Author Topic: What on earth is going on?  (Read 4675 times)
mrtubs
Sr. Member
« on: April 30, 2009, 01:19:56 AM »

My PC has become slow and unresponsive. When I reboot half the desktop icons are missing and about half the ones that are there are blanked out. There is no Start button so it's impossible to do anything. I have to keep rebooting and rebooting until it comes right. Sometimes this takes about 30 times and it's driving me mad.

Could this be caused by a virus? I run AVG Free and Ad-Aware but they are not showing anything. I've also just run Windows Live OneCare.

I use XP Home.

Any suggestions?

Ian

 
Pancake
Global Moderator
« Reply #1 on: April 30, 2009, 01:52:16 AM »

Hi. Welcome to the forum.


Run these programs.


Please download Malwarebytes' Anti-Malware from one of these places:

 http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

 http://www.besttechie.net/tools/mbam-setup.exe



Double Click mbam-setup.exe to install the application.
If it will not run, make a copy of MBAM.exe and rename the copy to xxx.exe and run that. Keep the genuine MBAM.exe as we may need to run that later as is.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

PLEASE NOTE:
If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


Once Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem.


=====================================================================================




OK. We need to download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please download from one of these webpages.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

If it will not run, rename ComboFix to xxx.exe and run that.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


==================================

Please download HijackThis to your desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.


An Australian Member of

EDDY
mrtubs
Sr. Member
« Reply #2 on: May 02, 2009, 10:28:57 AM »

Hi Pancake

Thanks for your help, I am sorry I am slow getting back to you, I

 
mrtubs
Sr. Member
« Reply #3 on: May 02, 2009, 11:51:30 AM »

I have noticed since running these that my Roxio Media Creator 10 no longer opens. Everything else seems to be working. Don't know if that's relevant.
Ian

 
Pancake
Global Moderator
« Reply #4 on: May 02, 2009, 10:49:17 PM »

I need that Combofix log please.

An Australian Member of

EDDY
mrtubs
Sr. Member
« Reply #5 on: May 02, 2009, 11:42:23 PM »

I cannot find it, the only text file in the Combofix folder simply says:

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

Every time I reboot now I get a small black window appearing with a blue border and the word "Combofix" at the top.

Have I done something wrong? Would it be worth running Combofix again?

Ian

 
Pancake
Global Moderator
« Reply #6 on: May 03, 2009, 06:21:30 AM »

Yes run it again.

An Australian Member of

EDDY
mrtubs
Sr. Member
« Reply #7 on: May 07, 2009, 10:26:05 PM »

Sorry this has taken so long, I have not been able to get on the site.
Because the Combofix file is over 20000 characters I will have to split it.
Thanks for your ongoing help:

ComboFix 09-05-03.1 - Ian 04/05/2009  1:29.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1983.1055 [GMT 1:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Ian\Application Data\inst.exe

.
(((((((((((((((((((((((((   Files Created from 2009-04-04 to 2009-05-04  )))))))))))))))))))))))))))))))
.

2009-04-30 10:47 . 2009-04-30 10:47   --------   d-----w   c:\documents and settings\Ian\Application Data\Malwarebytes
2009-04-30 10:47 . 2009-04-06 14:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-04-30 10:47 . 2009-04-06 14:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 10:47 . 2009-04-30 10:47   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 10:47 . 2009-04-30 10:47   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-29 11:46 . 2009-04-29 11:48   --------   d-----w   c:\program files\Windows Live Safety Center
2009-04-28 09:41 . 2009-04-28 09:41   --------   d-----w   c:\program files\TomTom International B.V
2009-04-23 23:24 . 2009-04-23 23:24   --------   d-sh--w   c:\windows\system32\config\systemprofile\IETldCache
2009-04-21 23:43 . 2009-04-21 23:43   --------   d-----w   c:\program files\iPod
2009-04-21 23:43 . 2009-04-21 23:43   --------   d-----w   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 23:43 . 2009-04-21 23:43   --------   d-----w   c:\program files\iTunes
2009-04-16 02:00 . 2009-04-16 02:00   --------   d-sh--w   c:\documents and settings\Default User\IETldCache
2009-04-15 21:39 . 2009-03-06 14:22   284160   -c----w   c:\windows\system32\dllcache\pdh.dll
2009-04-15 21:39 . 2009-02-09 12:10   401408   -c----w   c:\windows\system32\dllcache\rpcss.dll
2009-04-15 21:39 . 2009-02-06 11:11   110592   -c----w   c:\windows\system32\dllcache\services.exe
2009-04-15 21:39 . 2009-02-09 12:10   473600   -c----w   c:\windows\system32\dllcache\fastprox.dll
2009-04-15 21:39 . 2009-02-06 10:10   227840   -c----w   c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 21:39 . 2009-02-09 12:10   453120   -c----w   c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 21:39 . 2009-02-09 12:10   729088   -c----w   c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 21:39 . 2009-02-09 12:10   617472   -c----w   c:\windows\system32\dllcache\advapi32.dll
2009-04-15 21:39 . 2009-02-09 12:10   714752   -c----w   c:\windows\system32\dllcache\ntdll.dll
2009-04-15 21:37 . 2008-05-03 11:55   2560   ------w   c:\windows\system32\xpsp4res.dll
2009-04-15 21:37 . 2008-04-21 12:08   215552   -c----w   c:\windows\system32\dllcache\wordpad.exe
2009-04-13 23:25 . 2009-04-13 23:25   --------   d-sh--w   c:\documents and settings\Ian\IECompatCache
2009-04-12 00:29 . 2009-04-12 00:29   --------   d-sh--w   c:\documents and settings\NetworkService\IETldCache
2009-04-11 15:32 . 2009-04-11 15:32   --------   d-sh--w   c:\documents and settings\Ian\PrivacIE
2009-04-11 13:52 . 2009-04-11 13:52   --------   d-sh--w   c:\documents and settings\LocalService\IETldCache
2009-04-11 13:48 . 2009-04-11 13:48   --------   d-sh--w   c:\documents and settings\Ian\IETldCache
2009-04-11 13:38 . 2009-04-11 13:38   --------   d-----w   c:\windows\ie8updates
2009-04-11 13:37 . 2009-04-11 13:38   --------   dc-h--w   c:\windows\ie8
2009-04-11 13:35 . 2009-02-28 04:55   105984   -c----w   c:\windows\system32\dllcache\iecompat.dll
2009-04-11 10:46 . 2009-04-11 10:46   --------   d-----w   c:\documents and settings\Ian\Local Settings\Application Data\Gruss_Software
2009-04-11 10:40 . 2009-04-11 11:21   --------   d-----w   c:\temp\Betting Assistant Logs
2009-04-11 10:40 . 2009-04-11 10:40   --------   d-----w   c:\documents and settings\Ian\Application Data\Betting Assistant
2009-04-11 10:40 . 2009-04-11 11:21   165   ----a-w   c:\temp\debug_betting_assistant.bat
2009-04-11 10:21 . 2009-04-21 23:31   --------   d-----w   c:\program files\Betting Assistant

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 00:33 . 2006-07-23 16:43   6   ---ha-w   c:\windows\Tasks\SA.DAT
2009-05-04 00:29 . 2009-01-25 01:30   472   ----a-w   c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-05-03 21:20 . 2006-07-28 09:24   28   ----a-w   c:\windows\popcinfo.dat
2009-05-03 19:36 . 2009-04-13 22:50   418   ---ha-w   c:\windows\Tasks\User_Feed_Synchronization-{E85D352D-3E6A-4C9E-AE82-0F83959A6A73}.job
2009-05-03 01:09 . 2008-01-18 13:43   330   ---ha-w   c:\windows\Tasks\MP Scheduled Scan.job
2009-04-30 12:15 . 2008-09-06 15:34   284   ----a-w   c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-29 10:07 . 2008-02-08 00:48   --------   d-----w   c:\program files\Kontiki
2009-04-28 09:41 . 2007-11-29 01:27   --------   d-----w   c:\program files\TomTom HOME 2
2009-04-23 23:24 . 2009-01-25 21:49   15688   ----a-w   c:\windows\system32\lsdelete.exe
2009-04-23 23:24 . 2009-01-25 01:30   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
2009-04-23 23:23 . 2008-09-26 12:11   --------   d-----w   c:\program files\SpywareBlaster
2009-04-21 23:43 . 2008-10-13 12:23   --------   d-----w   c:\program files\Common Files\Apple
2009-04-19 23:26 . 2006-07-25 23:35   --------   d-----w   c:\program files\Microsoft Picture It! PhotoPub
2009-04-14 21:26 . 2007-09-27 22:44   --------   d-----w   c:\program files\MozyHome
2009-04-11 07:41 . 2008-09-18 13:32   10520   ----a-w   c:\windows\system32\avgrsstx.dll
2009-04-11 07:41 . 2008-09-18 13:32   325640   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2009-04-01 23:33 . 2009-04-01 23:33   --------   d-----w   c:\program files\Adobe Media Player
2009-04-01 23:33 . 2009-04-01 23:33   --------   d-----w   c:\program files\Common Files\Adobe AIR
2009-03-31 13:17 . 2009-03-31 13:17   --------   d-----w   c:\program files\Common Files\xing shared
2009-03-31 13:17 . 2008-02-29 14:47   --------   d-----w   c:\program files\Common Files\Real
2009-03-19 15:32 . 2005-02-02 00:21   23400   ----a-w   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 13:48 . 2006-07-26 17:21   --------   d-----w   c:\program files\Common Files\Adobe
2009-03-12 23:14 . 2009-03-12 23:14   --------   d-----w   c:\program files\QuickTime
2009-03-12 23:10 . 2009-03-12 23:09   --------   d-----w   c:\program files\Safari
2009-03-08 03:34 . 2004-08-04 12:00   914944   ----a-w   c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-04 12:00   43008   ----a-w   c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2004-08-04 12:00   18944   ----a-w   c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-04 12:00   420352   ----a-w   c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2004-08-04 12:00   72704   ----a-w   c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-04 12:00   71680   ----a-w   c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2004-08-04 12:00   34816   ----a-w   c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2004-08-04 12:00   48128   ----a-w   c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2004-08-04 12:00   45568   ----a-w   c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2004-08-04 12:00   156160   ----a-w   c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00   284160   ----a-w   c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-12 23:13   1900544   ----a-w   c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 . 2008-10-13 12:23   36864   ----a-w   c:\windows\system32\drivers\usbaapl.sys
2009-02-09 12:10 . 2004-08-04 12:00   729088   ----a-w   c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00   714752   ----a-w   c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00   617472   ----a-w   c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00   401408   ----a-w   c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00   1846784   ----a-w   c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59   2066048   ----a-w   c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00   110592   ----a-w   c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00   2189056   ----a-w   c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00   35328   ----a-w   c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00   56832   ----a-w   c:\windows\system32\secur32.dll
2008-10-01 23:12 . 2008-10-01 23:12   2   --shatr   c:\windows\winstart.bat
2007-09-12 16:27 . 2007-03-21 11:39   34531872   --sha-w   c:\windows\system32\drivers\fidbox.dat
2007-09-12 16:27 . 2007-03-21 11:39   1191968   --sha-w   c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-04-06 09:33   2823168   ----a-w   c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-04-06 09:33   2823168   ----a-w   c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-14 160592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-11 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-23 516440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Ian\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2007-3-6 845584]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-6 688128]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-4-6 2829312]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

 
mrtubs
Sr. Member
« Reply #8 on: May 07, 2009, 10:26:56 PM »

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-11 07:41   10520   ----a-w   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Roxio\\Sound Editor 10\\SoundEdit10.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Partizan;Partizan;
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
R2 SessionLauncher;SessionLauncher;
R3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\Drivers\csrbc01.sys [2005-06-28 24859]
R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-09-18 23096]
R3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-09-18 3768]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
R3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [2005-06-30 17792]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-23 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-11 325640]
S1 mozyFilter;mozyFilter;c:\windows\system32\DRIVERS\mozy.sys [2008-10-06 53752]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-11 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-23 953168]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-08 92008]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [2004-09-28 57640]
S3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\DRIVERS\btkrnbdg.sys [2003-03-18 15876]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:24]

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-05-03 c:\windows\Tasks\User_Feed_Synchronization-{E85D352D-3E6A-4C9E-AE82-0F83959A6A73}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&rlz=1G1GGLQ_ENGB275
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 01:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1908)
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\MozyHome\mozyshell.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Crypserv.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\MozyHome\mozybackup.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Microsoft Office\Office12\OUTLOOK.EXE
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\searchprotocolhost.exe
.
**************************************************************************
.
Completion time: 2009-05-04  1:41 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-04 00:40
ComboFix2.txt  2007-05-09 12:28

Pre-Run: 195,206,242,304 bytes free
Post-Run: 195,207,589,888 bytes free

297   --- E O F ---   2009-05-01 23:04

 
Pancake
Global Moderator
« Reply #9 on: May 07, 2009, 11:13:49 PM »


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote



File::
c:\windows\popcinfo.dat
c:\windows\Tasks\User_Feed_Synchronization-{E85D352D-3E6A-4C9E-AE82-0F83959A6A73}.job
c:\windows\Tasks\SA.DAT
c:\windows\winstart.bat



 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe.


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*



An Australian Member of

EDDY
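The file list in the CFScript above is the result of reading the posted ComboFix log by hand. As an added example (not part of this thread and not ComboFix's own code), the following Python parses the fixed-column "Files Created" / "Find3M Report" lines and the Run-key entries from a log in that layout and surfaces what a reviewer looks at first: non-directory files carrying hidden or system attributes under c:\windows, and autostart values that point outside the Windows and Program Files trees. The meaning of each attribute column is inferred from the log itself, and the "updater" autorun line in the sample is constructed so the second check has something to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from the ComboFix log posted in this thread, plus
# ONE constructed autorun line ("updater" ... inst.exe) so the autorun check
# has a hit. The path of that constructed line is taken from the log's
# "Other Deletions" section; its date/size are made up.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 00:33 . 2006-07-23 16:43   6   ---ha-w   c:\windows\Tasks\SA.DAT
2009-05-03 21:20 . 2006-07-28 09:24   28   ----a-w   c:\windows\popcinfo.dat
2009-04-29 10:07 . 2008-02-08 00:48   --------   d-----w   c:\program files\Kontiki
2009-03-08 03:34 . 2004-08-04 12:00   914944   ----a-w   c:\windows\system32\wininet.dll
2008-10-01 23:12 . 2008-10-01 23:12   2   --shatr   c:\windows\winstart.bat
2007-09-12 16:27 . 2007-03-21 11:39   34531872   --sha-w   c:\windows\system32\drivers\fidbox.dat
2009-04-11 13:37 . 2009-04-11 13:38   --------   dc-h--w   c:\windows\ie8
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"updater"="c:\documents and settings\Ian\Application Data\inst.exe" [2009-04-01 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"""

# File line: <changed> . <created>   <size or -------->   <7-char attrs>   <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(\S+)\s+([-a-z]{7})\s+(.+)$", re.IGNORECASE)
# Section header of a Run key, e.g. [HKEY_CURRENT_USER\...\CurrentVersion\Run]
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
# Run value: "name"="value" [optional: - resolved path] [YYYY-MM-DD size]
RUN_VAL_RE = re.compile(
    r'^"([^"]+)"="([^"]*)"(?: - (.+?))? \[(\d{4}-\d\d-\d\d \d+)\]$')


@dataclass
class FileEntry:
    changed: str
    created: str
    size: Optional[int]   # None for directories (size column is "--------")
    attrs: str            # assumed layout: d c s h a t r/w (inferred from the log)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"


@dataclass
class AutorunEntry:
    key: str
    name: str
    path: str   # resolved path when ComboFix printed one, else the raw value
    date: str
    size: int


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[AutorunEntry]]:
    """Extract file records and Run-key autostart values from a ComboFix log."""
    files: List[FileEntry] = []
    autoruns: List[AutorunEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            changed, created, size, attrs, path = m.groups()
            size_val = None if size.startswith("-") else int(size)
            files.append(FileEntry(changed, created, size_val, attrs.lower(), path))
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if line.startswith("["):          # any other registry section ends the Run key
            current_key = None
            continue
        m = RUN_VAL_RE.match(line)
        if m and current_key:
            name, value, resolved, stamp = m.groups()
            date, size = stamp.split()
            autoruns.append(AutorunEntry(current_key, name, resolved or value, date, int(size)))
    return files, autoruns


TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")


def triage(files: List[FileEntry], autoruns: List[AutorunEntry]) -> List[Tuple[str, str, str]]:
    """Return (reason, path, detail) tuples for entries worth a closer look."""
    findings = []
    for f in files:
        # Hidden/system-flagged files (not directories) under c:\windows are the
        # kind of entry the CFScript above singles out; legitimate ones exist too.
        if not f.is_dir and (f.hidden or f.system) and f.path.lower().startswith(r"c:\windows"):
            findings.append(("hidden/system file", f.path, f.attrs))
    for a in autoruns:
        # Autostart values resolving outside the Windows / Program Files trees
        # (e.g. into a user profile) are a common persistence location.
        if not a.path.lower().startswith(TRUSTED_ROOTS):
            findings.append(("autorun outside program dirs", a.path, a.key))
    return findings


if __name__ == "__main__":
    for reason, path, detail in triage(*parse_combofix(SAMPLE_LOG)):
        print(f"{reason:30} {path}  ({detail})")
```

A hit is a starting point for review, not a verdict: the attribute heuristic also catches legitimate hidden system files, so each flagged path should be checked against a known-good inventory before it goes into a removal script.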
mrtubs
Sr. Member
« Reply #10 on: May 07, 2009, 11:32:14 PM »

Combofix log is (again split)

ComboFix 09-05-07.06 - Ian 08/05/2009  0:23.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1983.1038 [GMT 1:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\windows\popcinfo.dat
c:\windows\Tasks\SA.DAT
c:\windows\Tasks\User_Feed_Synchronization-{E85D352D-3E6A-4C9E-AE82-0F83959A6A73}.job
c:\windows\winstart.bat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfo.dat
c:\windows\Tasks\SA.DAT
c:\windows\Tasks\User_Feed_Synchronization-{E85D352D-3E6A-4C9E-AE82-0F83959A6A73}.job
c:\windows\winstart.bat

.
(((((((((((((((((((((((((   Files Created from 2009-04-07 to 2009-05-07  )))))))))))))))))))))))))))))))
.

2009-05-07 22:03 . 2009-05-07 22:03   --------   d-----w   c:\documents and settings\Ian\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-05-07 22:03 . 2009-05-07 22:03   --------   d-----w   c:\program files\BBC iPlayer Desktop
2009-04-30 10:47 . 2009-04-30 10:47   --------   d-----w   c:\documents and settings\Ian\Application Data\Malwarebytes
2009-04-30 10:47 . 2009-04-06 14:32   15504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-04-30 10:47 . 2009-04-06 14:32   38496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 10:47 . 2009-04-30 10:47   --------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 10:47 . 2009-04-30 10:47   --------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-29 11:46 . 2009-04-29 11:48   --------   d-----w   c:\program files\Windows Live Safety Center
2009-04-28 09:41 . 2009-04-28 09:41   --------   d-----w   c:\program files\TomTom International B.V
2009-04-23 23:24 . 2009-04-23 23:24   --------   d-sh--w   c:\windows\system32\config\systemprofile\IETldCache
2009-04-21 23:43 . 2009-04-21 23:43   --------   d-----w   c:\program files\iPod
2009-04-21 23:43 . 2009-04-21 23:43   --------   d-----w   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 23:43 . 2009-04-21 23:43   --------   d-----w   c:\program files\iTunes
2009-04-16 02:00 . 2009-04-16 02:00   --------   d-sh--w   c:\documents and settings\Default User\IETldCache
2009-04-15 21:39 . 2009-03-06 14:22   284160   -c----w   c:\windows\system32\dllcache\pdh.dll
2009-04-15 21:39 . 2009-02-09 12:10   401408   -c----w   c:\windows\system32\dllcache\rpcss.dll
2009-04-15 21:39 . 2009-02-06 11:11   110592   -c----w   c:\windows\system32\dllcache\services.exe
2009-04-15 21:39 . 2009-02-09 12:10   473600   -c----w   c:\windows\system32\dllcache\fastprox.dll
2009-04-15 21:39 . 2009-02-06 10:10   227840   -c----w   c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 21:39 . 2009-02-09 12:10   453120   -c----w   c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 21:39 . 2009-02-09 12:10   729088   -c----w   c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 21:39 . 2009-02-09 12:10   617472   -c----w   c:\windows\system32\dllcache\advapi32.dll
2009-04-15 21:39 . 2009-02-09 12:10   714752   -c----w   c:\windows\system32\dllcache\ntdll.dll
2009-04-15 21:37 . 2008-05-03 11:55   2560   ------w   c:\windows\system32\xpsp4res.dll
2009-04-15 21:37 . 2008-04-21 12:08   215552   -c----w   c:\windows\system32\dllcache\wordpad.exe
2009-04-13 23:25 . 2009-04-13 23:25   --------   d-sh--w   c:\documents and settings\Ian\IECompatCache
2009-04-12 00:29 . 2009-04-12 00:29   --------   d-sh--w   c:\documents and settings\NetworkService\IETldCache
2009-04-11 15:32 . 2009-04-11 15:32   --------   d-sh--w   c:\documents and settings\Ian\PrivacIE
2009-04-11 13:52 . 2009-04-11 13:52   --------   d-sh--w   c:\documents and settings\LocalService\IETldCache
2009-04-11 13:48 . 2009-04-11 13:48   --------   d-sh--w   c:\documents and settings\Ian\IETldCache
2009-04-11 13:38 . 2009-04-11 13:38   --------   d-----w   c:\windows\ie8updates
2009-04-11 13:37 . 2009-04-11 13:38   --------   dc-h--w   c:\windows\ie8
2009-04-11 13:35 . 2009-02-28 04:55   105984   -c----w   c:\windows\system32\dllcache\iecompat.dll
2009-04-11 10:46 . 2009-04-11 10:46   --------   d-----w   c:\documents and settings\Ian\Local Settings\Application Data\Gruss_Software
2009-04-11 10:40 . 2009-04-11 11:21   --------   d-----w   c:\temp\Betting Assistant Logs
2009-04-11 10:40 . 2009-04-11 10:40   --------   d-----w   c:\documents and settings\Ian\Application Data\Betting Assistant
2009-04-11 10:40 . 2009-04-11 11:21   165   ----a-w   c:\temp\debug_betting_assistant.bat
2009-04-11 10:21 . 2009-04-21 23:31   --------   d-----w   c:\program files\Betting Assistant

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 14:00 . 2006-07-25 23:35   --------   d-----w   c:\program files\Microsoft Picture It! PhotoPub
2009-05-05 07:36 . 2008-09-18 13:32   11952   ----a-w   c:\windows\system32\avgrsstx.dll
2009-05-05 07:36 . 2008-09-18 13:32   325896   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2009-04-29 10:07 . 2008-02-08 00:48   --------   d-----w   c:\program files\Kontiki
2009-04-28 09:41 . 2007-11-29 01:27   --------   d-----w   c:\program files\TomTom HOME 2
2009-04-23 23:24 . 2009-01-25 21:49   15688   ----a-w   c:\windows\system32\lsdelete.exe
2009-04-23 23:24 . 2009-01-25 01:30   64160   ----a-w   c:\windows\system32\drivers\Lbd.sys
2009-04-23 23:23 . 2008-09-26 12:11   --------   d-----w   c:\program files\SpywareBlaster
2009-04-21 23:43 . 2008-10-13 12:23   --------   d-----w   c:\program files\Common Files\Apple
2009-04-14 21:26 . 2007-09-27 22:44   --------   d-----w   c:\program files\MozyHome
2009-04-01 23:33 . 2009-04-01 23:33   --------   d-----w   c:\program files\Adobe Media Player
2009-04-01 23:33 . 2009-04-01 23:33   --------   d-----w   c:\program files\Common Files\Adobe AIR
2009-03-31 13:17 . 2009-03-31 13:17   --------   d-----w   c:\program files\Common Files\xing shared
2009-03-31 13:17 . 2008-02-29 14:47   --------   d-----w   c:\program files\Common Files\Real
2009-03-19 15:32 . 2005-02-02 00:21   23400   ----a-w   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 13:48 . 2006-07-26 17:21   --------   d-----w   c:\program files\Common Files\Adobe
2009-03-12 23:14 . 2009-03-12 23:14   --------   d-----w   c:\program files\QuickTime
2009-03-12 23:10 . 2009-03-12 23:09   --------   d-----w   c:\program files\Safari
2009-03-08 03:34 . 2004-08-04 12:00   914944   ----a-w   c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-04 12:00   43008   ----a-w   c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2004-08-04 12:00   18944   ----a-w   c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-04 12:00   420352   ----a-w   c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2004-08-04 12:00   72704   ----a-w   c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-04 12:00   71680   ----a-w   c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2004-08-04 12:00   34816   ----a-w   c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2004-08-04 12:00   48128   ----a-w   c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2004-08-04 12:00   45568   ----a-w   c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2004-08-04 12:00   156160   ----a-w   c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00   284160   ----a-w   c:\windows\system32\pdh.dll
2009-03-05 23:59 . 2009-03-12 23:13   1900544   ----a-w   c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 . 2008-10-13 12:23   36864   ----a-w   c:\windows\system32\drivers\usbaapl.sys
2009-02-09 12:10 . 2004-08-04 12:00   729088   ----a-w   c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00   714752   ----a-w   c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00   617472   ----a-w   c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00   401408   ----a-w   c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00   1846784   ----a-w   c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59   2066048   ----a-w   c:\windows\system32\ntkrnlpa.exe
2007-09-12 16:27 . 2007-03-21 11:39   34531872   --sha-w   c:\windows\system32\drivers\fidbox.dat
2007-09-12 16:27 . 2007-03-21 11:39   1191968   --sha-w   c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((   SnapShot@2009-05-04_00.35.49   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 22:50 . 2009-05-05 22:50   16384              c:\windows\Temp\Perflib_Perfdata_720.dat
+ 2009-05-05 22:50 . 2009-05-05 22:50   16384              c:\windows\Temp\Perflib_Perfdata_4f4.dat
+ 2009-05-05 22:50 . 2009-05-05 22:50   16384              c:\windows\Temp\Perflib_Perfdata_484.dat
+ 2008-09-18 13:32 . 2009-05-05 07:36   27784              c:\windows\system32\drivers\avgmfx86.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-04-06 09:33   2823168   ----a-w   c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-04-06 09:33   2823168   ----a-w   c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-14 160592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"Google Update"="c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-05 1947928]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-23 516440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-31 198160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Ian\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-5-7 95744]

 
mrtubs
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 163


« Reply #11 on: May 07, 2009, 11:32:53 PM »

Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [2007-3-6 845584]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-6 688128]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-4-6 2829312]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-05 07:36   11952   ----a-w   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Roxio\\Sound Editor 10\\SoundEdit10.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/01/2009 02:30 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/09/2008 14:32 325896]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [27/09/2007 23:44 53752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/09/2008 14:32 298776]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [24/08/2007 15:52 166384]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [27/10/2006 11:59 57640]
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [27/10/2006 11:59 15876]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [24/08/2007 15:52 1083888]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 953168]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [24/08/2007 15:53 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [24/08/2007 15:52 309744]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 CSRBC01;%CSRBC01.SvcDesc%;c:\windows\system32\drivers\CSRBC01.sys [27/10/2006 11:59 24859]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [18/09/2008 13:10 23096]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [18/09/2008 13:10 3768]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [24/08/2007 15:53 72176]
S3 vad_multi;Windigo Virtual Audio Device (WDM);c:\windows\system32\drivers\vadmulti.sys [27/10/2006 11:59 17792]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:24]

2009-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-448539723-682003330-1004.job
- c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-07 14:58]

2009-05-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&rlz=1G1GGLQ_ENGB275
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 00:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-05-07  0:27
ComboFix-quarantined-files.txt  2009-05-07 23:26
ComboFix2.txt  2009-05-04 00:41
ComboFix3.txt  2007-05-09 12:28

Pre-Run: 193,882,574,848 bytes free
Post-Run: 193,934,790,656 bytes free

254   --- E O F ---   2009-05-07 14:53

 
mrtubs
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 163


« Reply #12 on: May 07, 2009, 11:34:03 PM »

HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:33:42, on 08/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Axon Data\AxCrypt\1.6.4.4\AxCrypt.exe
C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&rlz=1G1GGLQ_ENGB275
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154772262687
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 15345 bytes
Logged
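The log above is long and most of its O23 entries are ordinary vendor services, so a reviewer's first pass is usually mechanical: pull out the entries with no recorded publisher, the ones whose file no longer exists (orphaned registrations, the kind of leftovers a cleanup removes), anything running from a temp folder, and ActiveX controls fetched over plain HTTP. The Python below does that pass. It is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted above, and the flagging heuristics (the regexes, the temp-folder markers, the reasons text) are my own and are prompts for review, not verdicts.

```python
"""Triage helper for HijackThis O16/O18/O23 lines (added example, not from HijackThis)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154772262687
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Ian\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
"""

# O23: "Service: <display name> - <publisher> - <path>[ (file missing)]"
RE_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# O16: "DPF: {CLSID} (<name>) - <download URL>" (ActiveX controls the browser pulled down)
RE_O16 = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.+?)\) - (?P<url>\S+)$"
)
# O18: "Protocol: <scheme> - {CLSID} - <handler DLL>"
RE_O18 = re.compile(
    r"^O18 - Protocol: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)

# Folder fragments that legitimate services almost never run from (my own heuristic list).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass
class Entry:
    section: str               # "O16", "O18" or "O23"
    name: str
    location: str              # file path (O18/O23) or download URL (O16)
    owner: str = ""            # O23 only
    missing: bool = False      # O23 "(file missing)" marker
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for sections this helper does not handle."""
    line = line.strip()
    if m := RE_O23.match(line):
        return Entry("O23", m["name"], m["path"], owner=m["owner"],
                     missing=m["missing"] is not None)
    if m := RE_O16.match(line):
        return Entry("O16", m["name"], m["url"])
    if m := RE_O18.match(line):
        return Entry("O18", m["name"], m["path"])
    return None


def assess(entry: Entry) -> Entry:
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    loc = entry.location.lower()
    if entry.section == "O23":
        if entry.owner.lower() == "unknown owner":
            entry.reasons.append("no publisher recorded for the service binary; check its signature")
        if entry.missing:
            entry.reasons.append("registered file is absent (orphaned service entry)")
        if any(marker in loc for marker in TEMP_MARKERS):
            entry.reasons.append("service binary lives under a temp folder")
    elif entry.section == "O16" and loc.startswith("http://"):
        entry.reasons.append("ActiveX control downloaded over plain HTTP")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line and assess it."""
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e is not None]


def suspicious(entries: List[Entry]) -> List[Entry]:
    """Entries that earned at least one review reason."""
    return [e for e in entries if e.reasons]


def report(log_text: str) -> str:
    """Human-readable summary, one line per flagged entry."""
    lines = [f"{e.section} {e.name}: {'; '.join(e.reasons)}"
             for e in suspicious(triage(log_text))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the six sample lines the script flags four entries and leaves the NVIDIA service and the AVG protocol handler alone; the SessionLauncher entry collects all three service reasons (unknown publisher, file missing, temp-folder path), which is exactly the kind of line a reviewer wants surfaced first. Feed it a whole log and you get a short worklist instead of 200 lines to eyeball.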

 
Pancake
Global Moderator
Hero Member

Karma: +78/-0

Gender: Male
Posts: 3915


« Reply #13 on: May 08, 2009, 12:50:47 AM »

I don't see any more malware now, so you should be fine... all done.

This will clear away any of the files and folders that were created by ComboFix.

Go to Start > Run, then copy and paste the following text into the box and click OK:

ComboFix /u

Logged

An Australian Member of

EDDY
mrtubs
Sr. Member

Karma: +0/-0

Gender: Male
Posts: 163


« Reply #14 on: May 08, 2009, 08:16:44 AM »

Many Thanks for all your help

Ian
Logged

 