TheTechGuide Forum
General Category => Tech Clinic => Topic started by: indfin on May 17, 2009, 10:41:19 AM
-
Hello again:
Strange happenings on my desktop -- not the laptop you helped me fix last week (that is working fine, thank you).
So I get home last night and I hear music playing on my computer. I go to the Task Manager and there are no applications running. In Processes, iexplore.exe is hogging up a lot of memory, slowing down the computer considerably, like when opening Firefox, etc. The music keeps going on and off, playing I think radio stations.
I went to Firewall and disabled all exceptions and restarted my computer. Then I downloaded HijackThis, but when I tried to run it, nothing happened. I deleted it, restarted the computer, downloaded HJT and tried to run it a few more times, but nothing happened. Finally, I copied HJT to a disc, copied it to my computer and it ran.
Now I have two instances of iexplore.exe running, which are not using too much memory (about 80,000 K combined) and the computer seems to be running at normal speed. The music is also stopped.
But I am sure I have a virus, spyware or the like. Can you please check? Thanks. (I have been watching cricket online from some free sites.)
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:41 AM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbrasweb/winxp/,DanaInfo=rctoolbox2.us.db.com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 7064 bytes
-
Before all this happened, I got the following message a few times when I started Firefox yesterday:
"The procedure entry point ??_V@YAXPAX@Z could not be located in the dynamic link library msvcrt.dll"
I x-ed it and Firefox worked fine. It doesn't happen anymore.
HJT Log is showing Internet Explorer and McAfee entries. I have not opened IE since starting the computer this morning and I do not have McAfee installed on my computer.
AND....the music started again. I guess the computer has to be on for a while before things kick in.
I have very little free space left on my C: drive (200 MB). So if I have to download any large files in the process of cleaning this mess up, I may have problems.
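As an added illustration of how a helper reads a log like the one above (my own example, not HijackThis code and not anything posted by this thread's helper), the script below picks out the entry types that get attention first: registrations whose backing file is gone, O23 services with no publisher string, the O17 DNS server, and O16 ActiveX controls downloaded from hosts outside a small allow-list. The allow-list, the sample lines and the wording of the findings are my constructions; the sample lines copy the shape of the log above. A flag means "look at this", not "this is malicious": stale entries are routine clean-up, and the DNS server only needs confirming against the ISP or router.

```python
import re
from urllib.parse import urlsplit

# HijackThis entries start with a section tag such as R0, O2, O16, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")

# Assumed allow-list: hosts the reviewer has already vetted as legitimate
# ActiveX download locations. Every other host in an O16 line is flagged.
DEFAULT_ALLOWED_HOSTS = frozenset({"java.sun.com", "download.macromedia.com",
                                   "fpdownload.macromedia.com"})

# Constructed sample in the shape of the HJT log above (a subset of its lines).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)",
    r"O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)",
    r"O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab",
    r"O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146",
    r"O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
])


def triage(log_text, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return (section, reason, line) tuples for entries a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the process list, "End of file" and blank lines
        sec, body = m["sec"], m["body"]
        if "(file missing)" in body:
            # Stale registration: the file is gone. HJT can remove the entry;
            # on its own this is not evidence of an infection.
            findings.append((sec, "stale entry, backing file missing", line))
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service without a publisher string; verify the binary", line))
        if sec == "O17":
            nm = NAMESERVER_RE.search(body)
            if nm:
                findings.append((sec, "DNS server %s configured; confirm it belongs to the ISP or router" % nm["ips"], line))
        if sec == "O16":
            um = URL_RE.search(body)
            host = urlsplit(um.group(0)).hostname if um else None
            if host and host not in allowed_hosts:
                findings.append((sec, "ActiveX control fetched from %s (not on allow-list)" % host, line))
    return findings


def by_section(findings):
    """Count findings per HJT section for a quick summary."""
    counts = {}
    for sec, _reason, _line in findings:
        counts[sec] = counts.get(sec, 0) + 1
    return counts


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (sec, reason, line))
```

Run it as-is to see the seven findings the sample produces, or call `triage(open("hijackthis.log").read(), allowed_hosts=...)` with your own vetted hosts. The O23 ArcSoft line is reported twice on purpose (missing file and no publisher), because each reason is handled by a different fix.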
-
Download OTListIt2 (http://oldtimer.geekstogo.com/OTListIt2.exe) by OldTimer to your Desktop.
- Close all windows and double-click OTListIt2.exe to run it.
- Click Run Scan and let the program run uninterrupted.
- It will produce two logs for you: one will pop up (OTListIt2.txt), the other will be saved on your Desktop (Extras.txt). Post both logs in this thread.
-
I ran the two programs, pasted them here but when I hit "Add Reply", it says Method Not Supported.
So I am attaching the two files instead. Thanks.
OTListIt logfile created on: 5/17/2009 12:35:38 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\hj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy
479.48 Mb Total Physical Memory | 202.25 Mb Available Physical Memory | 42.18% Memory free
1.37 Gb Paging File | 1.07 Gb Available in Paging File | 77.86% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1540 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.000 | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 0.26 Gb Free Space | 1.40% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 57.27 Gb Total Space | 2.45 Gb Free Space | 4.28% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SOURCE401
Current User Name: hj
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On
========== Processes (SafeList) ==========
PRC - [2009/04/22 19:30:22 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/05/11 09:59:46 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/09 16:51:00 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/11 10:00:04 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/05/11 10:00:18 | 00,486,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/11 09:59:52 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/05/11 10:00:18 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2001/12/18 00:46:22 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\wbem\unsecapp.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Explorer.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2009/05/17 12:34:12 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hj\Desktop\OTListIt2.exe
========== Win32 Services (SafeList) ==========
SRV - File not found -- -- (ACDaemon [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/11 10:00:04 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/05/11 09:59:46 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/10/06 09:19:36 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/09 16:51:00 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/04/22 19:30:22 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2006/11/10 19:18:02 | 00,774,144 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/07/29 19:34:38 | 00,117,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.dll -- (usnsvc [On_Demand | Stopped])
SRV - [2009/03/09 13:50:42 | 01,680,928 | ---- | M] (NanJing Nagasoft Co, LTD.) -- C:\WINDOWS.000\system32\nagasoft\vjocx.dll -- (vvdsvc [Auto | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
========== Driver Services (SafeList) ==========
DRV - [2002/03/25 08:13:54 | 00,303,948 | ---- | M] (Avance Logic, Inc.) -- C:\WINDOWS.000\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [1999/09/10 07:06:00 | 00,025,244 | ---- | M] (Adaptec) -- C:\WINDOWS.000\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
DRV - [2009/05/11 10:00:18 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/11 10:00:18 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/11 10:00:12 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2005/05/12 14:21:08 | 01,332,544 | ---- | M] (C-Media Inc) -- C:\WINDOWS.000\system32\drivers\cmuda.sys -- (cmuda [On_Demand | Stopped])
DRV - [2008/09/29 20:50:48 | 00,028,672 | ---- | M] () -- C:\WINDOWS.000\system32\Drivers\CO_Mon.sys -- (CO_Mon [On_Demand | Stopped])
DRV - [2007/02/15 20:57:06 | 00,034,760 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS.000\System32\Drivers\ElbyCDFL.sys -- (ElbyCDFL [On_Demand | Running])
DRV - [2009/02/17 13:11:32 | 00,024,232 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS.000\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Running])
DRV - [2008/04/13 14:45:30 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2009/04/22 19:30:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS.000\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
DRV - [2001/12/18 04:45:46 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS.000\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/29 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS.000\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/07/16 14:19:52 | 00,070,400 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS.000\system32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/04 01:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS.000\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2004/03/02 14:02:30 | 00,167,040 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS.000\system32\DRIVERS\s3gnbm.sys -- (S3Psddr [On_Demand | Running])
DRV - [2004/03/02 14:02:30 | 00,167,040 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS.000\System32\DRIVERS\s3gnbm.sys -- (S3SavageNB [On_Demand | Stopped])
DRV - [2007/11/13 05:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS.000\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/09/10 01:30:00 | 00,042,880 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS.000\system32\drivers\viaudio.sys -- (VIAudio [On_Demand | Stopped])
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://home.microsoft.com/access/allinone.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
========== FireFox ==========
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/09 16:51:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS.000\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/05/11 18:10:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/27 18:16:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/27 18:16:12 | 00,000,000 | ---D | M]
[2009/04/27 18:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hj\Application Data\mozilla\Extensions
[2009/04/27 18:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hj\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/27 18:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hj\Application Data\mozilla\Firefox\Profiles\41u7rlsp.default\extensions
[2009/04/27 18:16:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/27 18:16:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/09 16:51:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/24 00:38:32 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 00:38:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/23 20:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 20:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 20:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 20:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 20:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/23 20:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 20:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml
O1 HOSTS File: (23 bytes) - C:\WINDOWS.000\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Yapta BHO) - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll (Yapta, Inc.)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCustomizeWebView = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (Yapta, Inc.)
O9 - Extra 'Tools' menuitem : Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - File not found
O9 - Extra Button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe (Yapta, Inc.)
O9 - Extra 'Tools' menuitem : Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe (Yapta, Inc.)
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} https://us.dbrasweb.db.com/llclient/dbrasweb/winxp/,DanaInfo=rctoolbox2.us.db.com+AXXPEE.dll (Confidence Online for Web Applications)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab (NsvPlayX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} http://www.live365.com/players/play365.cab (Live365Player Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} http://www.ooxtv.com/vjocx-en.cab (VodClient Control Class)
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab (IWinAmpActiveX Class)
O16 - DPF: DirectAnimation Java Classes (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}\\NameServer = 68.87.64.146
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS.000\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS.000\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/23 00:39:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS.000\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2005/05/30 20:43:38 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS.000\System32\lsdelete.exe ()
========== Files/Folders - Created Within 30 Days ==========
[4 C:\WINDOWS.000\System32\*.tmp files]
[5 C:\WINDOWS.000\*.tmp files]
[2009/05/17 12:34:12 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hj\Desktop\OTListIt2.exe
[2009/05/17 11:22:22 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\hj\Desktop\HiJackThis.exe
[2009/05/14 18:29:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2009/05/12 13:30:03 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\System32\nagasoft
[2009/05/12 10:44:21 | 01,089,593 | ---- | C] () -- C:\WINDOWS.000\System32\dllcache\ntprint.cat
[2009/05/11 22:42:15 | 00,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/05/11 22:42:15 | 00,000,024 | -HS- | C] () -- C:\WINDOWS.000\9DB1EAAE82C91755
[2009/05/11 22:37:26 | 00,000,000 | ---D | C] -- C:\Program Files\SlySoft
[2009/05/11 20:41:24 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\ie8updates
[2009/05/11 20:41:04 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\iecompat.dll
[2009/05/11 20:37:02 | 00,000,000 | -H-D | C] -- C:\WINDOWS.000\ie8
[2009/05/11 18:08:27 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\System32\XPSViewer
[2009/05/11 18:08:16 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/05/11 18:07:48 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/05/11 18:06:14 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\printfilterpipelinesvc.exe
[2009/05/11 18:06:14 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\prntvpt.dll
[2009/05/11 18:06:14 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\filterpipelineprintproc.dll
[2009/05/11 18:06:13 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\xpsshhdr.dll
[2009/05/11 18:06:13 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\xpsshhdr.dll
[2009/05/11 18:06:11 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\xpssvcs.dll
[2009/05/11 18:06:11 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\xpssvcs.dll
[2009/05/11 18:05:14 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\SxsCaPendDel
[2009/05/03 15:43:03 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/04/27 18:16:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\hj\Application Data\Mozilla
[2009/04/27 18:16:10 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2008/09/30 18:08:31 | 00,000,151 | ---- | C] () -- C:\WINDOWS.000\PhotoSnapViewer.INI
[2008/09/30 10:49:20 | 00,000,116 | ---- | C] () -- C:\WINDOWS.000\NeroDigital.ini
[2008/09/12 22:49:29 | 00,028,672 | ---- | C] () -- C:\WINDOWS.000\System32\drivers\CO_Mon.sys
[2008/07/23 12:50:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS.000\System32\qt-dx331.dll
[2008/07/23 12:47:34 | 00,000,416 | ---- | C] () -- C:\WINDOWS.000\System32\dtu100.dll.manifest
[2008/07/23 12:47:34 | 00,000,416 | ---- | C] () -- C:\WINDOWS.000\System32\dpl100.dll.manifest
[2008/07/23 12:46:38 | 00,012,288 | ---- | C] () -- C:\WINDOWS.000\System32\DivXWMPExtType.dll
[2007/04/28 13:46:54 | 00,579,602 | ---- | C] () -- C:\WINDOWS.000\System32\x264vfw.dll
[2007/02/21 10:27:26 | 00,000,929 | ---- | C] () -- C:\WINDOWS.000\WDD_COMPARE_FILES_CFX2.INI
[2007/02/21 10:27:26 | 00,000,863 | ---- | C] () -- C:\WINDOWS.000\WDD_COMPARE_FILES_CFX1.INI
[2007/02/21 10:27:26 | 00,000,144 | ---- | C] () -- C:\WINDOWS.000\FifX_v2.INI
[2007/02/21 10:27:25 | 00,000,817 | ---- | C] () -- C:\WINDOWS.000\WDD_COMPARE_DIR_CFX1.INI
[2007/02/21 10:23:58 | 00,002,143 | ---- | C] () -- C:\WINDOWS.000\WDD_SearchHistory.INI
[2007/01/11 16:13:32 | 00,000,981 | ---- | C] () -- C:\WINDOWS.000\MD_MacroDiffs.INI
[2007/01/11 16:13:32 | 00,000,893 | ---- | C] () -- C:\WINDOWS.000\MD_MicroDiffs.INI
[2007/01/11 16:03:29 | 00,000,036 | ---- | C] () -- C:\WINDOWS.000\SW_Win2000X16.DLL
[2007/01/11 16:00:45 | 00,000,078 | ---- | C] () -- C:\WINDOWS.000\SW_Win2000X9.DLL
[2007/01/03 14:13:49 | 00,000,022 | ---- | C] () -- C:\WINDOWS.000\kodakpcd.hj.ini
[2006/06/23 22:14:50 | 00,000,029 | ---- | C] () -- C:\WINDOWS.000\atid.ini
[2006/06/23 22:14:47 | 00,000,363 | ---- | C] () -- C:\WINDOWS.000\wininit.ini
[2006/05/22 07:47:24 | 00,008,704 | ---- | C] () -- C:\WINDOWS.000\System32\ff_vfw.dll
[2006/05/21 17:56:42 | 00,000,547 | ---- | C] () -- C:\WINDOWS.000\System32\ff_vfw.dll.manifest
[2005/09/25 23:05:57 | 00,000,492 | ---- | C] () -- C:\WINDOWS.000\demo.INI
[2005/05/30 20:51:59 | 00,012,327 | ---- | C] () -- C:\WINDOWS.000\IOS.INI
[2005/05/30 20:51:59 | 00,008,487 | ---- | C] () -- C:\WINDOWS.000\cdplayer.ini
[2005/05/30 20:51:59 | 00,001,105 | ---- | C] () -- C:\WINDOWS.000\_delis43.ini
[2005/05/30 20:51:59 | 00,000,787 | ---- | C] () -- C:\WINDOWS.000\SCANREG.INI
[2005/05/30 20:51:59 | 00,000,120 | ---- | C] () -- C:\WINDOWS.000\protocol.ini
[2005/05/30 20:51:59 | 00,000,045 | ---- | C] () -- C:\WINDOWS.000\DKDGNOL.ini
[2005/05/30 20:51:59 | 00,000,043 | ---- | C] () -- C:\WINDOWS.000\webica.ini
[2005/05/30 20:51:59 | 00,000,032 | ---- | C] () -- C:\WINDOWS.000\concentr.ini
[2005/05/30 20:51:59 | 00,000,028 | ---- | C] () -- C:\WINDOWS.000\QTW.INI
[2005/05/30 20:51:59 | 00,000,026 | ---- | C] () -- C:\WINDOWS.000\MSOFFICE.INI
[2005/05/30 20:51:59 | 00,000,025 | ---- | C] () -- C:\WINDOWS.000\SOL.INI
[2005/05/30 20:51:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS.000\progman.ini
[2005/05/30 20:51:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS.000\MSINFO32.INI
[2005/05/30 20:51:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS.000\CSSETUP.INI
[2005/05/30 20:51:58 | 00,007,885 | ---- | C] () -- C:\WINDOWS.000\NETDET.INI
[2005/05/30 20:51:58 | 00,005,068 | ---- | C] () -- C:\WINDOWS.000\DELETEFI.INI
[2005/05/30 20:51:58 | 00,003,598 | ---- | C] () -- C:\WINDOWS.000\HTMLHELP.INI
[2005/05/30 20:51:58 | 00,001,053 | ---- | C] () -- C:\WINDOWS.000\ODBC.INI
[2005/05/30 20:51:58 | 00,000,225 | ---- | C] () -- C:\WINDOWS.000\TELEPHON.INI
[2005/05/30 20:51:58 | 00,000,181 | ---- | C] () -- C:\WINDOWS.000\winmine.ini
[2005/05/30 20:51:58 | 00,000,060 | ---- | C] () -- C:\WINDOWS.000\POWERPNT.INI
[2005/05/30 20:51:58 | 00,000,054 | ---- | C] () -- C:\WINDOWS.000\WAVEMIX.INI
[2004/07/01 04:28:27 | 00,000,010 | ---- | C] () -- C:\WINDOWS.000\smdat32m.sys
[2004/04/20 11:16:14 | 00,109,056 | ---- | C] () -- C:\WINDOWS.000\System32\plx_upldr.dll
[2003/02/18 18:26:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS.000\System32\cmirmdrv.dll
[2001/12/18 04:46:34 | 00,001,683 | ---- | C] () -- C:\WINDOWS.000\win.ini
[2001/12/18 04:46:14 | 00,000,583 | ---- | C] () -- C:\WINDOWS.000\system.ini
[1999/01/22 18:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS.000\System32\MSRTEDIT.DLL
[1980/01/01 00:00:00 | 00,188,416 | ---- | C] () -- C:\WINDOWS.000\System32\MEMBG.DLL
[1980/01/01 00:00:00 | 00,057,344 | ---- | C] () -- C:\WINDOWS.000\System32\ICMFILTER.DLL
========== Files - Modified Within 30 Days ==========
[4 C:\WINDOWS.000\System32\*.tmp files]
[5 C:\WINDOWS.000\*.tmp files]
[1 C:\Documents and Settings\hj\My Documents\*.tmp files]
[2009/05/18 11:13:54 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\hj\Desktop\HiJackThis.exe
[2009/05/17 12:34:12 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hj\Desktop\OTListIt2.exe
[2009/05/17 11:20:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS.000\System32\wpa.dbl
[2009/05/17 11:19:36 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\hj\Local Settings\desktop.ini
[2009/05/17 11:13:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS.000\tasks\SA.DAT
[2009/05/17 11:13:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS.000\bootstat.dat
[2009/05/17 02:38:10 | 00,000,472 | ---- | M] () -- C:\WINDOWS.000\tasks\Ad-Aware Update (Weekly).job
[2009/05/15 08:28:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS.000\tasks\AppleSoftwareUpdate.job
[2009/05/13 08:45:30 | 00,001,683 | ---- | M] () -- C:\WINDOWS.000\win.ini
[2009/05/13 08:45:30 | 00,000,583 | ---- | M] () -- C:\WINDOWS.000\system.ini
[2009/05/13 08:45:30 | 00,000,225 | RHS- | M] () -- C:\boot.ini
[2009/05/12 23:39:46 | 00,000,041 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/05/12 10:39:52 | 00,000,037 | ---- | M] () -- C:\WINDOWS.000\vbaddin.ini
[2009/05/12 10:37:58 | 00,001,053 | ---- | M] () -- C:\WINDOWS.000\ODBC.INI
[2009/05/11 22:42:16 | 00,000,024 | -HS- | M] () -- C:\WINDOWS.000\9DB1EAAE82C91755
[2009/05/11 22:20:00 | 00,000,073 | -HS- | M] () -- C:\Documents and Settings\hj\My Documents\desktop.ini
[2009/05/11 22:18:22 | 00,155,568 | ---- | M] () -- C:\WINDOWS.000\System32\FNTCACHE.DAT
[2009/05/11 20:42:04 | 00,001,374 | ---- | M] () -- C:\WINDOWS.000\imsins.BAK
[2009/05/11 18:19:32 | 00,492,928 | ---- | M] () -- C:\WINDOWS.000\System32\PerfStringBackup.INI
[2009/05/11 18:19:32 | 00,435,168 | ---- | M] () -- C:\WINDOWS.000\System32\perfh009.dat
[2009/05/11 18:19:32 | 00,069,032 | ---- | M] () -- C:\WINDOWS.000\System32\perfc009.dat
[2009/05/11 10:00:18 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\drivers\avgldx86.sys
[2009/05/11 10:00:18 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\drivers\avgmfx86.sys
[2009/05/11 10:00:18 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\avgrsstx.dll
[2009/05/11 10:00:12 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\drivers\avgtdix.sys
[2009/05/10 04:00:06 | 00,000,408 | ---- | M] () -- C:\WINDOWS.000\tasks\McAfee.com Scan for Viruses - My Computer tsid_04302005192849.job
[2009/05/10 04:00:06 | 00,000,408 | ---- | M] () -- C:\WINDOWS.000\tasks\McAfee.com Scan for Viruses - My Computer tsid_01092005211916.job
[2009/05/07 03:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\MRT.exe
[2009/05/06 23:00:02 | 00,000,502 | ---- | M] () -- C:\WINDOWS.000\tasks\Tune-up Application Start.job
[2009/05/05 10:27:56 | 00,000,438 | ---- | M] () -- C:\WINDOWS.000\tasks\EasyShare Registration Task.job
[2009/04/30 18:30:24 | 00,000,151 | ---- | M] () -- C:\WINDOWS.000\PhotoSnapViewer.INI
[2009/04/25 01:30:40 | 00,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\iecompat.dll
[2009/04/22 19:31:22 | 00,015,688 | ---- | M] () -- C:\WINDOWS.000\System32\lsdelete.exe
[2009/04/22 19:30:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS.000\System32\drivers\Lbd.sys
< End of report >
OTListIt Extras logfile created on: 5/17/2009 12:35:38 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\hj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy
479.48 Mb Total Physical Memory | 202.25 Mb Available Physical Memory | 42.18% Memory free
1.37 Gb Paging File | 1.07 Gb Available in Paging File | 77.86% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1540 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.000 | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 0.26 Gb Free Space | 1.40% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 57.27 Gb Total Space | 2.45 Gb Free Space | 4.28% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SOURCE401
Current User Name: hj
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Disabled:backWeb-7288971
[2008/11/22 11:18:58 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe:*:Disabled:µTorrent
[2009/05/11 10:00:04 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Disabled:avgemc.exe
[2009/05/11 09:58:20 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Disabled:avgupd.exe
[2008/12/16 15:16:10 | 00,637,232 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent
[2009/01/18 15:44:04 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe:*:Disabled:DNA
[2008/10/30 14:16:42 | 00,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Disabled:EasyShare
[2009/04/24 00:38:12 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox
[2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000
[2009/03/27 17:01:02 | 24,103,720 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Disabled:Skype
[2009/03/23 06:22:06 | 04,054,312 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Disabled:TeamViewer Remote Control Application
[2006/11/17 00:22:30 | 00,495,616 | ---- | M] (TVU Networks) -- C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Disabled:TVU Player Component
File not found -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server
File not found -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{03885E0D-22E9-4B14-ACA3-5F43EDDEAB7C}" = TripStalker
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{235BBFC6-D863-4066-A01A-3BD504C31033}" = Nero 7 Ultra Edition
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(tm) 6 Update 13
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{54DD126C-E5F5-404C-B4B7-66DF7FD4F2FF}" = MSSoap
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6A136B9A-1895-436F-83F8-30D9C68BB6EA}" = Rhapsody Player Engine
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = RTLSetup 2.50.503
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3A1A5F0-0B94-4E69-B3E1-92F25E31BEE9}" = H264 Codecs
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Avance AC'97 Audio
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FCE50DB8-C610-4C42-BE5C-193F46C6F812}" = Windows Live Messenger
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Abacast Client" = Abacast Client
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"CloneCD" = CloneCD
"C-Media Audio Driver" = C-Media WDM Audio Driver
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"ffdshow" = ffdshow
"FLAC" = FLAC 1.2.0a (remove only)
"Flickr Uploadr" = Flickr Uploadr 2.5.0.15
"foobar2000" = foobar2000 v0.9.6.2
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"P4M266" = ProSavageDDR and Utilities
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"STANDARD" = Microsoft Office Standard 2007
"TeamViewer 4" = TeamViewer 4
"TVUPlayer" = TVUPlayer 2.3.0.0
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"x264 Revision 534 x264.nl" = x264 Revision 534 x264.nl (remove only)
"Yapta" = Yapta
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"Confidence Online EE" = Confidence Online(tm) for Web Applications
"uTorrent" = µTorrent
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 4/21/2009 4:06:45 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 9.1.0.163, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
Error - 4/25/2009 6:44:07 AM | Computer Name = SOURCE401 | Source = Application Error | ID = 1000
Description = Faulting application avgcsrvx.exe, version 8.0.0.223, faulting module
avgcorex.dll, version 8.0.0.237, fault address 0x001c09ac.
Error - 5/11/2009 6:36:56 PM | Computer Name = SOURCE401 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
. Error code = 0x80070070
Error - 5/11/2009 6:37:30 PM | Computer Name = SOURCE401 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
. Error code = 0x80070070
Error - 5/11/2009 6:37:35 PM | Computer Name = SOURCE401 | Source = MsiInstaller | ID = 11307
Description = Product: Microsoft Office Standard 2007 -- Error 1307.There is not
enough disk space to install this file: C:\Program Files\Common Files\Microsoft
Shared\Web Server Extensions\12\BIN\FPSRVUTL.DLL. Free some disk space and click
'Retry', or click 'Cancel' to exit.
Error - 5/11/2009 6:37:43 PM | Computer Name = SOURCE401 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Standard 2007 - Update 'Microsoft Office
2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer
can create logs to help troubleshoot issues with installing software packages.
Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
Error - 5/14/2009 1:38:08 PM | Computer Name = SOURCE401 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 SR-1 Professional -- Error 1706. No
valid source could be found for product Microsoft Office 2000 SR-1 Professional.
The Windows installer cannot continue.
Error - 5/14/2009 1:41:25 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 5/14/2009 1:41:56 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
Error - 5/17/2009 12:01:13 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 3/15/2009 1:33:02 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SOURCE400 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{9FA2A991-9158-4DA4. The master browser is stopping or an election is
being forced.
Error - 3/15/2009 2:45:05 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SOURCE400 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{9FA2A991-9158-4DA4. The master browser is stopping or an election is
being forced.
Error - 3/31/2009 8:28:27 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SOURCE400 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{9FA2A991-9158-4DA4. The master browser is stopping or an election is
being forced.
Error - 4/9/2009 1:51:25 PM | Computer Name = SOURCE401 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
Addresses.
Error - 5/2/2009 12:22:19 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SOURCE400 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{9FA2A991-9158-4DA4. The master browser is stopping or an election is
being forced.
Error - 5/2/2009 1:30:25 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
SOURCE400 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{9FA2A991-9158-4DA4. The master browser is stopping or an election is
being forced.
Error - 5/11/2009 6:38:10 PM | Computer Name = SOURCE401 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: The 2007 Microsoft® Office Suite Service Pack 2 (SP2).
Error - 5/11/2009 11:51:42 PM | Computer Name = SOURCE401 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070070: The 2007 Microsoft® Office Suite Service Pack 2 (SP2).
Error - 5/17/2009 2:32:59 AM | Computer Name = SOURCE401 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.
Error - 5/17/2009 12:17:05 PM | Computer Name = SOURCE401 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.
< End of report >
-
The error you get when posting back is a problem with this line in the log
[2009/05/13 08:45:30 | 00,000,225 | RHS- | M] () -- C:\boot. ini
I simply put a single space after boot and before .ini
I've edited your response to include the logs and removed the attachments
Give me a bit to look over those logs, we're just about to start a late breakfast
So I'll return soon
-
Ok. You are the one doing me a favor. So, take your time. Thanks.
-
In the meantime, can you do the following please
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune and save it to your Desktop.
Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu
Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Save the installer to desktop
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
-
I ran ATF. Worked fine, except for Firefox it said "no files removed".
I tried every which way, but I cannot run mbam-setup.exe
When I restarted my computer, an IE window opened up (NOT the browser) saying "Are you sure you want to navigate away from this page" or something to that effect. Also, I can hear clicking sounds, as when IE opens new pages (again, IE is not open).
-
Can you right click on mbam-setup.exe and rename it to indfin.exe
Try installing again, let me know if it works
-
No, still can't.
-
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://subs.geekstogo.com/ComboFix.exe)
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)
* It is important you rename Combofix during the download, but not after.
* Please do not rename Combofix to other names, but only to the one indicated.
SAVE IT ONLY TO YOUR DESKTOP
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with some tools
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
* Click on Tools.
* Select Advanced.
* In the left hand pane, scroll down to "Resident Shield".
* In the main pane, deselect the option to "Enable Resident Shield."
We will reenable this protection later
- Double click on Combo-Fix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
-
Tried mbam again with name change. worked this time. am running it now.
-
Nope. Froze at Finishing Installation. Will run ComboFix now.
-
Ok, here is the ComboFix saga.
It installed the Recovery Console. It restarted, but with a 30 second timer, not the 2 seconds I saw when I ran this on the laptop.
Then Microsoft did its Disk Error Checking, found a bunch of stuff. ComboFix started when the computer did, but after a couple of minutes, the computer shut off and restarted again, but this time ComboFix did not start.
The ComboFix folder has numerous files, but the .txt file has essentially nothing. Here it is:
ComboFix 09-05-17.01 - hj 05/17/2009 15:42:09.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.166 [GMT -4:00]
Running from: C:\Documents and Settings\hj\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
_____________________________
Should I redo the ComboFix cycle again? More importantly, is it time for me to panic?
-
Let's try Malwarebytes one more time
Can you ensure that Windows is set to Show file extensions
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Uncheck the Hide protected operating system files (recommended) option.
* Click OK.
Again, let's try running the installer for Malwarebytes
But this time, right click on indfin.exe and rename the installer to indfin.bat
If it does install alright, but the scanner won't start
Ensure all instances of Malwarebytes are closed
Navigate to the following folder
C:\Program Files\Malwarebytes' Anti-Malware
In that folder, right click on MBAM.exe and rename it to indfin.bat
Run indfin.bat from within the folder, see if you can get it to run
If you still can't get Malwarebytes to run, can you do the following for me
Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers; do you see something like TDSSserv.sys?
-
I tried running Malwarebytes before I saw your last post. It ran, asked me to restart the computer and below is the .txt file from the Logs tab:
Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3
5/17/2009 4:12:22 PM
mbam-log-2009-05-17 (16-12-22).txt
Scan type: Quick Scan
Objects scanned: 90215
Time elapsed: 6 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS.000\SYSTEM32\UACcjsalxrcdvxfmyr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UAColfbbrodenxdqpu.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UAClaliqtydsbitbxa.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UACtenkboukhitftnw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UACqlxbhepjyyvgved.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\DRIVERS\UACkltublrnoeesxmd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\hj\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS.000\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\FONTS\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\FONTS\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
_________________________________________
I will not do anything from your last post until you reply to this post.
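A defender-side triage parser for the MBAM 1.x log format shown above, added here as an example; it is not a tool from this thread or from Malwarebytes. The sample log is constructed from items in the post (with one "Delete on reboot." action assumed, to show the follow-up path), and the high-priority rules (rootkit-class family, kernel driver, replaced hosts file) are my own heuristics.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage the detections.

Added example, not a tool from the thread. The layout (section headers ending
in "Infected:", one "<item> (<family>) -> <action>" line per detection) is
taken from the MBAM log posted above.
"""
import re
from collections import Counter

# Constructed sample in the MBAM 1.x layout, using items visible in the thread
# plus one constructed "Delete on reboot." action to exercise the follow-up path.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2145
Scan type: Quick Scan

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.000\SYSTEM32\UACcjsalxrcdvxfmyr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\DRIVERS\UACkltublrnoeesxmd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\hj\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS.000\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\smdat32m.sys (Rootkit.Agent) -> Delete on reboot.
"""

# A section header is "<Name> Infected:" with nothing after the colon; the
# summary lines near the top ("Files Infected: 12") therefore do not match.
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def count_by_class(findings):
    """Count detections by the family prefix (Rootkit, Trojan, Adware, ...)."""
    return Counter(f["family"].split(".", 1)[0] for f in findings)


def needs_followup(findings):
    """Items MBAM did not fully remove in-session (reboot or retry needed)."""
    return [f["item"] for f in findings if f["action"] != CLEAN_ACTION]


def high_priority(findings):
    """Heuristic (my own, not MBAM's): findings that justify a dedicated rootkit
    scanner pass rather than trusting the cleanup alone."""
    flagged = []
    for f in findings:
        item = f["item"].lower()
        if (f["family"].startswith("Rootkit")
                or item.endswith(".sys")
                or item.rsplit("\\", 1)[-1] == "hosts"):
            flagged.append(f["item"])
    return flagged


def triage_report(text):
    """Bundle the parsed log into a small summary dict."""
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "by_class": dict(count_by_class(findings)),
        "high_priority": high_priority(findings),
        "needs_followup": needs_followup(findings),
    }


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```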
-
Forgot to mention earlier, but when ComboFix wanted to restart, it asked me to copy certain file names on a piece of paper, saying we might need them later. (It also said something like rootkit files.) What reminded me is that the files in the Malwarebytes log are the ones that ComboFix asked me to copy.
-
It is/was a certain rootkit disabling the tools from running
Can you do the following
delete your copy of Combo-Fix.exe on desktop
Then, Download ComboFix from one of these locations:
Don't rename it, just download it normally
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://subs.geekstogo.com/ComboFix.exe)
Save it ONLY to your Desktop
--------------------------------------------------------------------
Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
-
Tried running ComboFix a couple of times; doesn't work.
The computer shuts down about 30 seconds after ComboFix starts. When the computer restarts, it goes through the disk check. The errors showing up during disk check are:
\combofix\N-\...(some numbers) "first allocation data is not valid the entry is truncated."
Also wanted to make sure that you saw the Malwarebytes log three posts earlier.
-
Yes, I did see the MBAM report
Let's skip ComboFix for now
Can you do the following
Please download gmer.zip (http://www.gmer.net/gmer.zip) and save it to your desktop.
* Right click the file you just downloaded and choose Extract all
* Click Next
* Click Browse
* Click the + next to My Computer
* Click Local Disk (C:)
* Click Make new folder
* Enter GMER
* Click OK, then Next
* Check Show extracted files and click Finish
* Double click on GMER.exe to run it.
* Select the Rootkit tab.
* Select all drives that are connected to your system to be scanned.
* Click on the Scan button.
* When the scan is finished, click Copy to save the scan log to the Windows clipboard.
* Open Notepad or a similar text editor.
* Paste the clipboard contents into the text editor.
* Save the GMER scan log to post later in this thread
* Close GMER.
Go to Kaspersky website (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.kaspersky.com%2Fkos%2Feng%2Fpartner%2Fdefault%2Fkavwebscan.html) and perform an online antivirus scan.
1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
Please include all the following in your next reply
1. The report from Kaspersky's
2. The log from GMER
-
Just to alert you, this looks like it's going to be a long while. Kaspersky has completed only 2% after scanning for over 40 minutes. I'll post the results in the morning.
-
Here they are:
GMER:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-17 18:04:57
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF755887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7558BFE]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.000\Explorer.EXE[1356] @ C:\WINDOWS.000\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS.000\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.15 ----
________________________________________________________________
Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 17, 2009 23:42:56
Records in database: 2189078
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 63153
Threat name: 5
Infected objects: 86
Suspicious objects: 0
Duration of the scan: 03:34:23
File name / Threat name / Threats count
C:\FOUND.001\FILE0005.CHK Infected: EICAR-Test-File 1
C:\FOUND.001\FILE0039.CHK Infected: EICAR-Test-File 1
C:\FOUND.002\FILE0006.CHK Infected: EICAR-Test-File 1
C:\Documents and Settings\hj\Local Settings\Temp\install.exe Infected: Trojan.Win32.Inject.zzx 1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CHWT.dbx Infected: Virus.MSWord.VMPC-based 1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Intellibridge.dbx Infected: Virus.MSWord.VMPC-based 1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Larson.dbx Infected: Virus.MSWord.VMPC-based 1
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Sent Items.dbx Infected: Virus.MSWord.VMPC-based 32
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Intellibridge (1).dbx Infected: Virus.MSWord.VMPC-based 4
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Larson (1).dbx Infected: Virus.MSWord.VMPC-based 3
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Internal (1).dbx Infected: Virus.MSWord.VMPC-based 2
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\Baltek (1).dbx Infected: Virus.MSWord.VMPC-based 5
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CHWT (1).dbx Infected: Virus.MSWord.VMPC-based 5
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express\CiviGenics (1).dbx Infected: Virus.MSWord.VMPC-based 2
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\CHWT.dbx Infected: Virus.MSWord.VMPC-based 5
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Internal.dbx Infected: Virus.MSWord.VMPC-based 2
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Larson.dbx Infected: Virus.MSWord.VMPC-based 3
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Intellibridge.dbx Infected: Virus.MSWord.VMPC-based 4
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\Baltek.dbx Infected: Virus.MSWord.VMPC-based 5
C:\Documents and Settings\hj\Application Data\Identities\{CD2BBA66-CE79-11D9-A593-0020ED65A18C}\Microsoft\Outlook Express\CiviGenics.dbx Infected: Virus.MSWord.VMPC-based 2
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012421.dll Infected: Trojan.Win32.TDSS.acbv 1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012423.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012424.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012425.dll Infected: Packed.Win32.Tdss.f 1
The selected area was scanned.
_______________________________________________________________
Thanks.
-
Double click on OTListit2.exe to run it
Copy the contents of the paths below in Blue to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:OTLI
PRC - C:\WINDOWS.000\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\Iexplore.exe (Microsoft Corporation)
:files
C:\Documents and Settings\hj\Local Settings\Temp\install.exe
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012423.dll
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012424.dll
C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012425.dll
:commands
[emptytemp]
[start explorer]
[Reboot]
- Return to OTListIt2, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
- Close all Browser windows, including this one
- Then Click the red Run Fix button.
- Let the program run unhindered, reboot when it is done
- Then post the OTL2 log that opens
In addition, post a fresh Hijackthis log and let me know how things are now running
NOTE:
This is a usual folder in your Outlook Express identity
Sent Items
Did you create the next ones in your OE account?
CHWT
Intellibridge
Larson
Internal (1)
Baltek (1)
CiviGenics (1)
Internal
Baltek
CiviGenics
As you can see by the Kaspersky scan, you have an infected file in each of the above
Possibly a Word attachment?
If so, I would delete it.
-
OTL2 Log:
========== OTLISTIT ==========
Process Explorer.EXE killed successfully!
No active process named Iexplore.exe was found!
========== FILES ==========
File\Folder C:\Documents and Settings\hj\Local Settings\Temp\install.exe not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012422.dll not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012423.dll not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012424.dll not found.
File\Folder C:\System Volume Information\_restore{6372F6CE-B431-4163-BDDC-F96250F4CD5B}\RP222\A0012425.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS.000\temp\Perflib_Perfdata_4fc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05182009_113808
Files moved on Reboot...
File C:\WINDOWS.000\temp\Perflib_Perfdata_4fc.dat not found!
Registry entries deleted on Reboot...
___________________________________________________________
Let Chkdsk run on reboot.
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:11 AM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbrasweb/winxp/,DanaInfo=rctoolbox2.us.db.com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: 7E5C2CF5213DBFD292AA44CF30FDF9D9 - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 7286 bytes
____________________________________________________________
I have many folders created over the years in OE and, yes, I created all the ones listed below - though only once, I don't know why they appear twice. Any one of these folders may have 25 to 2,000 messages, many with attachments. I would delete the infected files, but how would I find them? I guess the other option is to just copy all the folders on to a disc and delete them all from my hard drive.
The computer is running fine...the music has stopped, in a good way.
Is there a way to reduce the 30 seconds to 3 seconds at start up (Recovery Console)?
Thanks a ton.
The computer seems to be back to its original shape. Thank you once again.
-
Can we just run one more scan with Malwarebytes
But do the following first, you should have a shortcut on desktop to Malwarebytes
Leave it there, but the installer you renamed to indfin.bat - can you delete this from the desktop
Then if you renamed mbam.exe in the ProgramFiles folder
Navigate to C:\Program Files\Malwarebytes' Anti-Malware
Rename indfin.bat back to mbam.exe
Then from the shortcut on desktop, run MBAM
Check for updates, run another quick scan, remove anything found, if anything, and post its new log back here please
Is there a way to reduce the 30 seconds to 3 seconds at start up (Recovery Console)?
Oh, yes, we'll fix that in a bit
-
The installer on my desktop was indfin.exe, which I deleted. There are no .bat files, either in the Program Files or the desktop.
Ran MBAM after updating. Nothing found. I guess that's good.
MBAM Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2147
Windows 5.1.2600 Service Pack 3
5/18/2009 1:33:20 PM
mbam-log-2009-05-18 (13-33-20).txt
Scan type: Quick Scan
Objects scanned: 88086
Time elapsed: 5 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Ok, looks good, just one last scan, and we'll do some cleanup
Can you ensure that you Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Ensure that AVG is up to date
Navigate to the following folder
C:\Documents and Settings\hj\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express
Right click on the Outlook Express folder and do a Scan with AVG on it
Does it pick up anything?
Also, go to the following directory, it's a bit different, take note of the 'Local Settings' folder
C:\Documents and Settings\hj\Local Settings\Application Data\Identities\{76F62320-D2A8-11D7-A591-E3340838DE4E}\Microsoft\Outlook Express
Right click on Outlook Express and Scan it with AVG, anything?
-
AVG did not find anything in the Application Data location. The folder does not exist in the Local Settings location.
-
I want to try a bit of cleanup on this machine of the tools we used
First: Right click on MyComputer icon and select Properties>>ADVANCED tab>>SETTINGS under 'Startup and Recovery'
Beside "Time to display list of Operating systems:"
Change the time from 30 to 2
OK out of there
Go to START>>RUN>>
copy and paste the following
combofix /u
and press enter
This will uninstall ComboFix and its components
Let me know if that step successfully finished
Go to START>>RUN>>copy and paste the following
C:\WINDOWS.000\gmer_uninstall.cmd
and press enter
This will uninstall GMER
You can remove Kaspersky Online Scanner from Add and Remove Programs
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
OTListIt2.exe- Double-click OTListIt2.exe to run it.
- Click the Cleanup! button
- Select Yes to reboot Now
Post back with a fresh Hijackthis log after reboot
Let me know if you get the following error message on startup
Windows cannot find file 'C:\ComboFix\Hidec.exe'
-
Changed the time to 2 seconds.
Uninstalled ComboFix.
When trying to uninstall GMER, got message "Cannot find the File". When I searched for it, it is only on Desktop and Recent. Also, when I ran GMER initially, I could not follow your instructions completely because "New Folder" or something did not show up. I just extracted the files to a folder GMER on my desktop and ran it.
Cannot find Kaspersky in the Add/Remove Programs. As an aside, should I remove MBAM from there?
Removed Spyware entry through HJT.
Ran OTListIt2 and, yes, did get the error message on startup.
-
The uninstalling of ComboFix and running OTListIt's Cleanup afterwards would have taken care of most/all of GMER
So don't worry about that step
Cannot find Kaspersky in the Add/Remove Programs.
Sorry, Kaspersky doesn't add that entry any more, you can simply run ATF-Cleaner.exe again and have it clear your Temp folders, that should take care of it
As an aside, should I remove MBAM from there
Yes, remove it from Add and Remove Programs, or if you prefer, hold onto it and update and run a quick scan occasionally
Ran OTListIt2 and, yes, did get the error message on startup.
Can I see that fresh Hijackthis log please that I asked for in my last response
-
Sorry, missed that, but here it is.
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:35 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbrasweb/winxp/,DanaInfo=rctoolbox2.us.db.com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: 7E5C2CF5213DBFD292AA44CF30FDF9D9 - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 7103 bytes
___________________________________________________
-
Can you try the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as service.bat
Save this file on the desktop
sc stop 7E5C2CF5213DBFD292AA44CF30FDF9D9
sc delete 7E5C2CF5213DBFD292AA44CF30FDF9D9
Double click on service.bat
A dos like window may open and close quickly
Let it finish then Reboot the computer
Back in Windows, post one last Hijackthis log and let me know if the error on startup is now gone
-
The error on startup is gone, the computer works faster than before the problem and I have 2.8 GB of free space versus 200 MB when this started. Thank you.
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:59 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\WINDOWS.000\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbrasweb/winxp/,DanaInfo=rctoolbox2.us.db.com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 6961 bytes
-
Looking at your log and uninstall list from OTListIt2
I see the following
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
Related to your Printing/Scanning software
I don't see the following in your uninstall list, which makes me think you have uninstalled the software and it is left behind
Arc Soft Print Creations
If you feel that you did have it installed, and have since removed it, please do the following
Copy the contents of the CODE box, not including the word "code"
Right click on service.bat we made earlier and select EDIT
Replace the contents of that file with the one in the code box
Left click to set and save the file
sc stop ACDaemon
sc delete ACDaemon
Double click on service.bat
A dos like window may open and close quickly
Let it finish then Reboot the computer
Back in Windows, although you are running out of room, and should consider backing up files to DVD or an external hard drive
It's important to keep your computer secure
I strongly recommend that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it will:
* Block bad ActiveX controls
* Block malevolent cookies in Internet Explorer and Firefox
* Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection
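The reply above reads the HijackThis log by eye and picks out the two O23 entries worth removing: a service whose binary is "(file missing)" and has no registered owner, and earlier the hash-named ComboFix leftover. The script below is an added example, not part of this thread and not HijackThis code: it parses O2 (BHO) and O23 (Service) lines in the format shown in the logs above and flags the same three signals, a missing target file, an "Unknown owner" service, and a 32-hex-character service name, then derives the sc stop / sc delete pair the helper used. The sample lines are copied from the logs posted in this thread; the Entry and Finding classes and all function names are my own.

```python
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O23 - Service: 7E5C2CF5213DBFD292AA44CF30FDF9D9 - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

# "O23 - Service: <name> - <owner> - <target>"; the first " - " after the
# section tag separates the tag from the "<kind>: <rest>" payload.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class Entry:
    section: str   # "O2", "O23", ...
    kind: str      # "BHO", "Service", ...
    name: str      # display name, e.g. "ArcSoft Connect Daemon (ACDaemon)"
    middle: str    # CLSID for O2, owner for O23
    target: str    # DLL/EXE path or command line, may end in "(file missing)"
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)

    @property
    def short_name(self):
        """Service short name: the part in trailing parentheses, else the name itself."""
        m = re.search(r"\(([^()]+)\)$", self.entry.name)
        return m.group(1) if m else self.entry.name


def parse_hjt(text):
    """Parse the three-field entries (O2, O23) out of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        # Only split twice: the path itself may contain " - " (Spybot - Search & Destroy).
        parts = m.group("rest").split(" - ", 2)
        if len(parts) != 3:
            continue
        name, middle, target = (p.strip() for p in parts)
        entries.append(Entry(m.group("section"), m.group("kind"), name, middle, target, line))
    return entries


def triage(entries):
    """Flag the signals the forum helper looked for in the O2/O23 sections."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e.target:
            reasons.append("target file missing: orphaned entry")
        if e.section == "O23":
            if e.middle == "Unknown owner":
                reasons.append("service has no registered owner")
            if HEX32.match(e.name):
                reasons.append("hash-like 32-hex service name")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def cleanup_commands(finding):
    """The sc commands used in the thread to remove a leftover service (O23 only)."""
    if finding.entry.section != "O23":
        return []
    n = finding.short_name
    return [f"sc stop {n}", f"sc delete {n}"]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f.entry.section, f.entry.name)
        for r in f.reasons:
            print("   -", r)
        for c in cleanup_commands(f):
            print("   $", c)
```

On the sample above the script flags the Spybot BHO stub, the ComboFix hash-named service and ACDaemon, and leaves the AVG and Nero services alone; the printed sc pair is the same one the thread put into service.bat.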
-
Ran service.bat and downloaded SpywareBlaster. I guess it's all done then? Many thanks.
Couple of questions (these are just out of curiosity, so you don't have to answer them):
A). I routinely delete unnecessary files to create more space on the disk. I missed about 2.6 GB of them!! Which programs can I regularly run to delete junk from the computer?
B). Can I go back to watching cricket (www.ooxtv.com and www.lifeiscolourful.com) or were these the cause of all problems?
If I hear back on these, good; otherwise, thank you very much once again!
-
Can I go back to watching cricket (www.ooxtv.com and www.lifeiscolourful.com) or were these the cause of all problems?
I'm not sure, lifeiscolourful seems to be ok
I'm not positive about ooxtv>>It mentions you need to run IE and install its ActiveX, I can't find the control to check it out?
Is this when the problems started?
-
Well, these are the two I actually watched on. There are couple of others I tried, don't remember which ones, but couldn't watch. So could be any one of them too. But yes, that's when it all started.
With the semi-finals approaching, it's very hard to stay away.
-
I think it's when I clicked on crictime.com is when the troubles started.
-
Let me try with my testbox and check out a couple of those sites
Give me a few minutes
-
I couldn't get the ActiveX to install or find the manual installer at the page
for ooxtv.com
According to McAfee site advisor
Both www.ooxtv.com and www.lifeiscolourful.com are ok
They have yet to test crictime.com, I'll check it later to see the results
But as far as I can tell for now, the sites are safe
-
Thanks again.
-
You're welcome, I'll keep checking that last site to see the results from Site Advisor
But for now, it looks alright
I'll lock this topic as your problems appear resolved
Take care indfin
:)