\Temp\mshtml2.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner.ANTHONE\Local Settings\Temp\sft_ver1.1454.0.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Owner.ANTHONE\Local Settings\Temp\Setup_ver1.1409.0.exe (Trojan.FakeAlert) -> No action taken.
--------
This is the new HJT log after scanning my PC with malwarebytes.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:02 PM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.EXE
C:\Program Files\Microsoft Windows Feedback Panel\FileChurn.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPArpMon.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPASIEve.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [WindowsTelemetry] C:\Program Files\Microsoft Windows Feedback Panel\\WFPUser.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TransTaskBar] "C:\Documents and Settings\Owner.ANTHONE\Local Settings\Temp\TransTaskBar.exe" /silent /TransLevel:74
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL (http://\"http://kl.bar.need2find.com/KL/menusearch.html?p=KL\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab (http://\"http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab\")
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://live.littlechiquita.com/wcsarview.cab (http://\"http://live.littlechiquita.com/wcsarview.cab\")
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB (http://\"https://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab (http://\"https://signup.msn.com/pages/MsnInstC.cab\")
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab (http://\"http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab (http://\"http://lads.myspace.com/upload/MySpaceUploader1006.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab (http://\"http://media.labs.live.com/all/ps/_code_/Photosynth.cab\")
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx (http://\"http://www.tvkoo.com/update/KooPlayer.ocx\")
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab (http://\"https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab\")
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab (http://\"http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab\")
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab (http://\"http://go.divx.com/plugin/DivXBrowserPlugin.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128830050062 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128830050062\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB (http://\"https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab (http://\"http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab (http://\"http://www.gamespot.com/KDX/kdx.cab\")
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 (http://\"https://secure.logmein.com/activex/ractrl.cab?lmi=100\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 16664 bytes
----------
-
You done?
I hope so, let's try fixing Problems on your computer
Download [color=\"#FF0000\"]> ATF Cleaner <[/color] (http://\"http://www.atribune.org/ccount/click.php?id=1\") by Atribune and save it to your Desktop.
Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu
Let's take a look at MalwareByte's AntiMalware
It's sorrly outdated
Here is the version your running
Malwarebytes' Anti-Malware 1.34
Database version: 1749
The version I have at this moment is
Database version: 1825
Run Malwarebytes AntiMalware from the shortcut on desktop
- Please be sure to check for UPDATES
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
1. With that log from MBAM
2. Can you run a fresh scan and Save logfile with Hijackthis and post it's contents
-
Well I finished scanning it with malwarebytes and it did not scan anything else, however my AVG keeps picking this up.
(http://i41.tinypic.com/14snznd.jpg)
along with other trojans in system_volume folder which I've unhid to see if theres more, but I only see 2 files in there that arent viruses.
I just did an HJT scan and heres my result
--------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:30 AM, on 3/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows Feedback Panel\FileChurn.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPArpMon.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPASIEve.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [WindowsTelemetry] C:\Program Files\Microsoft Windows Feedback Panel\\WFPUser.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TransTaskBar] "C:\Documents and Settings\Owner.ANTHONE\Local Settings\Temp\TransTaskBar.exe" /silent /TransLevel:74
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL (http://\"http://kl.bar.need2find.com/KL/menusearch.html?p=KL\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files\PPLive\PPLive.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab (http://\"http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab\")
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} (WCSAXrview Control) - http://live.littlechiquita.com/wcsarview.cab (http://\"http://live.littlechiquita.com/wcsarview.cab\")
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB (http://\"https://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab (http://\"https://signup.msn.com/pages/MsnInstC.cab\")
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab (http://\"http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab\")
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab (http://\"http://lads.myspace.com/upload/MySpaceUploader1006.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab (http://\"http://spaces.msn.com//PhotoUpload/MsnPUpld.cab\")
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab (http://\"http://media.labs.live.com/all/ps/_code_/Photosynth.cab\")
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx (http://\"http://www.tvkoo.com/update/KooPlayer.ocx\")
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab (http://\"https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab\")
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab (http://\"http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab\")
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab (http://\"http://go.divx.com/plugin/DivXBrowserPlugin.cab\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128830050062 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128830050062\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB (http://\"https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab (http://\"http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab (http://\"http://www.gamespot.com/KDX/kdx.cab\")
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 (http://\"https://secure.logmein.com/activex/ractrl.cab?lmi=100\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 16372 bytes
-------------------
-
You didn't post the new log from Malwarebytes
You can find that log within MBAM, under the LOGS tab
In addition:
Download ComboFix from one of these locations:
[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://www.forospyware.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 3[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]
--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
-
Here's the malwarebytes log from last night. Ill run combo fix now.
------------------------
Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 2
3/8/2009 12:12:12 AM
mbam-log-2009-03-08 (00-12-11).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 512022
Time elapsed: 21 hour(s), 59 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Quick question, am I suppose to have System Restore checked on "Computer/Properties/System Restore tab" because I unchecked it after finding out that System Restore was infected after doing it twice with no result.
ComboFix is scanning now, but this may take awhile. My computer is lagging really bad, I don't know why.
-
You really have to slow down, and ONLY do what I ask for now
Your getting way to far ahead, causing more troubles for both of us
Does ComboFix look like it's scanning
Are you posting on the same computer as your running ComboFix?
-
No I'm using another computer. combofix is scanning now and I see "completed stage_50" so I will come back when its all over.
-
here is teh combofix log
ComboFix 09-03-06.02 - Owner 2009-03-08 11:10:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.76 [GMT -7:00]
Running from: c:\documents and settings\Owner.ANTHONE\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Windows OneCare Antivirus *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Windows OneCare Firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner.ANTHONE\Application Data\Adobe\Player.exe.bak
c:\windows\cdmxtras
c:\windows\cdmxtras\uninst.exe
c:\windows\IE4 Error Log.txt
c:\windows\patch.exe
c:\windows\system32\au3305adc.dll
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.htm
c:\windows\system32\cache329\B_329_1_0_454300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_1_0_449200.htm
c:\windows\system32\cache329\t_B_329_1_0_454300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WayJmUvw.ini2
c:\windows\system32\WGOqAcdd.ini2
c:\windows\system32\wpcap.dll
c:\windows\wiaserviv.log
D:\Autorun.inf
E:\Autorun.inf
[color=\"RED\"] c:\windows\system32\userinit.exe . . . is infected!![/color]
[color=\"RED\"] c:\windows\system32\svchost.exe . . . is infected!![/color]
[color=\"RED\"] c:\windows\system32\spoolsv.exe . . . is infected!![/color]
[color=\"RED\"] c:\windows\explorer.exe . . . is infected!![/color]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.
2009-03-06 14:30 . 2009-03-06 14:30 <DIR> d-------- c:\program files\Trend Micro
2009-03-06 12:22 . 2009-03-06 12:22 <DIR> d-------- c:\documents and settings\Owner.ANTHONE\Application Data\Malwarebytes
2009-03-06 12:21 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 12:21 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 12:20 . 2009-03-06 12:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 12:20 . 2009-03-06 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 12:26 . 2009-03-03 12:29 162,816 --a------ c:\windows\system32\302.tmp
2009-03-03 12:26 . 2009-03-03 12:26 88 --a------ c:\windows\system32\300.tmp
2009-03-03 12:26 . 2009-03-03 12:26 0 --a------ c:\windows\system32\301.tmp
2009-03-03 02:47 . 2009-03-07 20:41 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-03 02:39 . 2009-03-03 12:33 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-03 02:39 . 2009-03-03 02:39 <DIR> d-------- c:\program files\AVG
2009-03-03 02:39 . 2009-03-03 02:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-03 02:39 . 2009-03-03 02:39 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-03 02:39 . 2009-03-03 02:39 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-03 02:39 . 2009-03-03 02:39 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-03 02:39 . 2009-03-03 02:39 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\threedegrees
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Skyhook Wireless
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\SEGA
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Safari
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Pure Networks
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\MSN Screen Saver
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Microsoft Xbox Music Mixer PC Tool
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\illiminable
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\FoxyTunes
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\FolderAccess
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Dearborn
2009-03-03 01:16 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Common Files\NSV
2009-03-03 01:04 . 2009-03-03 01:16 <DIR> d-------- c:\program files\LochJournal
2009-03-03 01:03 . 2009-03-03 01:03 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-03 01:02 . 2009-03-03 01:16 <DIR> d-------- c:\program files\Messenger Plus! Live
2009-03-02 19:17 . 2009-03-02 19:17 30,208 --a------ c:\windows\system32\308.tmp
2009-03-02 19:14 . 2009-03-02 19:17 161,792 --a------ c:\windows\system32\304.tmp
2009-03-02 19:14 . 2009-03-02 19:14 124 --a------ c:\windows\system32\303.tmp
2009-03-02 10:18 . 2009-03-03 01:00 <DIR> d-------- c:\documents and settings\Owner.ANTHONE\.housecall6.6
2009-03-02 10:05 . 2009-03-02 10:05 0 --a------ c:\windows\_id.dat
2009-03-02 10:04 . 2009-03-02 10:04 30,208 --a------ c:\windows\system32\2FA.tmp
2009-03-01 22:52 . 2009-03-01 22:52 0 --a------ c:\windows\system32\2FB.tmp
2009-03-01 14:31 . 2009-03-03 01:17 <DIR> d-------- c:\documents and settings\Owner.ANTHONE\AdobeLicensingFilesBackup
2009-02-08 00:47 . 2009-02-08 00:47 32 --a------ c:\windows\basefx.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 20:06 114 ----a-w C:\sccfg.sys
2009-03-08 08:31 --------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-03-08 08:08 --------- d-----w c:\program files\LogMeIn
2009-03-08 03:42 --------- d-----w c:\documents and settings\All Users\Application Data\WFP
2009-03-03 15:04 --------- d-----w c:\program files\WinPcap
2009-03-03 14:18 --------- d-----w c:\program files\magicISO
2009-03-03 14:15 --------- d-----w c:\program files\Kazaa Lite K++
2009-03-03 14:02 --------- d-----w c:\program files\iIChatLogger
2009-03-03 08:21 --------- d-----w c:\program files\Common Files\Adobe
2009-03-03 08:17 --------- d-----w c:\program files\Trojan Remover
2009-03-03 08:17 --------- d-----w c:\program files\AIMTunes
2009-03-03 08:04 --------- d-----w c:\program files\MSN Messenger
2009-03-03 07:56 --------- d-----w c:\program files\UDPixel
2009-03-02 03:29 --------- d-----w c:\program files\Windows Live
2009-03-01 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-26 01:57 --------- d-----w c:\program files\Steam
2008-12-12 19:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 19:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-03-07 20:58 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2004-12-07 20:30 92,536 ----a-w c:\documents and settings\Owner.ANTHONE\Application Data\GDIPFONTCACHEV1.DAT
2003-09-24 14:30 94,784 -csh--w c:\windows\twain.dll
2004-08-04 10:56 50,688 --sh--w c:\windows\twain_32.dll
2006-02-23 21:54 80 --sh--r c:\windows\system32\9E6F8F5001.dll
2004-09-06 03:33 10,022 -csha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 10:56 1,028,096 --sha-w c:\windows\system32\mfc42.dll
2004-08-04 10:56 54,784 --sha-w c:\windows\system32\msvcirt.dll
2004-08-04 10:56 413,696 --sha-w c:\windows\system32\msvcp60.dll
2007-12-04 18:38 550,912 --sha-w c:\windows\system32\oleaut32.dll
2004-08-04 10:56 83,456 --sha-w c:\windows\system32\olepro32.dll
2004-08-04 10:56 29,184 --sha-w c:\windows\system32\regsvr32.exe
.
------- Sigcheck -------
2003-09-23 21:40 30208 0e30185391664a93adea467fb30d112d c:\windows\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 31744 507d4280883b3b2f86cf419409f7c752 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 17:12 31744 80e8884636e2f24878225ec7e6212371 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
2004-08-04 03:56 31744 a91cf50336aff204e52c96739fe587be c:\windows\system32\svchost.exe
2007-06-13 03:23 1050624 064764874e384ce81c976a2b23101287 c:\windows\explorer.exe
2007-06-13 04:26 1050624 7c9855e139757c4ff9b0aea726e45063 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2003-09-23 13:32 1021440 f3bd0a5fbe5ac1102068af36f1de5dea c:\windows\$NtServicePackUninstall$\explorer.exe
2003-09-23 13:32 1021440 4beb38ca693bcc872f01060ce4aeb560 c:\windows\$NtUninstallKB820291$\explorer.exe
2004-08-04 03:56 1049600 b6ead87cff7cd1beab8d15bae4a0344d c:\windows\$NtUninstallKB938828$\explorer.exe
2004-08-04 03:56 1049088 a120c5a41edde16e888bc1c12d3923d4 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-13 17:12 1050624 61c4df4d6b876a7ed811c69977781ffe c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2007-06-13 03:23 1050624 ce5d36031342ded2f3556889d100f6ba c:\windows\system32\dllcache\explorer.exe
2003-09-23 13:54 30720 651996b9e028a6cb9300f751851635fd c:\windows\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 03:56 32768 46cd882e4a9513fa4493f69bd8ce5a48 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 17:12 32768 fda80b85f613580c9775e1cae6981e2e c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
2004-08-04 03:56 32768 7217d1f15893498e12426adc35464080 c:\windows\system32\ctfmon.exe
2004-08-04 03:56 32768 03c80a6a1a561bffe132465fcde7032f c:\windows\system32\dllcache\ctfmon.exe
2005-06-10 17:17 75264 e62e147599af3f9f0bb818b9d425051a c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2003-09-24 05:19 68608 d5bf1bd8ebe36342e1231548b16bcd23 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 03:56 75264 6358865e9c84bcbecb67b8bf5d792994 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 03:56 75264 044bec1aeabbb690fb2cf3cc35079aa5 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 17:12 75264 4adca18e0b6ad9daa5af45ab194ad1de c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
2005-06-10 16:53 75264 e31e3d84663d285c15d5925a43607679 c:\windows\system32\spoolsv.exe
2003-09-23 21:45 39424 ff8b53ed5cad216a3156e76b81e74b40 c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 03:56 41984 e93743a26b7dcac4bf4f059b80c421e2 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 17:12 43520 16a4911aeba83a43beb52fe8daf4678f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2004-08-04 03:56 41984 8f831b54d54841b645f59ca5c2783ede c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32768]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 221696]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1220608]
"Google Update"="c:\documents and settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 70144]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 69632]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 503808]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 81920]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 262144]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-12-05 3022848]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 360448]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2006-01-05 262104]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-12 217088]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 57344]
"WindowsTelemetry"="c:\program files\Microsoft Windows Feedback Panel\\WFPUser.exe" [2008-12-12 177016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-24 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-03 1601304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\Owner.ANTHONE\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-01-21 139264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WFPUser.lnk - c:\program files\Microsoft Windows Feedback Panel\wfpuser.exe [2008-12-12 177016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 13:25 139264 c:\progra~1\COMMON~1\stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 22:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-03 02:39 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 08:03 87352 c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MSN Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MSN Desktop Search.lnk
backup=c:\windows\pss\MSN Desktop Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.ANTHONE^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Owner.ANTHONE\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.ANTHONE^Start Menu^Programs^Startup^AquariumDesktop2006.lnk]
path=c:\documents and settings\Owner.ANTHONE\Start Menu\Programs\Startup\AquariumDesktop2006.lnk
backup=c:\windows\pss\AquariumDesktop2006.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner.ANTHONE^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner.ANTHONE\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
c:\program files\ISP50\BIN\PPCOLink -STATION [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3Degrees]
--a------ 2003-07-14 12:57 245824 c:\program files\threedegrees\threedegrees.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2001-07-20 06:10 73728 c:\program files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CW]
--a--c--- 2006-01-17 18:00 231936 c:\program files\windowsys\cw4.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a--c--- 2003-03-03 22:59 144896 c:\program files\AIM\DeadAIM.ocm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopX]
--a------ 2004-02-10 01:16 556544 c:\program files\Stardock\Object Desktop\DesktopX\DesktopX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 08:02 133104 c:\documents and settings\Owner.ANTHONE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2005-11-15 20:44 1220608 c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 20:00 221184 c:\program files\Microsoft Money\System\mnyexpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1711616 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 13:50 176128 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-12-05 20:50 3022848 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2003-09-12 20:13 118784 c:\windows\system32\ps2.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a--c--- 2006-01-31 05:20 200704 c:\program files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 434176 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a--c--- 2003-11-03 17:50 241664 c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2003-12-18 00:31 139264 c:\windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 18:22 21898024 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-09 15:21 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-01-27 05:53 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2003-10-29 14:17 155648 c:\program files\Multimedia Card Reader\shwicon2k.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-24 08:57 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a--c--- 2004-11-28 20:48 281232 c:\program files\Trojan Remover\Trjscan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 09:01 131072 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
--------- 2006-10-18 22:58 26112 c:\program files\Windows Media Connect 2\WMCCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 16:47 77824 c:\windows\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a--c--- 2003-07-14 18:52 61440 c:\windows\ltmsg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-12-05 20:50 774144 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý�\�†Ð=Ÿà�Û±Þ"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Excursion9.5\\mIRC.ExCurSioN.exe"=
"c:\\Program Files\\threedegrees\\threedegrees.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\threedegrees\\musicmix.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\SteamApps\\anthone\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\XBConnect4\\XBC4.exe"=
"c:\\Program Files\\Steam\\SteamApps\\anthone\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Railroad Tycoon 3\\RT3.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\K-litePro\\k-litepro.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"c:\\Program Files\\Bit Lord 1.1\\BitLord.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:@xpsp2res.dll,-22010
"3540:UDP"= 3540:UDP:*:Disabled:@xpsp2res.dll,-22011
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 mrtRate;mrtRate;
R3 Ipinprospw;Ipinprospw;c:\windows\system32\drivers\nwlnkflt.sys [2003-09-24 12416]
R3 ldiskl;ldiskl;
R3 Mssauisk;Mssauisk;
R3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\DRIVERS\xusb20.sys [2006-10-13 50048]
R4 LMIRfsClientNP;LMIRfsClientNP;
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-03-03 12552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-03 325128]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-03 107272]
S1 MPSHLPR;MPSHLPR;c:\windows\system32\DRIVERS\mpshlpr.sys [2005-10-26 106752]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-03 298264]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-17 47640]
S2 MPSDrv;MPSDrv;c:\windows\system32\DRIVERS\mpsdrv.sys [2005-10-26 82560]
S2 mpssvc;Microsoft Protection Service;c:\program files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe [2005-10-27 836328]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 wfpservice;Windows Feedback Panel Background Service;c:\program files\Microsoft Windows Feedback Panel\WFPService.EXE [2008-12-12 250744]
--- Other Services/Drivers In Memory ---
*Deregistered* - 6to4
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - avg8wd
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - IpFilterDriver
*Deregistered* - IpN
-
You have a nasty virus that infects critical legit files on your computer
Let's see what the next scanner will find
BUT FIRST: As I said earlier
Is not a good idea to have more than one Active AntiVirus software installed
Can cause system instabilities and slow down your computer
Here's what ComboFix is reading
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Windows OneCare Antivirus *On-access scanning enabled* (Outdated)
You MUST remove either Windows Live Onecare or AVG
You choose, but uninstall one, then reboot the computer
Back in Windows
Then,
==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
We'll use it later
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
"TkBellExe"=-
"QuickTime Task"=-
"AlcxMonitor"=-
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://\"ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe\")
DO NOT attempt to run it yet
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Sign in with your Normal Account
Double click on fix.reg and allow to add/merge to the registry at the prompt
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:(http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
-
Thats odd. I can't go on Safe mode. Once I'm on *Pick a user* screen, the PC restarts and goes back to normal view.
Are there other options? There is also Safe Mode with Network and Safe Mode with Command Prompt, but I would need the commands to do the work.
-
Just run Dr.Web in Normal Windows>>Disable your Active Virus Scanner
But before you allow the computer to reboot, after the scan
Double click on fix.reg and allow to merge to the registry
-
Hey I'm back. Dr web was scanning my PC for the past 2-3 days. It caught a lot, but it only Cured a virus called win32.virut.56 which pretty much infected every .exe files on my computer.
At the end of the scan this morning, about 98% done, computer crashed and restarted itself.
I'm not sure if the viruses are back since it was not finalized by the Dr. Web and I couldn't save a log.
On the other hand, I'm in the dr. Web folder and I see a quarantine folder and a CureIt.log which I cant open right now.
And since I didn't manually restart, I havent double clicked or registered fix.reg you told me to do.
Should I re-scan my PC with dr. web?
-
I was able to open CureIt.log and heres a part of the log. It is quite long so I'm only posting this part. The rest of it are ALL the individual files in my C:\ that are "OK'ed" and cured.
=============================================================================
Dr.Web Scanner for Windows v5.00.2 (5.00.2.02090)
© 1992-2009 Igor Daniloff. All rights reserved.
Log generated on: 2009-03-09, 15:39:53 [ANTHONE][Owner]
Command line: "C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\setup.exe" /lng /ini:setup_XP.ini
Operating system: Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
DwShield started
Engine version: 5.00 (5.00.0.12182)
Engine API version: 2.02
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\6f416931 - 153 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\8232b26d - 5947 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\67afca69 - 6039 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\a4942499 - 5309 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\22de4406 - 3511 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\86eee9db - 2495 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\6d4b390c - 4565 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\6c8e56a8 - 4467 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\141e62ca - 5196 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\357ffb6a - 2359 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\045d5010 - 1938 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\48f05196 - 3335 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\6ec4afa9 - 3185 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\c39ead47 - 1468 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\243a7799 - 280 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\8e48f8f9 - 567 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\f55a7770 - 1194 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\c63eb356 - 423328 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\3912492e - 155 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\07759278 - 626 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\b3e4fcc6 - 891 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\412d49f1 - 840 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\2320f11a - 3316 virus records
[Virus database] C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\ba01645c - 19303 virus records
Total virus records: 500467
Key file: C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\setup.key
License key number: 0010537607
Registered to: A User
License key activates on: 2008-12-05
License key expires on: 2009-06-07
Process in memory: System:4 - OK
Process in memory: C:\Program Files\LogMeIn\x86\RaMaint.exe:156 - OK
Process in memory: C:\Program Files\LogMeIn\x86\LogMeIn.exe:196 - OK
Process in memory: C:\Program Files\LogMeIn\x86\LMIGuardian.exe:356 - OK
Process in memory: C:\PROGRA~1\AVG\AVG8\avgam.exe:448 - OK
Process in memory: C:\PROGRA~1\AVG\AVG8\avgrsx.exe:484 - OK
Process in memory: C:\PROGRA~1\AVG\AVG8\avgnsx.exe:492 - OK
Process in memory: C:\WINDOWS\system32\PnkBstrA.exe:560 - OK
Process in memory: C:\WINDOWS\System32\svchost.exe:660 - OK
Process in memory: C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe:688 - OK
Process in memory: \SystemRoot\System32\smss.exe:776 - OK
Process in memory: C:\Program Files\Viewpoint\Common\ViewpointService.exe:804 - OK
Process in memory: \??\C:\WINDOWS\system32\csrss.exe:876 - OK
Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:900 - OK
Process in memory: C:\WINDOWS\system32\services.exe:944 - OK
Process in memory: C:\WINDOWS\system32\lsass.exe:956 - OK
Process in memory: C:\Program Files\Microsoft Windows Feedback Panel\WFPService.EXE:960 - OK
Process in memory: C:\WINDOWS\system32\Ati2evxx.exe:1100 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1128 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1224 - OK
Process in memory: C:\Program Files\iPod\bin\iPodService.exe:1264 - OK
Process in memory: C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe:1272 - OK
Process in memory: C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe:1300 - OK
Process in memory: C:\WINDOWS\System32\svchost.exe:1412 - OK
Process in memory: C:\WINDOWS\System32\svchost.exe:1540 - OK
Process in memory: C:\Documents and Settings\Owner.ANTHONE\Desktop\drweb-cureit.exe:1556 - OK
Process in memory: C:\Program Files\Microsoft Windows Feedback Panel\WFPASIEve.exe:1600 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1612 - OK
Process in memory: C:\Program Files\Microsoft Windows Feedback Panel\FileChurn.exe:1688 - OK
Process in memory: C:\Program Files\Microsoft Windows Feedback Panel\WFPArpMon.exe:1796 - OK
Process in memory: C:\WINDOWS\system32\spoolsv.exe:1832 - OK
Process in memory: C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe:1936 - OK
Process in memory: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe:1952 - OK
Process in memory: C:\Program Files\Bonjour\mDNSResponder.exe:1980 - OK
Process in memory: C:\WINDOWS\System32\svchost.exe:2032 - OK
Process in memory: C:\HP\KBD\KBD.EXE:2068 - OK
Process in memory: C:\Program Files\Windows Media Player\WMPNetwk.exe:2124 - OK
Process in memory: C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe:2184 - OK
Process in memory: C:\Program Files\Microsoft Windows OneCare Live\winss.exe:2284 - OK
Process in memory: C:\WINDOWS\system32\ctfmon.exe:2340 - OK
Process in memory: C:\windows\system\hpsysdrv.exe:2612 - OK
Process in memory: C:\WINDOWS\System32\hphmon05.exe:2640 - OK
Process in memory: C:\Program Files\Rainlendar\Rainlendar.exe:2696 - OK
Process in memory: C:\WINDOWS\ALCXMNTR.EXE:2704 - OK
Process in memory: C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\setup.exe:2756 - OK
Process in memory: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe:2844 - OK
Process in memory: C:\WINDOWS\System32\alg.exe:2856 - OK
Process in memory: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe:2924 - OK
Process in memory: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe:2964 - OK
Process in memory: C:\Program Files\Microsoft IntelliPoint\ipoint.exe:3088 - OK
Process in memory: C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe:3112 - OK
Process in memory: C:\WINDOWS\System32\wbem\wmiprvse.exe:3136 - OK
Process in memory: C:\Program Files\LogMeIn\x86\LogMeInSystray.exe:3292 - OK
Process in memory: C:\Program Files\LogMeIn\x86\LMIGuardian.exe:3316 - OK
Process in memory: C:\Program Files\QuickTime\QTTask.exe:3348 - OK
Process in memory: C:\Documents and Settings\Owner.ANTHONE\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe:3352 - OK
Process in memory: C:\Program Files\Microsoft ActiveSync\wcescomm.exe:3412 - OK
Process in memory: C:\Program Files\Common Files\Real\Update_OB\realsched.exe:3448 - OK
Process in memory: C:\Program Files\iTunes\iTunesHelper.exe:3464 - OK
Process in memory: C:\Program Files\Windows Media Player\WMPNSCFG.exe:3536 - OK
Process in memory: C:\PROGRA~1\MI3AA1~1\rapimgr.exe:3592 - OK
Process in memory: C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe:3836 - OK
Process in memory: C:\WINDOWS\system32\Ati2evxx.exe:3908 - OK
Process in memory: C:\WINDOWS\explorer.exe:3976 - OK
Process in memory: C:\DOCUME~1\OWNER~1.ANT\LOCALS~1\Temp\RarSFX0\_start.exe:3984 - OK
Process in memory: C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe:4060 - OK
Process in memory: C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe:4084 - OK
[Memory scanning] No viruses found
Master Boot Record HDD1 - OK
Active OS/2 or WinNT Boot Sector HDD1 - OK
Master Boot Record HDD2 - OK
[Scan path] c:\documents and settings\admin\start menu\programs\startup\desktop.ini
c:\documents and settings\admin\start menu\programs\startup\desktop.ini - OK
[Scan path] c:\documents and settings\all users\drm\cache\indiv03.key
c:\documents and settings\all users\drm\cache\indiv03.key - OK
[Scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini
c:\documents and settings\all users\start menu\programs\startup\desktop.ini - OK
[Scan path] c:\documents and settings\default user\start menu\programs\startup\desktop.ini
c:\documents and settings\default user\start menu\programs\startup\desktop.ini - OK
[Scan path] c:\documents and settings\guest\start menu\programs\startup\desktop.ini
c:\documents and settings\guest\start menu\programs\startup\desktop.ini - OK
[Scan path] c:\documents and settings\owner\application data\real\rhapsodyplayerengine\nprhapengine.dll
c:\documents and settings\owner\application data\real\rhapsodyplayerengine\nprhapengine.dll - OK
-
Virut is a nasty infection, it infects legit files, Dr. Web may be able to cure all the files, but no guarantee that the system is secure
I suggest that you clean install the operating system, also, check any external flash drives for infected files
Or we can carry on trying to clean the machine, it's up to you
Can I have you upload the Dr.Web log please
The part that you omitted is important
Simply go to Savefile and upload it and post the link to the file back here
There is no need to register at savefile
http://www.savefile.com/upload.php (http://\"http://www.savefile.com/upload.php\")
-
I'm thinking about reformatting the system but i would have to save my documents thru xternal hdd atleast, but i'm worried that an infected file could come along and infect me again after reformatting.
how many more scanners are we gonna go thru if i went ahead? when you said "try", whats the percentage of me actually cleaning it totally? does it have a chance?
by the way, i was using a flash drive to transfer files back n forth from pc to laptop, as soon as i transfered combofix.exe, AVG caught it as a virus in my laptop.
-
I think you best decision would be to clean install
Problem is, your External harddrives, flashdrives also probably have infected files on them that can reinfect you
If you do decide to Format and clean install>>{Do not Repair or install over the top}
Don't plug any external flashdrives, harddrives into the computer until you disabled Autorun on the drives and scan them with an updated Virus scanner
Do you want to go this route, it is the best
Do you have many files/folders to backup?
Also, I'm hoping your other computer is not infected!
Can you post a Hijackthis log from that computer
-
Okay, I guess the best option is to do clean install. I will copy my documents to my external harddrive first and disconnect it before I do clean install, then rescan it for viruses. I only have about 1 gig or less worth of files saving.
I'll post an HJT log for this laptop after I've completely fixed my other one.
-
Here's the typical warning for this one
Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.
Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.
Recent variants also modify htm, html, asp and php files.
Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.
I see your running XP Home edition SP2
you may want to update to Service pack 3 while your at it
In addition, take a look at the following link
Talks about disabling Autoplay feature
http://www.microsoft.com/downloads/details...;displaylang=en (http://\"http://www.microsoft.com/downloads/details.aspx?FamilyID=c7dbcde3-7814-47c5-849e-e64ecfb35d74&displaylang=en\")
-
Okay, I guess the best option is to do clean install. I will copy my documents to my external harddrive first and disconnect it before I do clean install, then rescan it for viruses. I only have about 1 gig or less worth of files saving.
I'll post an HJT log for this laptop after I've completely fixed my other one.
-
Okay I've backed up my files. Quick question, do I need the disc for this to work? I thought we didnt need them anymore for XP? I don't know where to go and format my pc. It's not on F8 startup.
-
You may need the XP CD
What is the Exact Make and model of your computer?
Did you get the XP install CD or Recovery CD's with your computer?
Do you have a Restore partition on your computer?
-
I'm trying to find out if I could acquire the disc in a Best Buy store so I wont have to go thru compaq support and wait for it in the mail.
make and model:
Compaq Presario 061
dw257a-aba sr1050n na510
I don't remember if this came with an install disc back in 04, but theres a D: drive that says Presario_RP and it has files like Recovery with a "yellow lock" icon.
-
Well, you may be in luck, there is no guarantee that Virut has infected the Recovery partition, but chances are that it may not be able to write to it
I'm still not quite sure what Model you have, it should be labelled clearer than that on the side of the box
or in the back
But for now, Here's instructions for a Recovery
http://h10025.www1.hp.com/ewfrf/wc/documen...323#bph07145_cp (http://\"http://h10025.www1.hp.com/ewfrf/wc/document?docname=bph07145&lc=en&dlc=en&cc=us&lang=en&os=228&rule=20789&product=409323#bph07145_cp\")
Follow the steps Outlined in
Recovering during startup
Ensure to do the Destructive Recovery
-
I've pressed F10 then it takes me to Recovery thru MS-DOS where I could go to C:/Windows and type "Format C:" if I wanted to. I dont see an option to do destructive recovery.
After trying it the second time, it took me to a screen that says "COMPAQ" in red font followed by a blue screen that says
STOP: d000000d Unknown Hard Error
Uknown Hard Error
----
Is this the Make you were talking about:
sr1050nx
-
Just an update: I have found a recovery disc for my Sony Vaio laptop which is also a Microsoft Xp Home Edition. I was wondering if I could use it for my Compaq Presario desktop? So I dont have to call compaq support.
-
Nope, you can't use the discs designed specifically for the Vaio laptop
You have to have the proper discs for that make/model computer
Is that the Exact error message your getting?
It sounds like the first time you entered the Recovery Console
and not accessing the Recovery partition
I like having the discs, but the hidden recovery partition should work
If you must get the discs, you can order them from HP for a small fee if there available
Sometimes, they leave it up to the owner to create the discs
What happens when you try running the Destructive recovery from within Windows
The link I posted earlier gives you all instructions
-
I got it working finally. I was probably pressing f10 too many times. Problem now is I forgot to do Destructive, so I will have to do it again once regular recovery is done just to be safe.
-
Advanced INF Installer
INF Install failure. Reason: No Signature was present in the subject.
Agere Win Modem
And RealTek
has not passed Windows Logo testing to verify its compatibility with windows XP
These are the main things that were not installed, but I'm not sure how to get my sound back.
The only hardware I have had installed was a video card (Radeon 9800) back in 04.
I'll try and update everything for now.
-
From the model you listed earlier, you can find your sound drivers here
http://h10025.www1.hp.com/ewfrf/wc/softwar...;product=405454 (http://\"http://h10025.www1.hp.com/ewfrf/wc/softwareList?os=228&lc=en&dlc=en&cc=us&product=405454\")
Your video driver is here
http://support.amd.com/us/gpudownload/wind...mp;lang=English (http://\"http://support.amd.com/us/gpudownload/windows/Pages/radeonaiw_xp.aspx?type=2.4.1&product=2.4.1.3.22&lang=English\")
You only really need the Display driver and not the Full package, up to you
Don't forget about Windows Updates
Maybe before you get Windows Updates you can post a fresh Hijackthis log and we can see what you need installed
With the fresh Hijackthis log
Do the following
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
Sometimes, a Recovery will add a bunch of junk to the computer you don't need installed, we can deal with some of it, before you get XP SP3 installed
Edit>>Remember, don't insert those Flash drives and external Harddrive back to the computer till we have you an updated Virus scanner and disable Autorun
-
Before I do all that, I'm having a difficult time connecting the desktop to the internet.
I've called time warner cable but hasnt been able to help, they told me to contact Compaq and update my drivers under Device Manager my Network Adapters has
1394 Net Adapter and
Ethernet Controller with an exclamation point on the icon.
And I was told to call them to get help updating it.
I'm also using Linksys Router for my wireles laptop right now, but the desktop just isnt working. I keep getting this page cannot be displayed.
-
Did you get a Drivers disk with your computer?
Have you scanned your Flash drive for infection yet?
I don't want you putting it in your laptop if it's infected
Do you have any blank CD's you can use to burn drivers too from your laptop?
-
I guess I'll have to use the flash drive to transfer files. My flash drive only has txt, and docs anyway. They cant possibly be infected
-
Just to be sure, as some files may be hidden
download Flash_Disinfector (http://\"http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe\") and save it to your desktop on the laptop- Double click on Flash_Disinfector.exe to run it. If you receive a prompt, please allow it.
- You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in
- Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
- When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
- Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
[color=\"#4169E1\"]Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.[/color]
Scan the flash drive with an updated virus scanner, you have one on your laptop right
Simply go to MyComputer and right click on the Flash drive and choose to scan it
Then go to the following link
http://h10025.www1.hp.com/ewfrf/wc/softwar...5454&os=228 (http://\"http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=pv-18350-4&lc=en&dlc=en&cc=us&product=405454&os=228\")
From there, download
sp26266.exe and save it to the flash drive
Transfer that file to the Desktop of the "Desktop" computer
Run the installer, reboot afterwards, see if that get's you online
Check device manager and see if you still have yellow exclamation for Ethernet
If your not online yet, come back here and we'll try some other steps
EDIT>>Not sure if you viewed the directions for installing the driver
But here they are, just in case
1. Download the driver package.
2. Double-click on the icon for the driver package downloaded in step 1, and then click NEXT.
3. Accept the terms in the HP license agreement, and then click NEXT.
4. Click OK to continue. The original drivers are now stored in the C:\HP\Drivers\LAN folder.
5. If Device Manager does not start automatically, use the following steps. Otherwise go to step 6:
a. Click Start.
b. Right-click My Computer, and then select Properties.
c. Click the Hardware tab, and then click the Device Manager button.
6. Click the + (plus) sign next to "Network adapters" or "Other devices".
7. Right-click the device you want to update, and then select Update Driver.
8. Click NEXT to install the software automatically
9. Click FINISHED to complete the installation.
In your case, you found Ethernet Controller with exclamation mark, that's the device your after
-
I can't get back online. I went back on device manager and theres till an exclamation point on Ethernet Controller. I right clicked and tried to update it but I got this error:
Hardware Installation
The software you are installing for this hardware:
NVIDIA nForce MCP Networking Controller has not passed windows logo testing to verify its compatibility with windows XP
Continuing your installation of this software my impair or destabilize the correct operation of your system either immediately or in the future. Microsoft strongly recommends that you stop this installation now andcontact the hardware vendor for software that has passed windows logo testing.
[Continue ANyway] [ STOP Installation]
-
I'm sure I'm directing you to your model of computer
Follow my instructions in my last post from #6
That package does contain the Nvidia network driver, so if you posted the right model computer
I think we have the right driver, so Continue Anyways
-
Ok here's a fresh new HJT Log.
One question though, Why did symantec started acting up earlier? about 100+ pop ups started showing up and it was all email proxy like this screenshot I found on google.
http://advait.supnekar.googlepages.com/desktopclutter.JPG (http://\"http://advait.supnekar.googlepages.com/desktopclutter.JPG\")
I hope there arent anymore malware that got thru.
------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:42 PM, on 3/14/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\regwiz.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inf\rundll33.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\afisicx.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sopidkc.exe
C:\WINDOWS\System32\tdctxte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\reader_s.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/ (http://\"http://www.ati.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\regwiz.exe,C:\WINDOWS\System32\undname.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\System32\inf\rundll33.exe C:\WINDOWS\xccdf16_090313a.dll xccd16
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nidle] "C:\Documents and Settings\Owner\Application Data\nidle\nidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\System32\afisicx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\System32\sopidkc.exe
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\System32\tdctxte.exe
--
End of file - 8418 bytes
-
Did you scan that Flash drive?
If so, with what scanner?
Did you hook any other External drives to this computer?
Is this the Hijackthis log from your Desktop or Laptop?
-
I only plugged the flash drive when I transferred the updates. I scanned it and it wasnt infected, and that HJT is from my desktop. Pls let me know if I re-infected my PC so I can reformat again. This PC already shut off itself twice just now, so I'm starting to think that a virus snicked in.
-
Is the Desktop and Laptop networked?
Something is reinfecting you, either your external drives
Or Recovery partition is infected, or networked folders
I'm guessing that the laptop also has been infected, but I can't be sure
If your laptop is also infected, it may be injecting itself into the download of the network driver
Can you post a Hijackthis log from the laptop
-
Okay this is the laptop. Should I just go on and reformat the desktop again?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:47 PM, on 3/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MSOFFI~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MSOFFI~1\Office12\ONBttnIE.dll (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\Office12\REFIEBAR.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.Email Removed.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 8440 bytes
-
Not sure why you keep running with more than one AntiVirus software on your computer
More than one active Virus scanner will cause system conflicts and considerably slow down the machine
I suggest that you keep the one your happiest with and uninstall the other
Afterwards, let's do a double check on the laptop
For the LAPTOP
Download ComboFix from one of these locations:
[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://www.forospyware.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 3[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]
--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
-
ComboFix 09-03-06.02 - Tonez 2009-03-14 17:03:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.99 [GMT -7:00]
Running from: c:\documents and settings\Tonez\Desktop\ComboFix.exe
FW: Windows OneCare Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Readme.txt
.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.
2009-03-14 16:23 . 2009-03-14 16:23 <DIR> d-------- c:\program files\Trend Micro
2009-03-10 17:18 . 2009-03-14 00:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-10 16:40 . 2009-03-10 16:40 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-10 16:24 . 2009-03-10 16:24 <DIR> d-------- c:\program files\7-Zip
2009-03-09 23:32 . 2009-03-09 23:32 <DIR> d-------- c:\documents and settings\Tonez\DoctorWeb
2009-03-07 13:07 . 2009-03-07 13:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 13:07 . 2009-03-07 13:07 <DIR> d-------- c:\documents and settings\Tonez\Application Data\Malwarebytes
2009-03-07 13:07 . 2009-03-07 13:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-07 13:07 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 13:07 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-05 21:05 . 2009-03-08 19:49 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-05 15:04 . 2009-03-05 15:04 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-05 15:04 . 2009-03-05 15:04 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-05 15:04 . 2009-03-05 15:04 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-05 15:03 . 2009-03-14 15:52 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-05 15:03 . 2009-03-05 15:03 <DIR> d-------- c:\program files\AVG
2009-03-05 15:03 . 2009-03-05 15:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-03 18:28 . 2009-03-03 18:28 <DIR> d-------- c:\program files\kSolo
2009-03-03 01:57 . 2009-03-03 01:58 <DIR> d-------- c:\documents and settings\Tonez\Application Data\vlc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 03:43 --------- d-----w c:\program files\PokerStars
2009-03-11 00:00 --------- d-----w c:\program files\Common Files\Adobe
2009-03-10 02:29 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-10 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-03-10 02:19 --------- d-----w c:\program files\Trojan Remover
2009-03-08 07:08 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-26 23:14 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-26 23:13 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 23:08 --------- d-----w c:\program files\Google
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM95\aim.exe" [2004-02-04 61440]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2006-02-23 200424]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2002-12-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1932568]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-05 15:04 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSMPSVC]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus.lnk
backup=c:\windows\pss\D-Link AirPlus.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk
backup=c:\windows\pss\PowerPanel.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-02-04 13:29 61440 c:\program files\AIM95\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2002-10-18 16:58 114688 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2002-11-23 18:52 294912 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
--a------ 2002-08-20 11:29 40960 c:\windows\system32\ezSP_Px.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2003-08-04 17:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-06-02 11:13 267048 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-07-09 14:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 14:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-19 22:15 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
--a--c--- 2002-07-14 12:50 11406 c:\program files\support.com\client\lserver\Server.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a--c--- 2001-09-04 17:24 28672 c:\windows\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a--c--- 2002-03-14 17:46 45056 c:\windows\system32\ico.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Excursion9.4\\Excursion9.4.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-05 107912]
R1 MPSHLPR;MPSHLPR;c:\windows\system32\drivers\mpshlpr.sys [2005-10-26 106752]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-05 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 298264]
R2 MPSDrv;MPSDrv;c:\windows\system32\drivers\mpsdrv.sys [2005-10-26 82560]
R2 mpssvc;Microsoft Protection Service;c:\program files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe [2005-10-27 836328]
R3 LMPC2;LMPC2;c:\windows\system32\drivers\lmpc2.sys [2004-09-28 4224]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-01-02 71961]
S2 mrtRate;mrtRate;
S3 PRISM;IEEE 802.11 Wireless NIC Driver;c:\windows\system32\drivers\EXPRESS.sys [2003-01-02 614912]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
2009-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2003-04-16 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 00:56]
2003-04-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-bcachew - c:\windows\System32\bcachew.exe
MSConfigStartUp-gcasServ - c:\program files\Microsoft AntiSpyware\gcasServ.exe
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\wcescomm.exe
MSConfigStartUp-hzfmhepp - c:\windows\System32\rhfacvdo.exe
MSConfigStartUp-INTLGNTT - c:\windows\System32\INTLGNTT.exe
MSConfigStartUp-McAgentexe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-McUpdateexe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-rmturad - c:\windows\rmturad.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-WhenUSave - c:\progra~1\Save\Save.exe
MSConfigStartUp-_1251c - c:\windows\System32\_1251c.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\msoffi~1\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Tonez\Application Data\Mozilla\Firefox\Profiles\1xixlnab.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2009-03-14 17:07:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2009-03-14 17:14:17
ComboFix-quarantined-files.txt 2009-03-15 00:12:56
Pre-Run: 2,224,603,136 bytes free
Post-Run: 2,931,671,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
229
-
Does Norton's have a Firewall?
Do you have the Laptop and Desktop networked together?
DESKTOP INFORMATION:
Do you only have the C: partition and D: for Recovery partition?
Do you have any other External drives hooked to the desktop?
Insert the Flash drive to the desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Take a look at the contents of the Flash drive
Look at the file extensions, do you have any other extensions backed up besides music files
Text documents
Any zipped files?
Are there ANY .exe or .scr files?
You should see an autorun.inf Folder
Inside that folder should be a file labelled "This folder was created by Flash Disinfector"
Do you see it?
Is your Wireless Router have security enabled and are you using strong passwords?
-
I did another destructive system recovery just to be safe, but let me answer your questions.
[quote name=\'guestolo\' post=\'459513\' date=\'Mar 14 2009, 05:03 PM\']Does Norton's have a Firewall?
I think this norton came with the computer and it ma y have it but outdated.
Do you have the Laptop and Desktop networked together?
Nope
DESKTOP INFORMATION:
Do you only have the C: partition and D: for Recovery partition?
Yes
Do you have any other External drives hooked to the desktop?
I havent hooked up my external harddrive since the time you told me not to.
Insert the Flash drive to the desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Take a look at the contents of the Flash drive
Look at the file extensions, do you have any other extensions backed up besides music files
Text documents
Any zipped files?
Are there ANY .exe or .scr files?
You should see an autorun.inf Folder
Inside that folder should be a file labelled "This folder was created by Flash Disinfector"
Do you see it?
I actually did all of this just now in this laptop, and also deleted all of my files in it afterwards except for that autorun.inf folder with Flash Disinfector in it. They were just school documents anyway and the update drivers from earlier.
Is your Wireless Router have security enabled and are you using strong passwords?
This I am not sure of. I havent really messed with the router. The wireless is not password protected so anybody can leech off my connection ( I dont know how to set it up)
[/quote]
-
Your Router should of came with documentation to properly set up the Security on it!
Do the following please
From the laptop, redownload your Ethernet drivers from the following link and save it to the USB Flash drive
http://h10025.www1.hp.com/ewfrf/wc/softwar...5454&os=228 (http://\"http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=pv-18350-4&lc=en&dlc=en&cc=us&product=405454&os=228\")
We'll need them later:
Just to be safe, go to
go to this link
http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")
Browse to the file for your Ethernet driver on the Flash drive and ensure it's clean
Remove the flash drive from the laptop afterwards
Back at the desktop
Disconnect the Network cable from the Desktop to the Router, DO Not hook this up till the next set of instructions are done
Your going to have to redo the Destructive Recovery (Make sure your doing the Destructive)
Once done, transfer the file from the flash drive to the desktop computer
Install it as you did before, but ONLY install the Ethernet Controller for now
If you have a Wireless network card in the Desktop, don't enable it for now
Let's get the Firewall enabled for XP
# Click Windows Start.
# Do one of these:
* Category view: select Control Panel, then Network and Internet Connections.
* Classic view: select Settings, then Control Panel.
# Click Network Connections, and then double-click the network icon for your network connection.
# Click the Properties button, and then select Advanced tab.
# Check the box under Internet Connect Firewall. and OK it
Now you can reconnect the Network cable from the Desktop to the Router
If you don't get Internet connection with 30 seconds, reboot the computer
Come back here immediately and post a Hijackthis log
Let's see if it looks clean, then we can try and start to get the machine secure
I did another destructive system recovery just to be safe, but let me answer your questions.
Edit>>Have you reinstalled your Ethernet driver yet?
You can skip the part I mentioned above about destructive recovery for now
-
I've actually done all of those and got the internet working without using the flash drive on the desktop. I let it install anyway even after a warning of a possible error later.
After doing all those, I went online and downloaded a program that I found called SuperAntispyware. At the same time while i was doing all of this, I shut off the laptop to make sure theres no network between the computers. It scanned these viruses that I took with my cellphone cam, the PC then restarted itself even before it finished scanning.
(http://i42.tinypic.com/309lnqh.jpg)
At the same time, the Norton Anti virus scanner was blocking those pop-ups I mentioned earlier.
I think the culprit here is my D: recovery partition because this second time I did it, I made sure that no flash, external drive werent connected, laptop was turned off and once I was on my desktop, Norton firewall started showing those pop-ups about email proxy.
-
Can you try the following
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://\"ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe\")
Run the scanner, let it finish the express scan, then select Custom Scan and only select your Recovery partition (D:)
-
Well I ran CureIt last night and did quick scan, full scan and custom scan. My D: drive was infected by virut.56 and they were all cured. Nothing else was found. I even double checked it with a Superantispyware. The C: drive though had more infections and most files were cured, deleted and moved.
http://uploading.com/del/A83DPPY87JYXPG/DrWebupdate.txt.html (http://\"http://uploading.com/del/A83DPPY87JYXPG/DrWebupdate.txt.html\")
I'm providing you the log from DrwebCureIt as well as this interesting screenshot. I checked why I couldnt get back online last night, and I noticed the network has added these WAN miniport on top of the nVidia.
(http://i43.tinypic.com/25hmt6u.jpg)
I also received this message from my internet provider (roadrunner) when I was using internet on my laptop. probably from last nights activity on my desktop. It was doing a lot weird things. http://uploading.com/files/YGZ3TVO3/roadrunner.txt.html (http://\"http://uploading.com/files/YGZ3TVO3/roadrunner.txt.html\")
Now I'm going to do a clean install for the third time. Third times a charm. I hope my recovery partition isnt infected by any other viruses.
-
The first link to the Dr. Web scan was incorrect, you sent a link to the Upload section to delete file
So it's of no use to me
Hopefully, that cured the files in the D: drive
I suspect, that because you didn't do a Destructive recovery the first time around
You allowed Virut to infect the Recovery partition
If your next clean install doesn't work, you may have to order CD's
Unfortuneately, I don't think HP has your disks on hand, but you may be able to find them around the net
Then you would have to destroy that recovery partition and install from the Recovery Cd's
OR; we could try Dr. Web a different way, and ensure that you get Service pack 3 installed, BEFORE you reconnect to the Internet
But you will have to follow certain steps, and it's still not a guarantee
Try doing the clean install once again, if you can
Ensure your Firewall is ENABLED before connecting to the Internet, I'm not sure if Norton's was totally functional
It's also outdated
If everything goes alright this time, I need to see that fresh Hijackthis log, in addition, I asked for an uninstall list which you did not supply
It would help to see some of these logs, that Cureit log would of been of great help, but I think it's too late now
-
Okay the third clean install was a charm. I did not get network or realtek error just like before. It was a smooth clean install. No errors but just a one time shut off and this was when I first ran drwebcureit.
Here are logs of the three programs.
These are the only potential viruses scanned by drwebcureit that I have all moved.
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch;Incurable.Moved.;
A0000064.vbs;C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP0;Probably SCRIPT.Virus;Incurable.Moved.;
A0001013.exe;C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP0;Tool.ProcessKill;Incurable.Moved.;
I've googled them like killwind.exe, and they seem safe files.
**This one is combofix log. it did not scan anything.
ComboFix 09-03-14.02 - Owner 2009-03-15 12:32:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.324 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.
2009-03-15 11:21 . 2009-03-15 11:21 0 --a------ c:\windows\nsreg.dat
2009-03-15 10:47 . 2009-03-15 12:31 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-15 10:41 . 2009-03-15 10:41 <DIR> d---s---- c:\documents and settings\Owner\UserData
2009-03-15 10:39 . 2009-03-15 10:39 4,172 -rahs---- c:\windows\system32\drivers\HP_DW257A-ABA SR1050N NA510_YC_Pres_QMXM412_E42NAheREG3_4_IExplorer4_SASUSTeK Computer INC._VRev 1.xx_B3.01_T040210_WXH1_L409_M512_J200_7AMD_8Athlon XP 3200+_92.19_110DE006E_N10DE0066_P_Z11C1044C_K_A10DE006A_U10DE0067.MRK
2009-03-15 10:38 . 2004-01-27 06:18 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-03-15 10:38 . 2004-01-28 00:26 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-03-15 10:38 . 2004-01-27 05:57 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Sonic
2009-03-15 10:38 . 2004-01-27 06:55 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-03-15 10:38 . 2004-01-28 00:29 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\interMute
2009-03-15 10:37 . 2009-03-15 10:37 <DIR> d-------- c:\program files\Yahoo!
2009-03-15 10:37 . 2001-12-10 17:42 204,800 --a------ c:\windows\system32\IVIresizeW7.dll
2009-03-15 10:37 . 2001-12-10 17:42 200,704 --a------ c:\windows\system32\IVIresizeA6.dll
2009-03-15 10:37 . 2001-12-10 17:42 192,512 --a------ c:\windows\system32\IVIresizeP6.dll
2009-03-15 10:37 . 2001-12-10 17:42 192,512 --a------ c:\windows\system32\IVIresizeM6.dll
2009-03-15 10:37 . 2001-12-10 17:42 188,416 --a------ c:\windows\system32\IVIresizePX.dll
2009-03-15 10:37 . 2001-12-10 17:42 20,480 --a------ c:\windows\system32\IVIresize.dll
2009-03-15 10:36 . 2009-03-15 10:36 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-15 10:36 . 2009-03-15 10:36 <DIR> d-------- c:\program files\Multimedia Card Reader
2009-03-15 10:36 . 2002-08-29 02:01 134,272 --a------ c:\windows\system32\drivers\portcls.sys
2009-03-15 10:36 . 2002-08-29 01:32 57,856 --a------ c:\windows\system32\drivers\drmk.sys
2009-03-15 10:35 . 2009-03-15 10:35 <DIR> d-------- c:\program files\ATI Technologies
2009-03-15 10:35 . 2004-01-27 06:18 <DIR> d-------- c:\documents and settings\Default User\WINDOWS
2009-03-15 10:35 . 2002-08-29 02:06 51,072 --a------ c:\windows\system32\drivers\i8042prt.sys
2009-03-15 10:35 . 2002-08-29 01:27 23,424 --a------ c:\windows\system32\drivers\kbdclass.sys
2009-03-15 09:30 . 2009-03-15 10:46 248 --a------ c:\windows\system\hpsysdrv.dat
2009-03-15 09:28 . 2009-03-15 09:29 <DIR> d-------- c:\windows\I386
2009-03-15 09:21 . 2009-03-15 11:20 <DIR> dr------- C:\Program Files
2009-03-15 09:21 . 2009-03-15 09:27 <DIR> dr------- c:\documents and settings\All Users\Documents
2009-03-15 09:20 . 2009-03-15 10:39 <DIR> dr-hsc--- c:\windows\system32\dllcache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 18:45 --------- d-----w c:\program files\Easy Internet signup
2009-03-15 18:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 18:37 --------- d-----w c:\program files\InterVideo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-27 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-27 151597]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 70816]
"NAV CfgWiz"="c:\program files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 124096]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 135168]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-17 118784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-01-27 16384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
S2 mrtRate;mrtRate;
--- Other Services/Drivers In Memory ---
*Deregistered* - DwShield00007E84
.
Contents of the 'Scheduled Tasks' folder
2004-01-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-19 00:17]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-RecordNow! - (no file)
HKLM-Run-VTTimer - VTTimer.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: SpSubLSP.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cgd1bkiu.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2009-03-15 12:33:58
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\SpSubLSP.dll
c:\windows\System32\dssenh.dll
.
Completion time: 2009-03-15 12:34:40
ComboFix-quarantined-files.txt 2009-03-15 20:34:38
Pre-Run: 188,652,871,680 bytes free
Post-Run: 188,662,820,864 bytes free
128
**HJT Log****
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:35 PM, on 3/15/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
--
End of file - 5874 bytes
My norton isnt acting up like before and my pc seems stable now. I think I'm probably clean now. I will wait for other instructions but for now I'm going to update my video driver and such.
I don't know how or where to get sp2 or sp3, and proper instructions to scan and disinfect my external harddrive. I'm not going to connect that yet.
I also need, if there are any, free firewall. A firewall similar to windows OneCare that I can monitor which programs can access the internet. This norton that came with the computer only has a month trial. Maybe Ill just get the free version of AVG?
I will wait for your instructions.
-
Just an update.
I've installed drivers, flash, and windows sp2 update. I dont think windows-update alerted me for sp3. So far, there hasnt been any weird activities that i came across with.
edit>> updates.microsoft.com is now letting me update to SP3.
-
Well, it sounds like everything is going alright, once you have all your Windows Updates
Can you come back here and post a fresh Hijackthis log
No sense trying to do anything till then
DO NOT install more than One AntiVirus and one Software Firewall
I'm not sure if you need a hand with any of that.
Keep me updated
-
Here you go. I'd like to know if its safe for me to plug my external harddrive in?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:35 PM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 6908 bytes
-
Can you post that uninstall list from Hijackthis please
Let's see what we can update and remove
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
In addition, we can get you an updated Firewall and AntiVirus>>Were you happy with AVG?
-
Here you go..
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
Catalyst Control Center - Branding
CC_ccStart
ccCommon
Compaq Connections
Compaq Instant Support
Compaq Organize
Counter-Strike: Source
Easy Internet Sign-up
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.7)
MSRedist
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
RealOne Player
RecordNow!
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Steam
SymNet
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player (Remove Only)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft FREE Trial
Yahoo! Companion
Zone Deluxe Games
Zune Desktop Theme
-----
I havent downloaded AVG. The program doesnt seem to be that good compared to the ones you told me to use (drweb, combofix, HJT)
-
Let's try a combination of tools and see how you like them. the first 2 are your new Firewall and AntiVirus
Plus, we must update some of your software to secure them also
First:
Go to START>>RUN>>Copy/Paste the following
[color=\"#FF0000\"]combofix /u[/color]
and press enter
This will uninstall ComboFix and it's components'
Download and save to desktop
Sunbelt-Personal-Firewall (http://\"http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/\")
This Trial version is still Free and functional after 30 days
DO NOT install it yet
Next:
Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935 (http://\"http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlpid=10322935\")
Save the installer to desktop
DO NOT install it yet either
[color=\"blue\"]Updating Java:[/color]- Download the latest version of Java Runtime Environment (JRE) 6 (http://\"http://java.sun.com/javase/downloads/index.jsp\").
- Scroll down to where it says "JRE 6 Update 12".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, beside Platform:>>Check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
Do NOT install this yet either
Next: Download and save to your Desktop the Norton Removal Tool (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007080716270339?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid\")
The download link is near the bottom of that page
I use Windows Vista/XP/2000. DOWNLOAD
Now, before we go any further, Disconnect the Internet cable from the computer to the Router
Run the Norton Removal tool, follow all the prompts
Allow the computer to reboot, if it doesn't reboot
Reboot manually
Remain Disconnected from the Internet
Access your Add and Remove Programs and remove all the following
Viewpoint Media Player (Remove Only)
Adobe Reader 6.0
Java 2 Runtime Environment, SE v1.4.2_03
When the last one is removed
Reboot the computer again
Run the installer for the Sunbelt-Personal-Firewall
Follow the prompts, I would install with Simple mode, but it is up to you
At the prompt to Restart the computer
Don't do so, instead, please just Shut down the computer
When the computer has shut down
Reconnect the Internet cable to the computer
Boot back up
After you have totally finished booting to Windows
Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time
NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it
A scan of your System should then start after updating
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"
I suspect it won't find anything. But run the scan anyways
I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection
Run the installer for the latest version of Sun Java from the desktop you saved ealier
Update Adobe Reader
Go to the following link
http://get.adobe.com/reader/ (http://\"http://get.adobe.com/reader/\")
Download and Install the latest
NOTE: When installing, if you have the option to untick any Toolbars, etc.. they may add to the installer
Choose NOT to install any, they are not needed for the A. Reader to function properly
That really goes with any free software, if a toolbar is not needed or wanted, why install it
Post one last Hijackthis log and let me know how things are still running please
-
Ok I managed to do all of that, but Avira caught some viruses that were all quarantined. Here's the log for Avira
Avira AntiVir Personal
Report file date: Sunday, March 15, 2009 21:03
Scanning for 1298139 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: TONY
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 17:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:58:43
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 04:58:48
ANTIVIR3.VDF : 7.1.2.172 74752 Bytes 3/15/2009 04:58:50
Engineversion : 8.2.0.114
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/16/2009 04:59:14
AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/16/2009 04:59:11
AESCN.DLL : 8.1.1.8 127346 Bytes 3/16/2009 04:59:08
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 22:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/16/2009 04:59:06
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/16/2009 04:59:03
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/16/2009 04:59:01
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/16/2009 04:58:57
AEGEN.DLL : 8.1.1.28 336244 Bytes 3/16/2009 04:58:55
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 19:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/16/2009 04:58:52
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 19:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 21:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Sunday, March 15, 2009 21:03
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SbPFCl.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SbPFSvc.exe' - '1' Module(s) have been scanned
Scan process 'SbPFLnch.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'SpamSub.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'BackWeb-1940576.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe'
Scan process 'Steam.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'mmtask.exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'ltmsg.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'BackWeb-1940576.exe' has been terminated
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '4a20de81.qua'!
40 processes with 39 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '72' files ).
Starting the file scan:
Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\hp\patches\42WW3USB\src\PCIFINDX.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a06df54.qua'!
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '4a2bdfce.qua'!
C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009887.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '49ede1f6.qua'!
C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009888.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49ede1fb.qua'!
C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009889.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '49ede1fe.qua'!
Begin scan in 'D:\' <PRESARIO_RP>
D:\hp\patches\42WW3USB\src\PCIFINDX.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a06e6b8.qua'!
D:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009891.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49ede6a9.qua'!
End of the scan: Sunday, March 15, 2009 21:41
Used time: 37:45 Minute(s)
The scan has been done completely.
6481 Scanning directories
290279 Files were scanned
9 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
8 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
290268 Files not concerned
13275 Archives were scanned
6 Warnings
8 Notes
Afterwards, I scanned my system with Drwebcureit and it didnt pick up anything, so I did an HJT and here's a log for it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:52 PM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ (http://\"http://google.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ (http://\"http://srch-qus10.hpwis.com/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/ (http://\"http://qus10.hpwis.com/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
--
End of file - 7070 bytes
I also downloaded SpywareBlaster, but I'm wondering if its working in the background because its not on startup icon menu by the clock?
Is it also okay to connect my external harddrive right about now?
-
I also downloaded SpywareBlaster, but I'm wondering if its working in the background because its not on startup icon menu by the clock?
As mentioned in the link I supplied to you
No-Nonsense Security
SpywareBlaster can help keep your system secure, without interfering with the "good side" of the web. And unlike other programs, SpywareBlaster does not have to remain running in the background. It works alongside the programs you have to help secure your system.
Since you ran ComboFix on this drive, the External harddrive should not autostart
Plug it in, but don't access it yet
Go through MyComputer and right click on the Drive letter(s) of the external harddrive and scan it with Avira
Let me know if it finds anything
I'm a bit concerned, Avira did find a couple infected files in the D: drive
Not sure if you can totally trust that Recovery partition anymore,
I'm almost thinking you should make an image of the C: drive, the Recovery CD's would be the best
But you don't have those, and I'm unsure if you create them now, if they would be any good anyways
I use Acronis for backup, but I'm looking at a free program for you
Let me test it out later and get back to you, I'm off to work
How much room do you have on your External Hard drive?
-
I have a western digital external hdd. I have 4.59 gigs left in my ext drive.
I double checked my D: Recovery Partition for those infected files and they were not their anymore. But for future problems, I could just contact compaq now and order a copy of the disc or if theres a way to create one in the external hdd, then I'm all for that. I could also try and burn a cd of it if its possible.
I ran Avira and DrWeb and they found virut.56 in there and got rid of it. I manually deleted the ones that couldnt be deleted.
Heres the log for Avira:
Avira AntiVir Personal
Report file date: Monday, March 16, 2009 10:33
Scanning for 1298139 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: Owner
Computer name: TONY
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 17:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:58:43
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 04:58:48
ANTIVIR3.VDF : 7.1.2.172 74752 Bytes 3/15/2009 04:58:50
Engineversion : 8.2.0.114
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/16/2009 04:59:14
AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/16/2009 04:59:11
AESCN.DLL : 8.1.1.8 127346 Bytes 3/16/2009 04:59:08
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 22:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/16/2009 04:59:06
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/16/2009 04:59:03
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/16/2009 04:59:01
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/16/2009 04:58:57
AEGEN.DLL : 8.1.1.28 336244 Bytes 3/16/2009 04:58:55
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 19:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/16/2009 04:58:52
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 19:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 21:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37
Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Owner\LOCALS~1\Temp\c306eab8.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: E:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Monday, March 16, 2009 10:33
Starting the file scan:
Begin scan in 'E:\' <My Book>
E:\wd_windows_tools\Setup.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '4a328ede.qua'!
E:\wd_windows_tools\Google\GoogleInstaller.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '4a2d8eed.qua'!
E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29\A0010024.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '49ee8ec2.qua'!
E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29\A0010025.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '49ee8ec9.qua'!
End of the scan: Monday, March 16, 2009 10:43
Used time: 10:11 Minute(s)
The scan has been done completely.
2825 Scanning directories
93828 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
93817 Files not concerned
869 Archives were scanned
0 Warnings
4 Notes
There is both System Volume Information and wd_windows_tools folder in the external hdd, do I actually need both? I could delete them if theyre not necessary.
This is the DrWeb log
A0010026.exe;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
A0010027.EXE;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
A0010028.EXE;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
A0010029.EXE;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
I think the external hdd is clean now. I'm now scanning my C: drive with avira in case a virus sneaked in. I'll edit this post in a bit if I find anything or not.
edit>> My C: drive is clean.
-
It looks as if Avira killed some more files related
It also appears that your system is clean,
Don't keep scanning with Dr. Web, the version you have, if you want to, delete your copy and redownload a fresh copy to ensure it is right updated
But first:
I'm just testing out a backup program, it's a lot like Acronis, but I haven't had a chance to try a restore with it yet
For now, can you do the following
Have your External Harddrive on,
Turn off, and then back on System Restore
Let's ensure the System Volume information folders are cleared
Here's directions
http://support.microsoft.com/kb/310405 (http://\"http://support.microsoft.com/kb/310405\")
After that
Access your Add and remove programs and remove "Compaq Connections"
Reboot afterwards
Additionally, Your system comes preinstalled with software you may never use
Look thru this uninstall list you suppled
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
Catalyst Control Center - Branding
CC_ccStart
ccCommon
Compaq Connections
Compaq Instant Support
Compaq Organize
Counter-Strike: Source
Easy Internet Sign-up
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.7)
MSRedist
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
RealOne Player
RecordNow!
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Steam
SymNet
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player (Remove Only)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft FREE Trial
Yahoo! Companion
Zone Deluxe Games
Zune Desktop Theme
Don't remove anything yet, we already updated or removed some
But let me know out of that bunch, which you don't think you need, or unsure about
Defragment your Harddrive
Download and save to your desktop the installer for Macrium Reflect FREE Edition
http://www.macrium.com/reflectfree.asp (http://\"http://www.macrium.com/reflectfree.asp\")
Don't install yet, I'm just checking it out, so I'll let you know what i think about it
Let me know when you have the above done
-
I have already uninstalled the following in bold font,
and the following underlined programs I'm curious of if they can be safely taken out.
I had a problem uninstalling compaq connections. There was a Backweb error or some sort, so I'll probably leave it. Its not really taking up a lot of space.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
Catalyst Control Center - Branding
CC_ccStart
ccCommon
Compaq Connections
Compaq Instant Support
Compaq Organize
Counter-Strike: Source
Easy Internet Sign-up
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.7)
MSRedist
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
RealOne Player
RecordNow!
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Steam
SymNet
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player (Remove Only)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft FREE Trial
Yahoo! Companion
Zone Deluxe Games
Zune Desktop Theme
I am now degfragging C: drive
-
After you defrag, why not install Macrium Reflect FREE Edition
After installation
In your External drive, create a new folder, call it something like Backup
It may take a few GB to create this backup, but you can later burn it to disk
Or create a new one to disks, this is so you get used to the software, you can read it's documetation online or in the Help file
Then start Macrium from the shortcut on the desktop
Once it loads, select "Create backup image of entire disk/partion....."
under Backup tasks
In Partition selection select the C: drive
in Backup selection under Local disk, browse to the folder Backup
Click Next >>Finish
Under Backup Save Options>>Ensure the Backup folder on External is still the destination
Then click OK
The backing up should then start
When it's done
Create a Rescue disk
Put a blank CD in your burner>>in Macrium
Click OTHER TASKS>>Create Rescue CD
Try using the LINUX option (default) then click NEXT
This rescue disk will help if the computer becomes unbootable because of Malware, driver problems,etc...
Let me know when that's done, we can test your backup later
Do you have a DVD burner or just a CD burner?
You may of noticed one of the backup options was to DVD/CD
Get to that point then we can deal with the installed programs later
I'm off to bed, so I'll talk to you later
-
How much gigs exactly do I need for this backup? I keep getting an I/O
device error. And I've freed about 30 gigs on the external. This is
the error.
Image ID - 7290B9606552AE61
Imaging Summary
Backup Definition File: C:\Documents and Settings\Owner\My Documents\Reflect\My Backup.xml
Backup Type: Full
Destination: E:\Backup-Dont Del\7290B9606552AE61-00-00.mrimg
Auto Verify: N
Maximum File Size: Automatic
Compression: Medium
Password: N
Intelligent Copy: Y
Total Selected: 54.047 GB
Operation 1 of 1
Hard Disk: 1
Drive Letter: C
File System: NTFS
Label: PRESARIO
Size: 182.090 GB
Free: 128.044 GB
Used: 54.047 GB
Starting Image - Wednesday, March 18, 2009 12:31:07
Initializing
Analysing file system on volume C:
Saving Partition - PRESARIO (C:)
Creating Volume Snapshot
Reading File System Bitmap
Saving Partition
Backup aborted! - Write operation failed - The request could not be performed because of an I/O device error.
Am I suppose to back up the C: drive or the D: partition recovery? You mentioned that it should be C: drive.
I also have an internal dvd/cd-rw burner. I havent used it awhile, hopefully it still works.
-
Am I suppose to back up the C: drive or the D: partition recovery? You mentioned that it should be C: drive.
As I said, the C: drive
How much gigs exactly do I need for this backup? I keep getting an I/O
device error. And I've freed about 30 gigs on the external. This is
the error.
I see the following
Drive Letter: C
File System: NTFS
Label: PRESARIO
Size: 182.090 GB
Free: 128.044 GB
I see you have already used almost 54 GB on your clean Recovery, how can that be?
Did you backup to your C: drive then try to backup back to your External?
Which now doesn't have enough room?
That will never work, On a Clean install it should be around a 3gb, after compression
But not if you add more to your C: drive?/
-
I transferred my documents back to my C drive from my external, so my external has 27 gigs free.
I've also installed couple of games and programs on the C drive.
It was creating a backup earlier, but there was about 15% left done when it gave me the error.
Was I suppose to backup before doing anything else?
-
Was I suppose to backup before doing anything else?
Yes you were, what do you think the point behind Imaging your Operating System was about?
I asked you earlier to slow down
Did you read the documentation included with the software?
It seems like you have everything under control, I'll lock this topic now, as it doesn't appear you need my help anymore, take care tonez