Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: jsranchmn22 on May 03, 2010, 10:40:43 PM

Title: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 03, 2010, 10:40:43 PM
I accepted a gift on an application on facebook and boy would I like to return it!

I meticulously followed the forum's directions in "Read this before requesting Malware Help". I do understand that this is a critical step. That wasn't working: the SUPERAntiSpyware page would not load, and I tried to get there independently. No luck.

AVG identified a Trojan virus and kicked in; Firefox went on the blitz. Microsoft reporting popped up for all my executable programs because none of them can be executed, with MS stating they were going to upload the name of a different txt file associated with each program. These are located in my temp folder in Local Settings. (Deleted them before I found your site, but they are back.) My browser redirects to junk sites. I keep doing workarounds. Internet Explorer is letting some stuff through, but not SUPERAntiSpyware. Fortunately, you have posted alternative links that may work. That is how I got Malwarebytes. I downloaded Malwarebytes and glanced at 28 infected files, but it closed down as soon as it stated it was done and I clicked okay. Tried that twice.

There was a new program added: Advertisement Service. It had the Internet Explorer icon in front of it, and I use Firefox. I just removed that because nothing else was working.


AVG did say it vaulted some stuff; a couple:

Trojan horse backdoor.Generic12.BIES and Clicker.AFJE

If I can't get these malware downloads, and when I do download them they can't do anything, what can I do?
Title: Re: browser redirects programs won't execute trojan malabytes
Post by: jsranchmn22 on May 04, 2010, 11:05:34 AM
Running XP Service Pack 3

I ran Malwarebytes again, clicked rapidly, and here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4063

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/4/2010 11:08:13 AM
mbam-log-2010-05-04 (11-08-13).txt

Scan type: Quick scan
Objects scanned: 115629
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmadcdivnyrbc (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbjdleuq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbjdleuq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98b00566-12f1-445c-a83d-399bf19a8306}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMAdcdivnyrbc (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\PRAGMAdcdivnyrbc\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAdcdivnyrbc\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAdcdivnyrbc\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\vvxhxatin\yrgxabwtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Each time I start my computer, I get error messages on all executable programs, including utility, AVG, and hpcmpmgr. My browser continues to redirect: Firefox and now IE. I downloaded Google Chrome and that won't load pages. I can get to Facebook and Yahoo with Firefox and IE. The trojan seems happy there. I am on another computer.
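The Malwarebytes log above records the two settings a defender most wants to pull out of a DNSChanger/rogue-AV cleanup: the `NameServer` values the infection wrote into `Tcpip\Parameters` (which explain the browser redirects, since every lookup went to attacker-chosen resolvers), and the Security Center `*DisableNotify` flags it flipped to silence the firewall and antivirus warnings. The parser below is an added example, not code from the thread or from Malwarebytes; it embeds the "Registry Data Items Infected" block from the quoted log as constructed sample input and turns it into structured findings so those two indicators can be checked against a trusted-resolver list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample input: the "Registry Data Items Infected" block from the
# Malwarebytes log quoted in the thread, embedded so the script runs offline.
# Each detection line has the shape:
#   <registry path or file> (<detection name>) -> [<detail> -> ]<action>
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98b00566-12f1-445c-a83d-399bf19a8306}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.
"""

# One detection line: lazy path up to the first " (", the detection name in
# parentheses, then one or two " -> " separated fields.
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<detail>.*?)(?: -> (?P<action>.*))?$"
)
DATA_RE = re.compile(r"^Data: (?P<data>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)$")


@dataclass
class Finding:
    path: str
    detection: str
    detail: str
    action: str

    @property
    def value_name(self) -> str:
        """Last component of the registry path (e.g. 'NameServer')."""
        return self.path.rsplit("\\", 1)[-1]

    def data_values(self) -> List[str]:
        """Comma-separated payload of a 'Data: ...' detail, or [] if absent."""
        m = DATA_RE.match(self.detail)
        return [v.strip() for v in m.group("data").split(",")] if m else []

    def bad_good(self) -> Optional[tuple]:
        """(bad, good) integers from a 'Bad: (n) Good: (m)' detail, else None."""
        m = BAD_GOOD_RE.match(self.detail)
        return (int(m.group("bad")), int(m.group("good"))) if m else None


def parse_mbam_log(text: str) -> List[Finding]:
    """Parse every detection line; section headers and '(No malicious items detected)' are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        detail, action = m.group("detail"), m.group("action")
        if action is None:  # two-field line: the 'detail' slot is really the action
            detail, action = "", detail
        findings.append(Finding(m.group("path"), m.group("detection"), detail, action))
    return findings


def rogue_dns_servers(findings: Iterable[Finding], trusted: Iterable[str]) -> List[str]:
    """Resolvers written by a DNSChanger detection that are not on the trusted list, in log order."""
    trusted = set(trusted)
    seen, rogue = set(), []
    for f in findings:
        if "DNSChanger" not in f.detection or f.value_name != "NameServer":
            continue
        for ip in f.data_values():
            if ip not in trusted and ip not in seen:
                seen.add(ip)
                rogue.append(ip)
    return rogue


def disabled_security_center_notifications(findings: Iterable[Finding]) -> List[str]:
    """Security Center *DisableNotify values the malware had switched on (Bad == 1)."""
    return [
        f.value_name
        for f in findings
        if f.detection == "Disabled.SecurityCenter"
        and f.bad_good() is not None
        and f.bad_good()[0] == 1
    ]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections parsed")
    # The trusted resolver here is a placeholder; use your own router/ISP addresses.
    print("rogue DNS servers:", rogue_dns_servers(found, trusted={"192.168.1.1"}))
    print("notifications disabled:", disabled_security_center_notifications(found))
```

Two practical points the output makes visible: the same rogue resolver pair was written both to the global `NameServer` value and to the per-interface one, so checking only one location after cleanup would miss a re-infection, and the three `DisableNotify` flags are why the user saw no Security Center warning while AVG and the firewall were being tampered with. Comparing the parsed resolvers against an allowlist rather than a blocklist is deliberate: the addresses change between campaigns, the legitimate ones on a given network do not.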
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: harry 48 on May 04, 2010, 01:27:39 PM
Re-name HijackThis to snipper.exe and run it; also post the log.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 04, 2010, 02:34:28 PM
I did manage to make it through Step 3, SUPERAntiSpyware.

Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/04/2010 at 02:15 PM

Application Version : 4.36.1006

Core Rules Database Version : 4888
Trace Rules Database Version: 2700

Scan type       : Complete Scan
Total Scan Time : 01:38:34

Memory items scanned      : 409
Memory threats detected   : 0
Registry items scanned    : 6001
Registry threats detected : 16
File items scanned        : 60837
File threats detected     : 32

Trojan.Agent/Gen
   [BisonMnt] C:\WINDOWS\BISONC07\BISONM07.EXE
   C:\WINDOWS\BISONC07\BISONM07.EXE
   [EnergyUtility] C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\UTILITY.EXE
   C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\UTILITY.EXE
   [Energy Management] C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\ENERGY MANAGEMENT.EXE
   C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\ENERGY MANAGEMENT.EXE
   [HP Component Manager] C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
   C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
   [HP Software Update] C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
   C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
   [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB09.EXE
   C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB09.EXE
   [iTunesHelper] C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
   C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
   [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\AVGTRAY.EXE
   C:\PROGRA~1\AVG\AVG9\AVGTRAY.EXE
   [QuickTime Task] C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
   C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
   [DivXUpdate] C:\PROGRAM FILES\DIVX\DIVX UPDATE\DIVXUPDATE.EXE
   C:\PROGRAM FILES\DIVX\DIVX UPDATE\DIVXUPDATE.EXE
   [swg] C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
   C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
   [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
   C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
   [H/PC Connection Agent] C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
   C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
   HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\WCESCOMM.EXE
   C:\PROGRAM FILES\AVG\AVG9\AVGTRAY.EXE
   C:\WINDOWS\Prefetch\AVGTRAY.EXE-0F97EFEF.pf
   C:\WINDOWS\Prefetch\AVGTRAY.EXE-3209AA20.pf
   C:\WINDOWS\Prefetch\BISONM07.EXE-0190AC3B.pf
   C:\WINDOWS\Prefetch\DIVXUPDATE.EXE-24EAF9C6.pf
   C:\WINDOWS\Prefetch\ENERGY MANAGEMENT.EXE-35BAAFC9.pf
   C:\WINDOWS\Prefetch\GOOGLETOOLBARNOTIFIER.EXE-3629C61D.pf
   C:\WINDOWS\Prefetch\HPCMPMGR.EXE-0D8BF169.pf
   C:\WINDOWS\Prefetch\HPWUSCHD.EXE-1AC4276F.pf
   C:\WINDOWS\Prefetch\HPZTSB09.EXE-17B97A12.pf
   C:\WINDOWS\Prefetch\ITUNESHELPER.EXE-15823303.pf
   C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf
   C:\WINDOWS\Prefetch\TEATIMER.EXE-1F57E47A.pf
   C:\WINDOWS\Prefetch\UTILITY.EXE-1B84E6D5.pf
   C:\WINDOWS\Prefetch\WCESCOMM.EXE-062FDF7F.pf

Adware.Tracking Cookie
   C:\Documents and Settings\SUSAN TXX\Cookies\susan_tXX@serving-sys[2].txt
   C:\Documents and Settings\SUSAN TXX\Cookies\[email protected][2].txt

Rootkit.Agent/Gen-TDS[Pragma]
   HKU\.DEFAULT\Software\Pragma
   HKU\S-1-5-18\Software\Pragma

Trojan.RootKit/Gen
   C:\DOCUMENTS AND SETTINGS\SUSAN TORK\DESKTOP\TEMP\PRAGMA4E70.TMP

Adware.Vundo/Variant-LockDown
   C:\WINDOWS\SYSTEM32\PRAGMASERF.DLL

Now off to fulfill next request; running Hijack and posting log. Thank you very much!
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 04, 2010, 02:56:25 PM
I first did step 5 and updated my Java, then downloaded HijackThis per your instructions. Just an FYI: I googled Java add-ons to tweak the add-ons. When I went into the Java website, I was still being redirected.

I did this on Firefox. I switched back from IE on this request because I thought it might be safe now. Guess not.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:54 PM, on 5/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\Program Files\DDNI\DIBS\DDNIService.exe
C:\QSTART.SYS\config\DVMExportService.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: GuardId.MSIEBrowser.BHO - {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: LENOVO - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: PicNotify - C:\WINDOWS\SYSTEM32\PicNotify.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DDNIMSGService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
O23 - Service: DDNIService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\DIBS\DDNIService.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\QSTART.SYS\config\DVMExportService.exe
O23 - Service: Google Update Service (gupdate1ca1a13d4570dfa) (gupdate1ca1a13d4570dfa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SUSANT~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

--
End of file - 7581 bytes
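The one O23 entry in this HijackThis log that stands out is `hpdj`: no recorded publisher, the binary already gone, and a path under the user's Temp directory, which is why the helper's reply singles that service name out. The snippet below is an added example, not code from the thread or from Trend Micro; it embeds four O23 lines from the quoted log as constructed sample input and applies those three triage rules so the same reasoning can be run over any O23 block. It assumes the owner field of an O23 line never contains " - " (true of every line on this page).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: four O23 service lines from the HijackThis log
# quoted in the thread, the flagged hpdj entry plus three ordinary ones.
SAMPLE_HJT = r"""
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1ca1a13d4570dfa) (gupdate1ca1a13d4570dfa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SUSANT~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# O23 line shape: "O23 - Service: <name> - <owner> - <path>[ (file missing)]".
# The name is matched greedily so display names containing " - " still parse;
# the owner is assumed not to contain " - ", and the path is taken lazily so a
# trailing "(file missing)" marker lands in its own group.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>(?:(?! - ).)+) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Service binaries living under a Temp/Tmp directory deserve a second look.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(text: str) -> List[ServiceEntry]:
    """Collect every O23 line; other HijackThis line types are ignored."""
    entries = []
    for raw in text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            entries.append(
                ServiceEntry(m["name"], m["owner"], m["path"], m["missing"] is not None)
            )
    return entries


def triage_services(entries: List[ServiceEntry]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for entries that match at least one triage rule."""
    flagged = []
    for e in entries:
        reasons = []
        if e.owner == "Unknown owner":
            reasons.append("no publisher recorded")
        if e.file_missing:
            reasons.append("binary missing on disk")
        if TEMP_DIR_RE.search(e.path):
            reasons.append("runs from a Temp directory")
        if reasons:
            flagged.append((e.name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_services(parse_o23(SAMPLE_HJT)):
        print(f"{name}: {', '.join(reasons)}")
```

A service whose executable is already missing is still worth removing: the registration survives in `HKLM\SYSTEM\CurrentControlSet\Services`, and a later stage of the infection (or a reboot while the dropper is still resident, as the ComboFix run in this thread shows) can put the binary back under the same name. None of the three rules is proof of malice on its own; "Unknown owner" also appears for unsigned but legitimate software, which is why the example reports reasons rather than a verdict.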
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 04, 2010, 03:58:10 PM
Oh, I thought I should report this. Not sure if it would have affected the outcome of the antimalware scans.

Another trick (stupid?) I tried was relocating the temp file from Local Settings. I did this because none of my programs would execute and Microsoft reporting was asking me to upload problems for their general reporting.

When I looked closer at what they were asking for, it was a bunch of txt files in the temp folder. There was a different one associated with each executable program. Even though I deleted them (which was probably also wrong, but I couldn't connect to the internet to ask for help), they would reappear when I rebooted.

I relocated the temp folder to the desktop and created a new blank one. May or may not make a difference to report this.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: harry 48 on May 04, 2010, 04:04:29 PM
OK, you will have to wait for a malware expert to help you.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 04, 2010, 07:12:32 PM
Hello jsranchmn22.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Do not restart the computer if HijackThis asks you to.

Next in HijackThis select Main Menu

Click on the Open the MISC tools section button.

Copy this red text -> hpdj

.
Now exit HijackThis and reboot when it tells you it needs to.

----------

Clearing Temp Folder
.
----------

Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 04, 2010, 09:02:06 PM
Thank you, Mr. Evilfantasy.

Instructions followed verbatim (I assume they are in order and specific for a reason).

ComboFix stopped and rebooted in the middle, citing the presence of root activity, and resumed. I didn't expect it to log off and reboot just before "Preparing Log Report", but maybe that is normal.

AVG was removed from the tray, and other things moved around through this ordeal.

ComboFix log:

ComboFix 10-05-04.04 - SUSAN TORK 05/04/2010  21:36:56.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.601 [GMT -5:00]
Running from: c:\documents and settings\SUSAN TORK\My Documents\Downloads\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\WindowsUpdate
c:\recycler\S-1-5-21-522090433-925392414-3357670280-1003
c:\windows\system32\avgrsstx.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\drivers\xakcj.sys
c:\windows\system32\pragmabbr.dll
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\sqlite3.dll

----- BITS: Possible infected sites -----

hxxp://dibs.ddni.net
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ocskb
-------\Service_ocskb


(((((((((((((((((((((((((   Files Created from 2010-04-05 to 2010-05-05  )))))))))))))))))))))))))))))))
.

2010-05-04 20:46 . 2010-05-04 20:46   --------   d-----w-   c:\program files\Trend Micro
2010-05-04 20:43 . 2010-05-04 20:43   --------   d-----w-   c:\program files\Common Files\Java
2010-05-04 20:42 . 2010-05-04 20:42   503808   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcp71.dll
2010-05-04 20:42 . 2010-05-04 20:42   499712   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\jmc.dll
2010-05-04 20:42 . 2010-05-04 20:42   348160   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcr71.dll
2010-05-04 20:42 . 2010-05-04 20:42   12800   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-d3d.dll
2010-05-04 20:42 . 2010-05-04 20:42   61440   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-sse.dll
2010-05-04 20:42 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-04 17:25 . 2010-05-04 17:25   63488   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 17:25 . 2010-05-04 17:25   52224   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 17:25 . 2010-05-04 17:25   117760   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com
2010-05-04 17:22 . 2010-05-04 17:22   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Malwarebytes
2010-05-04 03:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-04 03:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-03 17:46 . 2010-05-04 16:08   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
2010-05-03 17:45 . 2010-05-03 17:46   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF
2010-05-03 17:45 . 2010-05-03 17:45   107008   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll
2010-04-24 15:49 . 2010-04-24 15:49   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\MSNInstaller
2010-04-24 03:50 . 2010-04-24 03:50   360584   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-24 03:50 . 2010-04-24 03:50   333192   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-24 03:50 . 2010-04-24 03:50   28424   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-21 23:29 . 2010-04-21 23:29   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\DivX
2010-04-21 23:17 . 2010-04-21 23:17   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-21 23:14 . 2010-04-21 23:10   754984   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-04-21 23:14 . 2010-04-21 23:09   1180952   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-04-21 23:10 . 2010-04-21 23:10   144696   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-21 23:10 . 2010-04-21 23:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-04-15 00:07 . 2010-04-15 00:07   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\WMTools Downloaded Files
2010-04-10 15:35 . 2010-04-10 15:35   --------   d--h--w-   c:\documents and settings\All Users\Application Data\CanonBJ
2010-04-10 15:18 . 2007-04-02 10:00   69632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8U.DLL
2010-04-10 15:18 . 2007-04-02 10:00   27136   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8U.DLL
2010-04-10 15:18 . 2008-02-06 10:00   216064   ----a-w-   c:\windows\system32\CNMLM8U.DLL
2010-04-10 15:18 . 2010-04-10 15:18   --------   d--h--w-   c:\windows\system32\CanonIJ Uninstaller Information
2010-04-10 15:18 . 2007-03-15 19:12   188416   ----a-w-   c:\windows\system32\CNC470O.DLL
2010-04-10 15:18 . 2007-03-23 21:30   1400832   ----a-w-   c:\windows\system32\CNC470C.DLL
2010-04-10 15:18 . 2007-03-23 21:29   98304   ----a-w-   c:\windows\system32\CNC470I.DLL
2010-04-10 15:18 . 2007-03-19 15:21   200704   ----a-w-   c:\windows\system32\CNC470L.DLL
2010-04-10 15:17 . 2010-04-10 15:17   --------   d--h--w-   c:\program files\CanonBJ
2010-04-09 16:40 . 2010-05-04 20:14   --------   d-----w-   c:\program files\QuickTime

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 22:50 . 2010-03-13 05:50   0   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\prvlcl.dat
2010-05-04 20:41 . 2009-08-27 00:07   --------   d-----w-   c:\program files\Java
2010-05-04 20:14 . 2010-03-12 07:02   --------   d-----w-   c:\program files\Microsoft ActiveSync
2010-05-04 20:14 . 2010-02-07 19:00   --------   d-----w-   c:\program files\iTunes
2010-05-04 20:14 . 2009-09-26 05:34   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-05-04 05:56 . 2009-06-18 20:32   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-05-04 02:21 . 2009-12-08 04:44   --------   d-----w-   c:\program files\CCleaner
2010-04-24 03:50 . 2010-03-06 23:11   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-04-24 03:50 . 2009-09-01 14:57   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-04-24 03:48 . 2009-09-01 14:57   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-04-24 03:02 . 2010-04-24 03:23   244142   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-04-21 23:14 . 2010-04-21 23:14   56766   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:12   --------   d-----w-   c:\program files\DivX
2010-04-21 23:14 . 2010-04-21 23:14   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   52963   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-21 23:13 . 2010-04-21 23:13   54073   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-21 23:13 . 2010-04-21 23:13   --------   d-----w-   c:\program files\Common Files\DivX Shared
2010-04-21 23:13 . 2010-04-21 23:13   56969   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-21 23:00 . 2010-02-07 19:01   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Apple Computer
2010-04-17 20:29 . 2009-08-10 23:36   --------   d-----w-   c:\program files\Google
2010-04-15 00:45 . 2009-05-04 11:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 05:13 . 2010-04-03 00:13   165312   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-02 23:09 . 2009-06-18 20:31   72040   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2004-08-04 20:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 20:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 20:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 20:00   430080   ------w-   c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59   94208   ----a-w-   c:\windows\system32\dpl100.dll
2010-03-06 23:11 . 2010-03-06 23:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-03-06 23:11 . 2009-09-01 14:57   --------   d-----w-   c:\program files\AVG
2010-02-24 13:11 . 2004-08-04 20:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27   720384   ----a-w-   c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
2010-02-16 14:08 . 2004-08-04 20:00   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 06:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 20:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 20:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
.
Code:
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Software Update\hpwuschd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lenovo\Energy Management\energy management .exe
c:\program files\Lenovo\Energy Management\utility .exe
c:\program files\Microsoft ActiveSync\wcescomm .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\BisonC07\bisonm07 .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb09 .exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-06-06 14:52   241752   ----a-w-   c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ID Vault.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ID Vault.lnk
backup=c:\windows\pss\ID Vault.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-12-02 18:34   35184   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 07:00   166424   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IdeaNotesUser]
2009-08-24 14:15   221872   ----a-w-   c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 07:00   141848   ----a-w-   c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-28 07:00   137752   ----a-w-   c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-03-24 11:10   17567744   ----a-w-   c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-04-09 13:13   1512744   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeriFaceManager]
2009-06-06 14:52   323584   ----a-w-   c:\program files\Lenovo\VeriFaceIII\PManage.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2009 9:57 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/6/2010 6:11 PM 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 10:50 PM 308064]
R2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [1/17/2009 1:59 AM 172720]
R2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [5/4/2009 6:52 AM 160432]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [3/25/2009 9:20 PM 315392]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [5/4/2009 6:17 AM 430080]
R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/4/2009 6:17 AM 48192]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [6/6/2009 9:56 AM 9472]
S2 gupdate1ca1a13d4570dfa;Google Update Service (gupdate1ca1a13d4570dfa);c:\program files\Google\Update\GoogleUpdate.exe [8/10/2009 6:39 PM 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/4/2009 6:10 AM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [5/4/2009 6:17 AM 81192]
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 07:54]

2010-05-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-10 23:36]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-409764278-1039016446-177758585-1008Core.job
- c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-04 15:08]

2010-05-05 c:\windows\Tasks\User_Feed_Synchronization-{E0937533-BB98-490D-955D-A0280C0E943C}.job
- c:\windows\system32\msfeedssync.exe [2009-05-04 10:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\SUSAN TORK\Application Data\Mozilla\Firefox\Profiles\s3wyq629.default\
FF - prefs.js: browser.search.selectedEngine - Google (Language: EN)
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Notify-AutorunsDisabled - avgrsstx.dll
Notify-avgrsstarter - avgrsstx.dll
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 21:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
@DACL=(02 0000)
"AVG8_TRAY"="c:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3324)
c:\windows\system32\WININET.dll
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-05-04  21:51:07 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-05 02:51

Pre-Run: 78,300,327,936 bytes free
Post-Run: 78,216,916,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 285D74C3179E177ACF42BB9D282EADC5
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 04, 2010, 09:41:14 PM
Quote
AVG was removed from tray and other things moved around through this ordeal

Let me know how the computer is running and if AVG comes back after this next set of instructions.

Quote
c:\documents and settings\SUSAN TORK\My Documents\Downloads\ComboFix.exe

ComboFix needs to be on the desktop. Go to your Downloads folder and right click on ComboFix then choose Cut. Go to the desktop and right click then choose Paste.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C.

Code:
KillAll::

Folder::
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF

File::
c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll

RenV::
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Software Update\hpwuschd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lenovo\Energy Management\energy management .exe
c:\program files\Lenovo\Energy Management\utility .exe
c:\program files\Microsoft ActiveSync\wcescomm .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\BisonC07\bisonm07 .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb09 .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://img249.imageshack.us/img249/1218/cfscript1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.
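The RenV:: section of the script above lists executables whose file names carry a space before the extension (for example `avgtray .exe`), the same paths ComboFix printed in the code box of the earlier log; the RenV:: step renames them back to their normal names. As an added example (not ComboFix's own code and not part of evilfantasy's post), the Python below scans ComboFix-style listing lines for that pattern, derives the name the RenV:: step restores, and assembles the RenV:: block. The sample lines are copied from the log on this page; the function names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# A file name whose final extension is preceded by one or more spaces,
# e.g. "avgtray .exe". The stem must end in a non-space character.
_SPACE_BEFORE_EXT = re.compile(r"^(?P<stem>.*\S) +(?P<ext>\.[A-Za-z0-9]+)$")

# A Windows path in a ComboFix-style line: from the drive letter to the end
# of the line (listing lines put the path in the last column).
_WIN_PATH = re.compile(r"[A-Za-z]:\\.+$")

# Constructed sample: 13 entries from the ComboFix log on this page plus a
# few lines that must not be flagged (header, separator, Find3M entry).
SAMPLE_LISTING = r"""
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 03:50 . 2009-09-01 14:57   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Software Update\hpwuschd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lenovo\Energy Management\energy management .exe
c:\program files\Lenovo\Energy Management\utility .exe
c:\program files\Microsoft ActiveSync\wcescomm .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\windows\BisonC07\bisonm07 .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb09 .exe
"""


def canonical_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (as_listed, repaired) when the file name has whitespace before
    its extension, otherwise None. 'repaired' is the listed name with that
    whitespace removed, i.e. the name the RenV:: step restores."""
    p = PureWindowsPath(path)
    m = _SPACE_BEFORE_EXT.match(p.name)
    if m is None:
        return None
    repaired = p.parent / (m.group("stem") + m.group("ext"))
    return path, str(repaired)


def find_space_renamed(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Scan log lines and return every (as_listed, repaired) pair found.
    Lines without a trailing Windows path (headers, separators, registry
    entries with extra fields) are skipped."""
    hits: List[Tuple[str, str]] = []
    for raw in lines:
        m = _WIN_PATH.search(raw.strip())
        if m is None:
            continue
        pair = canonical_name(m.group(0).strip())
        if pair is not None:
            hits.append(pair)
    return hits


def renv_section(lines: Iterable[str]) -> str:
    """Build the RenV:: block of a CFScript from the detected entries
    (empty string when nothing was found)."""
    listed = [as_listed for as_listed, _ in find_space_renamed(lines)]
    if not listed:
        return ""
    return "RenV::\n" + "\n".join(listed) + "\n"


if __name__ == "__main__":
    for as_listed, repaired in find_space_renamed(SAMPLE_LISTING.splitlines()):
        print(f"{as_listed}  ->  {repaired}")
    print(renv_section(SAMPLE_LISTING.splitlines()))
```

The check deliberately works on the listing text rather than the live file system, so it can be run against a log posted in a thread like this one; on the machine itself the same pattern match can be applied to the output of a directory listing.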
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 04, 2010, 09:59:39 PM
Caught me on that one. So much for verbatim :-[ I wasn't given an option on saving. That doesn't normally happen. Will do.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 05, 2010, 10:59:38 AM

Followed your instructions on Reply #9

Cut and paste Combofix to desktop.
Executed Notepad through run.
Cut and paste code you posted.
Saved txt file to desktop and named CFScript.txt.
Dragged text file into Combofix.

Combo ran and went through stages but hung all night on preparing log report & screen froze.

Turned off computer this morning. Started back up. Combofix did not resume.

Note: After 1st Combofix run (one not saved on desktop) icons on desktop are all highlighted.

AVG not in tray. Internet slow. Not sure on redirecting.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 05, 2010, 11:07:43 AM
Found log: (Meant to check before last post)

ComboFix 10-05-04.04 - SUSAN TORK 05/05/2010   0:04:44.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.546 [GMT -5:00]
Running from: C:\Documents and Settings\SUSAN TORK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SUSAN TORK\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin\yrgxabwtssd .exe
c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll

.
(((((((((((((((((((((((((   Files Created from 2010-04-05 to 2010-05-05  )))))))))))))))))))))))))))))))
.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 05, 2010, 04:06:32 PM
That didn't work right.

Try it again please. Restart the computer just before dragging the CFScript into the CF icon.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 05, 2010, 09:26:51 PM
Log results:

ComboFix 10-05-05.04 - SUSAN TORK 05/05/2010  22:09:57.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.592 [GMT -5:00]
Running from: c:\documents and settings\SUSAN TORK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\SUSAN TORK\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin\yrgxabwtssd .exe
c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll

.
(((((((((((((((((((((((((   Files Created from 2010-04-06 to 2010-05-06  )))))))))))))))))))))))))))))))
.

2010-05-04 20:46 . 2010-05-04 20:46   --------   d-----w-   c:\program files\Trend Micro
2010-05-04 20:43 . 2010-05-04 20:43   --------   d-----w-   c:\program files\Common Files\Java
2010-05-04 20:42 . 2010-05-04 20:42   503808   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcp71.dll
2010-05-04 20:42 . 2010-05-04 20:42   499712   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\jmc.dll
2010-05-04 20:42 . 2010-05-04 20:42   348160   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcr71.dll
2010-05-04 20:42 . 2010-05-04 20:42   12800   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-d3d.dll
2010-05-04 20:42 . 2010-05-04 20:42   61440   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-sse.dll
2010-05-04 20:42 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-05-04 17:25 . 2010-05-04 17:25   63488   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-04 17:25 . 2010-05-04 17:25   52224   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-04 17:25 . 2010-05-04 17:25   117760   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com
2010-05-04 17:22 . 2010-05-04 17:22   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Malwarebytes
2010-05-04 03:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-04 03:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-24 15:49 . 2010-04-24 15:49   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\MSNInstaller
2010-04-24 03:50 . 2010-04-24 03:50   360584   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-24 03:50 . 2010-04-24 03:50   333192   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-04-24 03:50 . 2010-04-24 03:50   28424   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-04-21 23:29 . 2010-04-21 23:29   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\DivX
2010-04-21 23:17 . 2010-04-21 23:17   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-21 23:14 . 2010-04-21 23:10   754984   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-04-21 23:14 . 2010-04-21 23:09   1180952   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-04-21 23:10 . 2010-04-21 23:10   144696   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-21 23:10 . 2010-04-21 23:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
2010-04-15 00:07 . 2010-04-15 00:07   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\WMTools Downloaded Files
2010-04-10 15:35 . 2010-04-10 15:35   --------   d--h--w-   c:\documents and settings\All Users\Application Data\CanonBJ
2010-04-10 15:18 . 2007-04-02 10:00   69632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8U.DLL
2010-04-10 15:18 . 2007-04-02 10:00   27136   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8U.DLL
2010-04-10 15:18 . 2008-02-06 10:00   216064   ----a-w-   c:\windows\system32\CNMLM8U.DLL
2010-04-10 15:18 . 2010-04-10 15:18   --------   d--h--w-   c:\windows\system32\CanonIJ Uninstaller Information
2010-04-10 15:18 . 2007-03-15 19:12   188416   ----a-w-   c:\windows\system32\CNC470O.DLL
2010-04-10 15:18 . 2007-03-23 21:30   1400832   ----a-w-   c:\windows\system32\CNC470C.DLL
2010-04-10 15:18 . 2007-03-23 21:29   98304   ----a-w-   c:\windows\system32\CNC470I.DLL
2010-04-10 15:18 . 2007-03-19 15:21   200704   ----a-w-   c:\windows\system32\CNC470L.DLL
2010-04-10 15:17 . 2010-04-10 15:17   --------   d--h--w-   c:\program files\CanonBJ
2010-04-09 16:40 . 2010-05-05 05:12   --------   d-----w-   c:\program files\QuickTime

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 21:50 . 2010-03-13 05:50   0   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\prvlcl.dat
2010-05-05 05:12 . 2010-03-12 07:02   --------   d-----w-   c:\program files\Microsoft ActiveSync
2010-05-05 05:12 . 2010-02-07 19:00   --------   d-----w-   c:\program files\iTunes
2010-05-05 05:12 . 2009-09-26 05:34   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-05-04 20:41 . 2009-08-27 00:07   --------   d-----w-   c:\program files\Java
2010-05-04 05:56 . 2009-06-18 20:32   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-05-04 02:21 . 2009-12-08 04:44   --------   d-----w-   c:\program files\CCleaner
2010-04-24 03:50 . 2010-03-06 23:11   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-04-24 03:50 . 2009-09-01 14:57   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-04-24 03:48 . 2009-09-01 14:57   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-04-24 03:02 . 2010-04-24 03:23   244142   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-04-21 23:14 . 2010-04-21 23:14   56766   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:12   --------   d-----w-   c:\program files\DivX
2010-04-21 23:14 . 2010-04-21 23:14   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-21 23:14 . 2010-04-21 23:14   52963   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-21 23:13 . 2010-04-21 23:13   54073   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-04-21 23:13 . 2010-04-21 23:13   --------   d-----w-   c:\program files\Common Files\DivX Shared
2010-04-21 23:13 . 2010-04-21 23:13   56969   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-21 23:00 . 2010-02-07 19:01   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Apple Computer
2010-04-17 20:29 . 2009-08-10 23:36   --------   d-----w-   c:\program files\Google
2010-04-15 00:45 . 2009-05-04 11:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 05:13 . 2010-04-03 00:13   165312   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-02 23:09 . 2009-06-18 20:31   72040   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 12:38 . 2004-08-04 20:00   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 20:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 20:00   17408   ----a-w-   c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 20:00   430080   ------w-   c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59   94208   ----a-w-   c:\windows\system32\dpl100.dll
2010-02-24 13:11 . 2004-08-04 20:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27   720384   ----a-w-   c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
2010-02-16 14:08 . 2004-08-04 20:00   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 06:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 20:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 20:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((   SnapShot@2010-05-05_02.46.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-06 03:17 . 2010-05-06 03:17   16384              c:\windows\temp\Perflib_Perfdata_6f8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-06-06 14:52   241752   ----a-w-   c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ID Vault.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ID Vault.lnk
backup=c:\windows\pss\ID Vault.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-12-02 18:34   35184   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 07:00   166424   ----a-w-   c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IdeaNotesUser]
2009-08-24 14:15   221872   ----a-w-   c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 07:00   141848   ----a-w-   c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-28 07:00   137752   ----a-w-   c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-03-24 11:10   17567744   ----a-w-   c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-04-09 13:13   1512744   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeriFaceManager]
2009-06-06 14:52   323584   ----a-w-   c:\program files\Lenovo\VeriFaceIII\PManage.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2009 9:57 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/6/2010 6:11 PM 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 10:50 PM 308064]
R2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [1/17/2009 1:59 AM 172720]
R2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [5/4/2009 6:52 AM 160432]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [3/25/2009 9:20 PM 315392]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [5/4/2009 6:17 AM 430080]
R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/4/2009 6:17 AM 48192]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [6/6/2009 9:56 AM 9472]
S2 gupdate1ca1a13d4570dfa;Google Update Service (gupdate1ca1a13d4570dfa);c:\program files\Google\Update\GoogleUpdate.exe [8/10/2009 6:39 PM 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/4/2009 6:10 AM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [5/4/2009 6:17 AM 81192]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 07:54]

2010-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-10 23:36]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-409764278-1039016446-177758585-1008Core.job
- c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-04 15:08]

2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{E0937533-BB98-490D-955D-A0280C0E943C}.job
- c:\windows\system32\msfeedssync.exe [2009-05-04 10:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\SUSAN TORK\Application Data\Mozilla\Firefox\Profiles\s3wyq629.default\
FF - prefs.js: browser.search.selectedEngine - Google (Language: EN)
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
@DACL=(02 0000)
"AVG8_TRAY"="c:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\WININET.dll
c:\windows\system32\IcnOvrly.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-05-05  22:23:33 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-06 03:23
ComboFix2.txt  2010-05-05 02:51

Pre-Run: 78,175,629,312 bytes free
Post-Run: 78,145,376,256 bytes free

- - End Of File - - 45FDEF245E014C74F520869ACADD4897
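As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage helper for the "Reg Loading Points" and service lines in the log format above. The sample input is constructed in that layout; the `example_autorun` entry is invented to show what a flagged temp-folder autostart looks like, and every flag is a prompt to research the file, not a verdict (the per-user Google updater legitimately lives under the profile, and the Lenovo/DeviceVM service legitimately sits outside Program Files).

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of ComboFix's "Reg Loading Points" and
# service lines. The entries mirror the log above except "example_autorun",
# which is invented to show what a flagged temp-folder autostart looks like.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"example_autorun"="c:\windows\temp\example_autorun.exe" [2010-05-04 40960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/6/2010 6:11 PM 242896]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [3/25/2009 9:20 PM 315392]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
"""

# A "[...\Run]" key header, a '"name"="path" [date size]' value line under it,
# and an "R2 name;display;path [meta]" service line.
RUN_KEY = re.compile(r'^\[(?P<key>HK[^\]]*\\Run)\]$', re.I)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+) (?P<size>\d+)\]$')
SERVICE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<meta>[^\]]*)\]$')

# XP-era locations an ordinary user can write to, and the roots where
# installed software normally lives.
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\', '\\local settings\\')
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\')


@dataclass
class Autostart:
    kind: str      # "run" (registry Run value) or "service"
    key: str       # Run key path, or the service start type (R1/R2/S3...)
    name: str
    path: str
    present: bool  # False when ComboFix printed "[?]" (file not found)


def parse_loading_points(text):
    """Extract Run values and service entries from the log text."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('['):
            # Only track values under a *\Run key; other key blocks are skipped.
            m = RUN_KEY.match(line)
            current_key = m.group('key') if m else None
            continue
        m = RUN_VALUE.match(line)
        if m and current_key:
            entries.append(Autostart('run', current_key, m.group('name'), m.group('path'), True))
            continue
        m = SERVICE.match(line)
        if m:
            # "path --> path [?]" is ComboFix's form for a registered service
            # whose binary is missing on disk; keep the last path shown.
            path = m.group('path').split(' --> ')[-1]
            entries.append(Autostart('service', m.group('start'), m.group('name'), path, m.group('meta') != '?'))
    return entries


def triage(entries):
    """Return {name: [reasons]} for entries worth a closer look.

    A reason is a prompt to research the file (vendor, signature, what
    installed it), not a verdict: a per-user updater legitimately lives
    under the profile, and OEM tools sometimes sit outside Program Files.
    """
    report = {}
    for e in entries:
        reasons = []
        p = e.path.lower()
        if not e.present:
            reasons.append('registered but file missing on disk')
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append('runs from a user-writable profile/temp path')
        elif not p.startswith(TRUSTED_ROOTS):
            reasons.append('runs from outside Program Files / Windows')
        if reasons:
            report[e.name] = reasons
    return report


if __name__ == '__main__':
    for name, reasons in triage(parse_loading_points(SAMPLE_LOG)).items():
        print(f'{name}: {"; ".join(reasons)}')
```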


Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 06, 2010, 01:17:01 PM
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 07, 2010, 01:42:54 PM
First of all I want to say thank you to the developers of this site for being here, for being available, and for assistance you give to the public.

Secondly I want to thank the experts for your knowledge, your responses and your relentless efforts to resolve our issues.

YOU ROCK!

Now onto this issue.

Eset gave me no options to pull a log. There was no Back>> button and the only option to select was Finish

The result was 0 found infections. Please advise.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 07, 2010, 10:36:59 PM
First of all I want to say thank you to the developers of this site for being here, for being available, and for assistance you give to the public.

Secondly I want to thank the experts for your knowledge, your responses and your relentless efforts to resolve our issues.

YOU ROCK!

Thanks and you're welcome.


Eset gave me no options to pull a log. There was no Back>> button and the only option to select was Finish

The result was 0 found infections. Please advise.

That's a good thing. ;D

If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

* Click Start Scanner
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page (http://www.microsoft.com/windows/ie/).

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I also suggest keeping CCleaner Slim (http://majorgeeks.com/download4191.html). It is an excellent and safe disk cleaner. Running CCleaner on a daily basis helps to protect your privacy and make your computer faster and more secure.

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html).
* Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 08, 2010, 03:37:49 PM
Well I ran Secunia Software Inspector. It stated to update the following programs:

iTunes
Adobe 9.XXX
Adobe Flash Player 10.X

I am concerned because the initial virus messed with my HKEYS, AVG never returned to the tray and it appeared to have jumbled up paths to programs & they would not execute.

I attempt to upgrade Adobe Reader. I get the following message:

Error 1402 Could not open key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalCompnents\MSFS


I google for a solution and settle on this:

http://kb2.adobe.com/cps/329/329137.html

I run regedit and I think the instructions say to put the HKEY line above here as follows:

   1. In the Registry Editor dialog box, choose File > Export
   2. Type a name for the file and choose the location. (Typed above HKEY here)
   3. For Export Range, choose All.
   4. Click Save.
   5. Close Regedit.


Received error:

Error: Path does not exist
Please verify the correct path exists


I give up and just go to HKEY_LOCAL_MACHINE and do this:

1.) Verify that the Administrators and SYSTEM is present and that Full Control is selected under the Allow column.

2.) In the Permissions dialog box, click Advanced.

3.) Select both "Allow inheritable permissions from parent to propagate to this object" and "Reset permissions on all child objects and enable propagation of inheritable permissions," (1) and then click Owner (2). Select the Administrators group (1) and "Replace owner on subcontainers and objects" (2).

Note: Select the current administrator account if the Administrators group is unavailable. I DID

4.) Click OK (3) in the Permissions dialog box. Windows will now reset the permissions for each child object to correspond with its parent. Click yes on any prompts.


But I receive this error:

Registry Editor could not set owner on the key currently selected or some subkeys.

The next solution listed was this:

* If the error reoccurs with the same key proceed to Solution 4.

Which says check for viruses lol


Must be fun for you to a.) work with complications viruses create and more importantly b.) work with people who have no experience with viruses and even worse aren't technically inclined.

I was thinking it would just be nice to restore to pre-virus since it appears to be cleaned up. I believe the virus was downloaded 5/4. I appear to have a 5/2 date as a restore option.

I await your response...

Continue to use PC. Not considering it disabled.

Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 08, 2010, 03:43:19 PM
One more question. Just went into System Restore and it stated it had been turned off. After the virus it was on and I had a 5/2/10 option to restore.

Did one of the many programs I ran turn it off? I am certain I did not do it manually. Probably no biggie, but it seems like I would like it on and customized.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 11, 2010, 02:58:51 PM
Please post a new HijackThis log.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 11, 2010, 05:49:06 PM
Is this the virus my PC caught?

http://www.bcs.org/server.php?show=conWebDoc.35478

or this:

http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 11, 2010, 06:10:25 PM
Hijackthis/Sniper Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:31:38 PM, on 5/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\DDNI\DIBS\DDNIService.exe
C:\QSTART.SYS\config\DVMExportService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\SUSAN TORK\Desktop\sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DDNIMSGService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
O23 - Service: DDNIService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\DIBS\DDNIService.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\QSTART.SYS\config\DVMExportService.exe
O23 - Service: Google Update Service (gupdate1ca1a13d4570dfa) (gupdate1ca1a13d4570dfa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

--
End of file - 6980 bytes
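As an added example, not part of this thread or of HijackThis itself: a small Python parser that splits log lines like the ones above into section, entry name and file path, so the O4 autostart entries and O23 services can be reviewed by where their binaries live. The sample log is constructed to resemble the lines above; the "Advertisement Service" Run entry and its path are hypothetical, not taken from the poster's log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the HijackThis log above. The "Advertisement Service"
# O4 line is hypothetical (the poster mentioned such a program and files in Temp).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"
O4 - HKCU\\..\\Run: [Advertisement Service] "C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe" /s
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

@dataclass
class HjtEntry:
    section: str          # "R1", "O2", "O4", "O23", ...
    name: str             # Run value name, BHO name or service name
    path: Optional[str]   # file the entry points at, if the section carries one

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.*)$")

def _strip_args(cmd: str) -> str:
    """Return only the executable from a Run value such as '"C:\\x.exe" /flag'."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" /", 1)[0]

def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4" and (o4 := O4_RE.match(body)):
            entries.append(HjtEntry(section, o4.group(1), _strip_args(o4.group(2))))
        elif section in ("O2", "O23") and " - " in body:
            head, path = body.rsplit(" - ", 1)             # path is always the last field
            name = head.split(": ", 1)[1].split(" - ", 1)[0]
            entries.append(HjtEntry(section, name, path))
        else:
            entries.append(HjtEntry(section, body, None))  # R/O lines without a file path
    return entries

def temp_launched(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Autostarts (O4) and services (O23) whose binary sits in a Temp folder: review these first."""
    return [e for e in entries if e.section in ("O4", "O23")
            and e.path and "\\temp\\" in e.path.lower()]
```

Legitimate software also installs under the user profile (the Google Update entry above does), so a hit is a prompt for a closer look at the file, not a verdict.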
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 12, 2010, 09:16:13 AM
Download the AVG installer and run it, only choose the option to uninstall it.

Restart the computer.

Then run it again and install it fresh.
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: jsranchmn22 on May 13, 2010, 05:27:34 PM
This is a portable netbook so I turn it on and off a lot. Given AVG would not come on when I started my computer I did go ahead and uninstall it, downloaded again and reinstalled.

I just didn't uninstall via AVG (Kind of wish I had thought of that)

It is starting up with my PC now.

As well I downloaded Comodo Firewall and installed.

When I put the hijackthis into the self help tool it indicated I didn't have my firewall turned off. I did have Windows FW turned on. I am assuming it would just be better to have it supplemented as recommended by this site.

All's well! Thank you so much for all of your assistance! I will go back to your last post and make sure I have looked at all your recommendations!

YOU ROCK! (|
Title: Re: Generic12 Clicker Advertisement Service Backdoor Trojan
Post by: evilfantasy on May 13, 2010, 06:26:44 PM
Quote
When I put the hijackthis into the self help tool it indicated I didn't have my firewall turned off. I did have Windows FW turned on. I am assuming it would just be better to have it supplemented as recommended by this site.

The online HJT readers have trouble reading the status of firewalls many times so you just have to make sure you know it is running.