Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: misstia on March 05, 2011, 02:24:40 PM
-
What transpired before I took the required steps and ended up here....I have vipre AV software...i could not get it to update....i couldn't go to the sunbeltsoftware.com website.....i ran a malwarebytes scan and it found a trojan....i ran an un-updated vipre scan and it found nothing....a friend uploaded the vipre update to their server for me to d/l and i d/l-ed and ran a deep vipre scan and it found 3 more trojans, a fraudware and a malware....i still could not go to sunbeltsoftware's website nor to ANY AV website, norton, etc....something is blocking me from that....my friend is a computer programmer and he studied my hijack this logs and saw nothing amiss....obviously something is.....i have windows XP media edition service pack 3....i have firefox, latest updated version with adblocker plus ad-on....
i have a laptop that i am using to access sites to d/l these programs from to d/l onto a SD card them putting them on my desktop as i can't access some of these sites with these programs on my desktop......
i am not a computer expert, but i can be walked through things and i know enough to know what NOT to mess with (i would not mess with my registry or BIOS)....
i have spent a couple days trying figure this out on my own---reading forums, etc and have found nothing....so here i am!!!
i read the steps i had to take before posting....this is what happened for each step....
Step 1. I saw nothing unusual in add/remove programs
Step 2. Ran the CCleaner.com Did not really understand it. Saved cookies I wanted. Ran the Cleaner. Did not understand the registry cleaner and I know enough to NOT mess with the registry, so i did nothing there, as i didn't want to mess anything up.
Step 3. Downloaded and ran SUPERAntiSpyware, here is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/05/2011 at 03:35 PM
Application Version : 4.49.1000
Core Rules Database Version : 6538
Trace Rules Database Version: 4350
Scan type : Quick Scan
Total Scan Time : 01:52:49
Memory items scanned : 585
Memory threats detected : 0
Registry items scanned : 1837
Registry threats detected : 3
File items scanned : 64113
File threats detected : 31
Trojan.Unclassified/PotPWS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKCR\CLSID\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}
Adware.Tracking Cookie
interclick.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\8JNYAJW9 ]
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@azjmp[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@chitika[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media-servers[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@reduxmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[2].txt
Trojan.Dropper/Gen
C:\IOMEGA\WCDPLAYR.EXE
Step 4. Malwarebytes log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5957
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
3/5/2011 4:07:51 PM
mbam-log-2011-03-05 (16-07-51).txt
Scan type: Quick scan
Objects scanned: 155357
Time elapsed: 5 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\config\systemprofile\application data\microsoft\profile.dat (Malware.Trace) -> Quarantined and deleted successfully.
Step 5. Updated Java
installed newer version of java, it did not give me a box with toolbar options
d/l-ed javara and removed old version of java, i saved the log file in case it needs to be seen.
i reran the ccleaner
Step 6. Hijack This, i already had hijack this on my computer.....i did not understand renaming it sniper.....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:35 PM, on 3/5/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Tia\LOCALS~1\Temp\clclean.0001
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\ArGo Software Design\FTP Server\ftpsrvnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061211
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061211
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168029457701
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files\WildTangent Games\App\GamesAppService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ArGoSoft FTP Server (msFTPServerForm) - ArGo Software Design - c:\Program Files\ArGo Software Design\FTP Server\ftpsrvnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
--
End of file - 7524 bytes
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
******************************************************
Download DDS from HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
****************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
-
Thank you SuperDave!
Here are the DDS scan results:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tia at 14:24:50.93 on Sun 03/06/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.373 [GMT -5:00]
.
AV: Sunbelt VIPRE *Enabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Tia\LOCALS~1\Temp\clclean.0001
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\ArGo Software Design\FTP Server\ftpsrvnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tia\My Documents\ads\your advertising WHAT\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061211
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [PE2CKFNT SE] c:\program files\ulead systems\ulead photo express 2 se\ChkFont.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168029457701
DPF: {7681D853-E78E-437D-ADEC-783E7938EE82} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-95B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DCBD975B-306A-48AD-8EB7-8D799067DFA9} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F43F321C-BB43-4E33-BF97-9469F4A6E976} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tia\applic~1\mozilla\firefox\profiles\z8504by0.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\1\NP_wtapp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C4D5B765-355A-4F33-8352-0D2BB7B421B3} - c:\documents and settings\tia\local settings\application data\{C4D5B765-355A-4F33-8352-0D2BB7B421B3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-8-27 21464]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-8-13 331992]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-8-26 212568]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-7-14 13824]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 msFTPServerForm;ArGoSoft FTP Server;c:\program files\argo software design\ftp server\ftpsrvnt.exe [2007-1-6 1206784]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-8-27 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-7-14 13696]
R3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2007-2-26 15104]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-8-13 68696]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-8-26 94040]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-16 24652]
.
=============== Created Last 30 ================
.
2011-03-05 21:14:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-05 21:14:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-05 21:14:50 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-05 18:38:39 -------- d-----w- c:\docume~1\tia\applic~1\SUPERAntiSpyware.com
2011-03-05 18:38:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-05 18:38:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-04 22:47:38 65536 ----a-r- c:\docume~1\tia\applic~1\microsoft\installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-04 22:47:38 65536 ----a-r- c:\docume~1\tia\applic~1\microsoft\installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-04 22:47:38 65536 ----a-r- c:\docume~1\tia\applic~1\microsoft\installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-03-04 22:47:37 -------- d-----w- c:\program files\Sophos
2011-03-03 16:55:58 -------- d-----w- C:\VIPRERESCUE
2011-03-02 21:13:14 -------- d-----w- c:\docume~1\tia\locals~1\applic~1\PCHealth
2011-03-02 14:14:35 -------- d-----w- C:\spoolerlogs
2011-02-15 15:49:43 -------- d-----w- C:\Alice in Chains Discography
2011-02-15 15:47:18 -------- d-----w- C:\Alice in Chains
2011-02-10 03:33:27 -------- d-----w- C:\3D Sound - Holophonic Music & Sound Effects
2011-02-10 01:37:11 -------- d-----w- C:\Ektomorf_-_What_Dosent_Kill_Me-Limited_Edition-2009-FKK
2011-02-06 16:53:50 -------- d-----w- C:\Ektomorf
2011-02-06 16:52:20 -------- d-----w- C:\Ektomorf - Redemption (2010) [mp3@vbr] [Groove-Thrash Metal]
.
==================== Find3M ====================
.
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ------w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ------w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ------w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2009-03-01 23:12:32 45861104 ----a-w- c:\program files\boggle-setup.exe
2009-02-28 22:16:16 27375624 ----a-w- c:\program files\yahoo_bogglenew_tm5-3.exe
2009-01-16 01:50:05 8981504 ----a-w- c:\program files\winamp5541_full_emusic-7plus_en-us.exe
2008-12-27 22:02:26 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe
2008-12-27 21:30:54 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-12-27 18:06:33 3165824 ----a-w- c:\program files\ccsetup215.exe
2008-12-27 18:03:05 2539400 ----a-w- c:\program files\mbam-setup.exe
2008-12-27 17:14:27 1311784 ----a-w- c:\program files\WindowsXP-KB938464-x86-ENU.exe
2008-12-27 17:13:36 532520 ----a-w- c:\program files\WindowsXP-KB952954-x86-ENU.exe
2008-12-27 17:12:44 648560 ----a-w- c:\program files\WindowsXP-KB958644-x86-ENU.exe
2008-12-27 16:09:40 605224 ----a-w- c:\program files\WindowsXP-KB951376-v2-x86-ENU.exe
2008-12-27 16:09:16 7771584 ----a-w- c:\program files\windows-kb890830-v2.5.exe
2008-12-26 22:37:15 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-12-25 17:09:04 73313504 ----a-w- c:\program files\VIPRE.exe
2008-03-23 14:35:46 390235 ----a-w- c:\program files\GoogleVideoUploaderInstaller.exe
2008-03-18 23:42:14 1491843 ----a-w- c:\program files\RADTools.exe
2008-01-26 02:35:16 219952 ----a-w- c:\program files\utorrent.exe
2007-09-27 13:45:04 2720039 ----a-w- c:\program files\txpeng503.exe
2007-09-18 02:44:37 20765656 ----a-w- c:\program files\setupUS.exe
2007-07-25 19:36:36 4526458 ----a-w- c:\program files\WinAVI_Video_Converter.exe
2007-02-23 18:03:47 8107600 ----a-w- c:\program files\R127097.EXE
2007-02-22 19:03:33 13872152 ----a-w- c:\program files\polarbowler-setup.exe
2007-02-21 19:23:32 14705768 ----a-w- c:\program files\DivXInstaller.exe
2007-02-21 19:22:36 1681752 ----a-w- c:\program files\DivXWebPlayerInstaller.exe
2007-01-27 19:10:55 407680 ----a-w- c:\program files\Install_AIM.exe
2007-01-08 14:45:05 4267744 ----a-w- c:\program files\mw9791enu.exe
2007-01-08 14:41:53 155648 ----a-w- c:\program files\mwadvanced_enu.exe
2007-01-08 13:22:05 41116951 ----a-w- c:\program files\setpoint310.exe
2007-01-07 12:08:09 13046467 ----a-w- c:\program files\WSFTP_ProT128_Install.exe
2007-01-05 21:27:06 9453630 ----a-w- c:\program files\vlc-0.8.6a-win32.exe
2007-01-05 20:47:05 6653000 ----a-w- c:\program files\winamp532_full_emusic-7plus.exe
2007-01-05 20:19:49 181752 ----a-w- c:\program files\yinst_current.exe
2006-12-12 19:19:50 1005104 ----a-w- c:\program files\aolsetup.exe
2003-08-27 19:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
2000-09-18 23:09:58 2487727 ----a-w- c:\program files\Iridescence.exe
.
============= FINISH: 14:25:16.20 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\Harddisk0\DP(2)0x2738a00-0x241514b200+2
Install Date: 12/15/2006 3:55:00 PM
System Uptime: 3/6/2011 11:18:58 AM (3 hours ago)
.
Motherboard: Dell Inc | | 0CT103
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket M2 | 2004/1000mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 8.084 GiB free.
D: is CDROM ()
E: is FIXED (FAT) - 0 GiB total, 0.03 GiB free.
F: is FIXED (FAT32) - 5 GiB total, 0.529 GiB free.
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Advanced Decoder Patch
AOLIcon
ArGoSoft FTP Server
AutoUpdate
Bejeweled 2 Deluxe 1.0
Bejeweled 3
Broadcom Management Programs
CCleaner
Chuzzle Deluxe 1.0
Cisco Systems VPN Client 5.0.04.0300
Conexant D850 56K V.9x DFVc Modem
Corel Snapfire Plus
Coupon Printer for Windows
Creative Audio Pack
Creative MediaSource 5
Cypress USB Mass Storage Driver Installation
Dell CinePlayer
Dell Network Assistant
Dell Resource CD
Dell System Restore
Digital Content Portal
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Documentation & Support Launcher
EarthLink Setup Files
EducateU
EPSON Printer Software
ESPNMotion
FlipShare
Games, Music, & Photos Launcher
GemMaster Mystic
Get High Speed Internet!
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 24
JEOPARDY! Deluxe (remove only)
KBD
Learn2 Player (Uninstall Only)
ljArchive
Logitech MouseWare 9.79
Logitech Resource Center
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
Modem Diagnostic Tool
Monopoly (remove only)
Mozilla Firefox (3.6.15)
MS Access 97 SP2
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MUSTEK 1200 UB v2.1
NetWaiting
NVIDIA Drivers
Octoshape add-in for Adobe Flash Player
Otto
QuickTime
RealPlayer Basic
SCRABBLE
SearchAssist
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SigmaTel Audio
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Sophos confic-a Cleanup Tool
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
SUPERAntiSpyware
SureThing Express Labeler
TextPad 5
Ulead Photo Express 2.0 SE
Ultimate Mahjongg
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Update Installer for WildTangent Games App
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
USB Storage Adapter FX (SM1)
V4100 Digital Camera Driver
VideoLAN VLC media player 0.8.6a
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VIPRE Antivirus Premium
WebEx Support Manager for Internet Explorer
WebFldrs XP
Wheel of Fortune Deluxe (remove only)
WildTangent Games
WildTangent Games App
WildTangent Web Driver
Winamp
WinAVI Video Converter
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Yahoo! Install Manager
.
==== Event Viewer Messages From Past Week ========
.
3/5/2011 4:13:58 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/4/2011 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
3/4/2011 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
3/4/2011 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
3/4/2011 6:00:00 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
3/4/2011 5:15:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/4/2011 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
3/4/2011 5:00:00 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
3/4/2011 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
3/4/2011 4:00:00 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
3/4/2011 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
3/4/2011 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
3/4/2011 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
3/4/2011 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
3/4/2011 12:12:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
3/4/2011 12:06:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
3/4/2011 1:00:00 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
3/4/2011 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
3/3/2011 9:10:15 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer TIA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{26858158-EFCC-48F3-B0. The master browser is stopping or an election is being forced.
3/3/2011 12:12:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT nvatabus nvraid RasAcd Rdbss sbaphd SbFw SbTis Tcpip
3/3/2011 12:12:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2011 12:12:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2011 12:12:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2011 12:12:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2011 12:11:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/3/2011 12:11:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/2/2011 9:14:57 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/2/2011 9:14:57 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
3/1/2011 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
3/1/2011 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
3/1/2011 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
3/1/2011 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
3/1/2011 8:28:43 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvatabus nvraid
3/1/2011 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
3/1/2011 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
3/1/2011 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
3/1/2011 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
3/1/2011 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
3/1/2011 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
3/1/2011 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
3/1/2011 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
3/1/2011 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
3/1/2011 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
3/1/2011 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
3/1/2011 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
3/1/2011 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
3/1/2011 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
3/1/2011 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
3/1/2011 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
3/1/2011 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
3/1/2011 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
3/1/2011 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
3/1/2011 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
3/1/2011 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
3/1/2011 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
2/28/2011 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
2/28/2011 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
2/28/2011 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
2/28/2011 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
.
==== End Of File ===========================
here is the log from the SecurityCheck
Results of screen317's Security Check version 0.99.9
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
VIPRE Antivirus Premium
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 24
Adobe Flash Player 10.1.85.3
Adobe Reader 8.1.0
Adobe Reader 9.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````
-
Wow! That was quick.
You have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
More information:
* ViewMgr.exe - Useless (http://www.greatis.com/appdata/u/v/viewmgr.exe.htm)
* Viewpoint to Plunge Into Adware (http://www.clickz.com/news/article.php/3561546/)
It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.
* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
* Viewpoint Experience Technology
****************************************
Please read here for more information about WildTangent (http://it.toolbox.com/blogs/enterprise-solutions/question-of-the-week-is-wildtanget-actually-spyware-6472). Your choice if you want to remove it or not.
If you choose to follow my advice, please follow these instructions.
Go to Start > Control Panel > Add/Remove Programs and remove the following programs.
•WildTangent Web Driveror anything related to WildTangent.
*********************************************************
The log shows that you only have 8 Gb of free space on your C drive. Ideally, for Windows to operate correctly you need 15% of more or 21 Gb of free space. You will have to find some way of freeing up some space otherwise, your computer will start crashing and doing other wierd things. You can do this by removing programs that you no longer use, transferring pictures, videos, music and personal files to DVD's or an external harddrive.Please try to do this before running anymore scans.
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
****************************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
and save it to your Desktop.
If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
There was only 2 viewpoints in add/remove programs, which I deleted.
I deleted the all Wild Tangent Items in add/remove programs. I am going to follow your advice to the letter as I want my problem resolved.
I deleted the old Adobe Readers and installed the new one, which also installed some McAfee Security Scan.
I deleted files on my computer that I have backed up to an external drive and I have 21.4GB free now on my hard drive. If I need more space needed I can delete more.
I turned off Vipre and d/l-ed and ran combofix, it restarted my computer and reran and here is the log it gave me.
ComboFix 11-03-05.02 - Tia 03/06/2011 15:30:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.619 [GMT -5:00]
Running from: c:\documents and settings\Tia\My Documents\ads\your advertising WHAT\ComboFix.exe
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Data
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-06 20:30 . 2011-03-06 20:30 -------- d-----w- c:\windows\LastGood
2011-03-06 20:05 . 2011-03-06 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-06 20:05 . 2011-03-06 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-03-06 20:05 . 2011-03-06 20:05 -------- d-----w- c:\program files\McAfee Security Scan
2011-03-05 21:14 . 2011-03-05 21:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-05 21:14 . 2011-03-05 21:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-05 21:14 . 2011-03-05 21:14 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-05 18:38 . 2011-03-05 18:38 -------- d-----w- c:\documents and settings\Tia\Application Data\SUPERAntiSpyware.com
2011-03-05 18:38 . 2011-03-05 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-05 18:38 . 2011-03-05 18:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-04 22:47 . 2011-03-04 22:47 65536 ----a-r- c:\documents and settings\Tia\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-04 22:47 . 2011-03-04 22:47 65536 ----a-r- c:\documents and settings\Tia\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2011-03-04 22:47 . 2011-03-04 22:47 65536 ----a-r- c:\documents and settings\Tia\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2011-03-04 22:47 . 2011-03-04 22:47 -------- d-----w- c:\program files\Sophos
2011-03-03 17:11 . 2011-03-03 17:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-03 16:55 . 2011-03-03 22:03 -------- d-----w- C:\VIPRERESCUE
2011-03-02 21:13 . 2011-03-02 21:13 -------- d-----w- c:\documents and settings\Tia\Local Settings\Application Data\PCHealth
2011-03-02 14:14 . 2011-03-02 14:14 -------- d-----w- C:\spoolerlogs
2011-03-01 00:11 . 2011-03-01 00:11 110080 ------w- c:\documents and settings\Tia\Application Data\Ebxixm.exe
2011-02-15 15:49 . 2011-02-15 15:50 -------- d-----w- C:\Alice in Chains Discography
2011-02-15 15:47 . 2011-02-15 16:27 -------- d-----w- C:\Alice in Chains
2011-02-10 03:33 . 2011-02-10 03:55 -------- d-----w- C:\3D Sound - Holophonic Music & Sound Effects
2011-02-06 16:53 . 2011-02-06 17:24 -------- d-----w- C:\Ektomorf
2011-02-06 16:52 . 2011-02-14 22:16 -------- d-----w- C:\Ektomorf - Redemption (2010) [mp3@vbr] [Groove-Thrash Metal]
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2005-08-16 10:18 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 10:18 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2008-12-27 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-12-27 18:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 22:15 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2005-08-16 10:18 61952 ------w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2005-08-16 10:18 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2005-08-16 10:18 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2005-08-16 10:18 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2005-08-16 10:18 718336 ------w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-08-16 10:18 33280 ------w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2005-08-16 10:18 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 04:59 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2009-03-01 23:12 . 2009-03-01 23:11 45861104 ----a-w- c:\program files\boggle-setup.exe
2009-02-28 22:16 . 2009-02-28 21:10 27375624 ----a-w- c:\program files\yahoo_bogglenew_tm5-3.exe
2009-01-16 01:50 . 2009-01-16 01:48 8981504 ----a-w- c:\program files\winamp5541_full_emusic-7plus_en-us.exe
2008-12-27 22:02 . 2008-12-26 21:36 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe
2008-12-27 21:30 . 2008-12-27 21:30 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-12-27 18:06 . 2008-12-27 18:06 3165824 ----a-w- c:\program files\ccsetup215.exe
2008-12-27 18:03 . 2008-12-27 18:03 2539400 ----a-w- c:\program files\mbam-setup.exe
2008-12-27 17:14 . 2008-12-27 17:14 1311784 ----a-w- c:\program files\WindowsXP-KB938464-x86-ENU.exe
2008-12-27 17:13 . 2008-12-27 17:13 532520 ----a-w- c:\program files\WindowsXP-KB952954-x86-ENU.exe
2008-12-27 17:12 . 2008-12-27 17:12 648560 ----a-w- c:\program files\WindowsXP-KB958644-x86-ENU.exe
2008-12-27 16:09 . 2008-12-27 16:08 605224 ----a-w- c:\program files\WindowsXP-KB951376-v2-x86-ENU.exe
2008-12-27 16:09 . 2008-12-27 16:09 7771584 ----a-w- c:\program files\windows-kb890830-v2.5.exe
2008-12-26 22:37 . 2008-12-26 22:34 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-12-25 17:09 . 2008-12-25 17:07 73313504 ----a-w- c:\program files\VIPRE.exe
2008-03-23 14:35 . 2008-03-23 14:35 390235 ----a-w- c:\program files\GoogleVideoUploaderInstaller.exe
2008-03-18 23:42 . 2007-02-21 19:24 1491843 ----a-w- c:\program files\RADTools.exe
2008-01-26 02:35 . 2007-02-12 17:56 219952 ----a-w- c:\program files\utorrent.exe
2007-09-27 13:45 . 2007-09-27 13:44 2720039 ----a-w- c:\program files\txpeng503.exe
2007-09-18 02:44 . 2007-09-18 02:44 20765656 ----a-w- c:\program files\setupUS.exe
2007-07-25 19:36 . 2007-07-25 19:36 4526458 ----a-w- c:\program files\WinAVI_Video_Converter.exe
2007-02-23 18:03 . 2007-02-23 18:03 8107600 ----a-w- c:\program files\R127097.EXE
2007-02-22 19:03 . 2007-01-25 15:28 13872152 ----a-w- c:\program files\polarbowler-setup.exe
2007-02-21 19:23 . 2007-01-05 21:46 14705768 ----a-w- c:\program files\DivXInstaller.exe
2007-02-21 19:22 . 2007-02-21 19:22 1681752 ----a-w- c:\program files\DivXWebPlayerInstaller.exe
2007-01-27 19:10 . 2007-01-27 19:10 407680 ----a-w- c:\program files\Install_AIM.exe
2007-01-08 14:45 . 2007-01-08 13:20 4267744 ----a-w- c:\program files\mw9791enu.exe
2007-01-08 14:41 . 2007-01-08 14:41 155648 ----a-w- c:\program files\mwadvanced_enu.exe
2007-01-08 13:22 . 2007-01-08 13:20 41116951 ----a-w- c:\program files\setpoint310.exe
2007-01-07 12:08 . 2007-01-07 12:08 13046467 ----a-w- c:\program files\WSFTP_ProT128_Install.exe
2007-01-05 21:27 . 2007-01-05 21:27 9453630 ----a-w- c:\program files\vlc-0.8.6a-win32.exe
2007-01-05 20:47 . 2007-01-05 20:46 6653000 ----a-w- c:\program files\winamp532_full_emusic-7plus.exe
2007-01-05 20:19 . 2007-01-05 20:19 181752 ----a-w- c:\program files\yinst_current.exe
2006-12-12 19:19 . 2006-12-12 19:19 1005104 ----a-w- c:\program files\aolsetup.exe
2003-08-27 19:19 . 2007-01-19 21:15 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2000-09-18 23:09 . 2000-09-18 23:09 2487727 ----a-w- c:\program files\Iridescence.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"Ebxixm"="c:\documents and settings\Tia\Application Data\Ebxixm.exe" [2011-03-01 110080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"PE2CKFNT SE"="c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-16 1355468]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-2-12 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\utorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:*:Disabled:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:*:Disabled:SingleClick ICC
"21:TCP"= 21:TCP:FTP
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [8/27/2010 9:39 AM 21464]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [8/13/2010 3:54 PM 331992]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [8/26/2010 11:23 AM 212568]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 2:01 AM 13824]
R2 msFTPServerForm;ArGoSoft FTP Server;c:\program files\ArGo Software Design\FTP Server\ftpsrvnt.exe [1/6/2007 3:14 PM 1206784]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [8/20/2010 9:16 AM 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [8/27/2010 9:39 AM 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [8/20/2010 9:15 AM 181584]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 2:02 AM 13696]
R3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2/26/2007 10:54 AM 15104]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [8/13/2010 3:54 PM 68696]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [8/26/2010 11:23 AM 94040]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/13/2010 7:56 AM 98392]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Tia\Application Data\Mozilla\Firefox\Profiles\z8504by0.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C4D5B765-355A-4F33-8352-0D2BB7B421B3} - c:\documents and settings\Tia\Local Settings\Application Data\{C4D5B765-355A-4F33-8352-0D2BB7B421B3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
Notify-WgaLogon - (no file)
AddRemove-WT070215 - c:\program files\WildGames\SpongeBob SquarePants Krabby Quest\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Tia\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05AC2CA4-9D93-32D8-AE673619A46BB764}\{B5C3A2C7-0F69-BCDD-BACA5675DFFD204D}\{69E387FB-63DC-7F36-9B03233CFCE1F807}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D96284CB-92E6-3E1E-196BB0273B005327}\{BCF0CDFC-4A0B-26E5-259182A4D665E8F2}\{6E248836-421D-F84C-CF6B8AC08EBF0D43}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1308)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-03-06 15:41:06
ComboFix-quarantined-files.txt 2011-03-06 20:41
.
Pre-Run: 22,979,936,256 bytes free
Post-Run: 22,996,680,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - CA57D90CADC1B17AD5644FBA00B9132D
-
I might have messed things up...after i ran the combofix i tried to go to sunbelt's site and I COULD!! YEAH!! i even tried going to nortons and yes! SUCCESS!
but...
i just got a notice from Windows that there was an update and i, without thinking, downloaded it, and it required I restart my computer, so I did. After i restarted my computer, i can no longer go to sunbelt's website. So I did mess things up and I apologize. I should have thought twice before downloading and updating the windows security update, but it's just automatic for me to do that and especially with all the issues i've had.
Should I rerun the combofix? Sorry again, I will NOT restart my computer no matter WHAT, unless combofix restarts it.
-
I deleted the old Adobe Readers and installed the new one, which also installed some McAfee Security Scan.
You can get rid of the McAfee Security Scan, if you wish. Not needed.
I deleted files on my computer that I have backed up to an external drive and I have 21.4GB free now on my hard drive. If I need more space needed I can delete more.
Good work. You'll need to keep an eye on this so that it doesn't drop below 15%
Why do you have this: c:\program files\Sophos? Sophos is another AV program
P2P - I see you have P2P software installed on your machine (utorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
********************************************
So I did mess things up and I apologize. I should have thought twice before downloading and updating the windows security update, but it's just automatic for me to do that and especially with all the issues i've had.
Apologies are not necessary. What browser are you using? Can you access any other sites?
Please download TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick TDSSKiller.exe to run the tool
- Click the Start Scan button (If prompted with a "hidden service warning" do go ahead and delete it.)
- After the scan has finished, click the Close button
- Click the Report button and copy/paste the contents of it into your next reply
- Note:It will also create a log in the C:\ directory.
-
I went into add/remove programs and did remove the McAfee. I also removed the Sophos, I just added that to run a scan for a friend who was trying to help me before I came here and forgot to delete it: different programs give different scans. I could not find utorrent in add/remove programs, so I deleted it from the program files folder---I am unsure if that will fully delete the program or not; but believe me, I want to avoid situations like this in the future! If there is another way or something else I have to do to fully remove utorrent from my computer, please let me know and I will take those steps.
I am using the latest version of Firefox. I had to save the TDSSKiller onto a SD card on my laptop and then put it on my desktop as I could not access that website on my desktop via Firefox or IE, no matter the browser I cannot access any AV sites (Though I could for a short bit after I ran combofix yesterday before the Windows update restarted my computer!)
Here is the log file for the TDSSKiller:
2011/03/07 15:30:02.0875 3032 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/07 15:30:02.0921 3032 ================================================================================
2011/03/07 15:30:02.0921 3032 SystemInfo:
2011/03/07 15:30:02.0921 3032
2011/03/07 15:30:02.0921 3032 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/07 15:30:02.0921 3032 Product type: Workstation
2011/03/07 15:30:02.0921 3032 ComputerName: NEWTOY
2011/03/07 15:30:02.0921 3032 UserName: Tia
2011/03/07 15:30:02.0921 3032 Windows directory: C:\WINDOWS
2011/03/07 15:30:02.0921 3032 System windows directory: C:\WINDOWS
2011/03/07 15:30:02.0921 3032 Processor architecture: Intel x86
2011/03/07 15:30:02.0921 3032 Number of processors: 2
2011/03/07 15:30:02.0921 3032 Page size: 0x1000
2011/03/07 15:30:02.0921 3032 Boot type: Normal boot
2011/03/07 15:30:02.0921 3032 ================================================================================
2011/03/07 15:30:03.0234 3032 Initialize success
2011/03/07 15:30:06.0546 0428 ================================================================================
2011/03/07 15:30:06.0546 0428 Scan started
2011/03/07 15:30:06.0546 0428 Mode: Manual;
2011/03/07 15:30:06.0546 0428 ================================================================================
2011/03/07 15:30:10.0437 0428 ================================================================================
2011/03/07 15:30:10.0437 0428 Scan finished
2011/03/07 15:30:10.0437 0428 ================================================================================
-
Please try running another ComboFix scan and then see if you access those sites.
-
YES! SUCCESS!! I can now access those sites!!! Here is the Combofix log if you needed it. I am NOT going to restart my computer or turn it off, as I know last time that then put things back to how they were---to where I couldn't access those sites and I don't want that to happen again!! I am turning in soon, and will just disconnect my computer from the internet overnight but will keep it on, as it seems i have to do something else before restarting for the changes to take effect.
I have a vipre update to d/l but i am unsure if it requires a computer reboot or not and i don't want to risk that. the update popped up this evening when i was unable to access their site, now that i can, i still want to wait in case it requires a reboot.
ComboFix 11-03-07.04 - Tia 03/07/2011 22:51:19.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.620 [GMT -5:00]
Running from: c:\documents and settings\Tia\My Documents\ads\your advertising WHAT\ComboFix.exe
AV: Sunbelt VIPRE *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-06 20:05 . 2011-03-06 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-05 21:14 . 2011-03-05 21:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-05 21:14 . 2011-03-05 21:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-05 21:14 . 2011-03-05 21:14 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-05 18:38 . 2011-03-05 18:38 -------- d-----w- c:\documents and settings\Tia\Application Data\SUPERAntiSpyware.com
2011-03-05 18:38 . 2011-03-05 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-05 18:38 . 2011-03-05 18:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-03 17:11 . 2011-03-03 17:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-03 16:55 . 2011-03-03 22:03 -------- d-----w- C:\VIPRERESCUE
2011-03-02 21:13 . 2011-03-02 21:13 -------- d-----w- c:\documents and settings\Tia\Local Settings\Application Data\PCHealth
2011-03-02 14:14 . 2011-03-02 14:14 -------- d-----w- C:\spoolerlogs
2011-03-01 00:11 . 2011-03-01 00:11 110080 ------w- c:\documents and settings\Tia\Application Data\Ebxixm.exe
2011-02-15 15:49 . 2011-02-15 15:50 -------- d-----w- C:\Alice in Chains Discography
2011-02-15 15:47 . 2011-02-15 16:27 -------- d-----w- C:\Alice in Chains
2011-02-10 03:33 . 2011-02-10 03:55 -------- d-----w- C:\3D Sound - Holophonic Music & Sound Effects
2011-02-06 16:53 . 2011-02-06 17:24 -------- d-----w- C:\Ektomorf
2011-02-06 16:52 . 2011-02-14 22:16 -------- d-----w- C:\Ektomorf - Redemption (2010) [mp3@vbr] [Groove-Thrash Metal]
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2005-08-16 10:18 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 10:18 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2008-12-27 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2008-12-27 18:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 22:15 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2005-08-16 10:18 61952 ------w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2005-08-16 10:18 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2005-08-16 10:18 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2005-08-16 10:18 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2005-08-16 10:18 718336 ------w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-08-16 10:18 33280 ------w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2005-08-16 10:18 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 04:59 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2009-03-01 23:12 . 2009-03-01 23:11 45861104 ----a-w- c:\program files\boggle-setup.exe
2009-02-28 22:16 . 2009-02-28 21:10 27375624 ----a-w- c:\program files\yahoo_bogglenew_tm5-3.exe
2009-01-16 01:50 . 2009-01-16 01:48 8981504 ----a-w- c:\program files\winamp5541_full_emusic-7plus_en-us.exe
2008-12-27 22:02 . 2008-12-26 21:36 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe
2008-12-27 21:30 . 2008-12-27 21:30 15452536 ----a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-12-27 18:06 . 2008-12-27 18:06 3165824 ----a-w- c:\program files\ccsetup215.exe
2008-12-27 18:03 . 2008-12-27 18:03 2539400 ----a-w- c:\program files\mbam-setup.exe
2008-12-27 17:14 . 2008-12-27 17:14 1311784 ----a-w- c:\program files\WindowsXP-KB938464-x86-ENU.exe
2008-12-27 17:13 . 2008-12-27 17:13 532520 ----a-w- c:\program files\WindowsXP-KB952954-x86-ENU.exe
2008-12-27 17:12 . 2008-12-27 17:12 648560 ----a-w- c:\program files\WindowsXP-KB958644-x86-ENU.exe
2008-12-27 16:09 . 2008-12-27 16:08 605224 ----a-w- c:\program files\WindowsXP-KB951376-v2-x86-ENU.exe
2008-12-27 16:09 . 2008-12-27 16:09 7771584 ----a-w- c:\program files\windows-kb890830-v2.5.exe
2008-12-26 22:37 . 2008-12-26 22:34 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-12-25 17:09 . 2008-12-25 17:07 73313504 ----a-w- c:\program files\VIPRE.exe
2008-03-23 14:35 . 2008-03-23 14:35 390235 ----a-w- c:\program files\GoogleVideoUploaderInstaller.exe
2008-03-18 23:42 . 2007-02-21 19:24 1491843 ----a-w- c:\program files\RADTools.exe
2007-09-27 13:45 . 2007-09-27 13:44 2720039 ----a-w- c:\program files\txpeng503.exe
2007-09-18 02:44 . 2007-09-18 02:44 20765656 ----a-w- c:\program files\setupUS.exe
2007-07-25 19:36 . 2007-07-25 19:36 4526458 ----a-w- c:\program files\WinAVI_Video_Converter.exe
2007-02-23 18:03 . 2007-02-23 18:03 8107600 ----a-w- c:\program files\R127097.EXE
2007-02-22 19:03 . 2007-01-25 15:28 13872152 ----a-w- c:\program files\polarbowler-setup.exe
2007-02-21 19:23 . 2007-01-05 21:46 14705768 ----a-w- c:\program files\DivXInstaller.exe
2007-02-21 19:22 . 2007-02-21 19:22 1681752 ----a-w- c:\program files\DivXWebPlayerInstaller.exe
2007-01-27 19:10 . 2007-01-27 19:10 407680 ----a-w- c:\program files\Install_AIM.exe
2007-01-08 14:45 . 2007-01-08 13:20 4267744 ----a-w- c:\program files\mw9791enu.exe
2007-01-08 14:41 . 2007-01-08 14:41 155648 ----a-w- c:\program files\mwadvanced_enu.exe
2007-01-08 13:22 . 2007-01-08 13:20 41116951 ----a-w- c:\program files\setpoint310.exe
2007-01-07 12:08 . 2007-01-07 12:08 13046467 ----a-w- c:\program files\WSFTP_ProT128_Install.exe
2007-01-05 21:27 . 2007-01-05 21:27 9453630 ----a-w- c:\program files\vlc-0.8.6a-win32.exe
2007-01-05 20:47 . 2007-01-05 20:46 6653000 ----a-w- c:\program files\winamp532_full_emusic-7plus.exe
2007-01-05 20:19 . 2007-01-05 20:19 181752 ----a-w- c:\program files\yinst_current.exe
2006-12-12 19:19 . 2006-12-12 19:19 1005104 ----a-w- c:\program files\aolsetup.exe
2003-08-27 19:19 . 2007-01-19 21:15 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2000-09-18 23:09 . 2000-09-18 23:09 2487727 ----a-w- c:\program files\Iridescence.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-06_20.39.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-08 03:49 . 2011-03-08 03:49 16384 c:\windows\Temp\Perflib_Perfdata_250.dat
- 2010-12-06 16:44 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2010-12-06 16:44 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2005-08-16 10:18 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
- 2005-08-16 10:18 . 2008-04-14 00:12 135168 c:\windows\system32\shsvcs.dll
+ 2009-07-27 23:17 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"Ebxixm"="c:\documents and settings\Tia\Application Data\Ebxixm.exe" [2011-03-01 110080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"PE2CKFNT SE"="c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-16 1355468]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-2-12 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:*:Disabled:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:*:Disabled:SingleClick ICC
"21:TCP"= 21:TCP:FTP
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [8/27/2010 9:39 AM 21464]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [8/13/2010 3:54 PM 331992]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [8/26/2010 11:23 AM 212568]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 2:01 AM 13824]
R2 msFTPServerForm;ArGoSoft FTP Server;c:\program files\ArGo Software Design\FTP Server\ftpsrvnt.exe [1/6/2007 3:14 PM 1206784]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [8/20/2010 9:16 AM 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [8/27/2010 9:39 AM 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [8/20/2010 9:15 AM 181584]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 2:02 AM 13696]
R3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2/26/2007 10:54 AM 15104]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [8/13/2010 3:54 PM 68696]
S3 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [8/26/2010 11:23 AM 94040]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/13/2010 7:56 AM 98392]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Tia\Application Data\Mozilla\Firefox\Profiles\z8504by0.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C4D5B765-355A-4F33-8352-0D2BB7B421B3} - c:\documents and settings\Tia\Local Settings\Application Data\{C4D5B765-355A-4F33-8352-0D2BB7B421B3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05AC2CA4-9D93-32D8-AE673619A46BB764}\{B5C3A2C7-0F69-BCDD-BACA5675DFFD204D}\{69E387FB-63DC-7F36-9B03233CFCE1F807}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D96284CB-92E6-3E1E-196BB0273B005327}\{BCF0CDFC-4A0B-26E5-259182A4D665E8F2}\{6E248836-421D-F84C-CF6B8AC08EBF0D43}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1304)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-03-07 23:02:00
ComboFix-quarantined-files.txt 2011-03-08 04:01
ComboFix2.txt 2011-03-07 12:17
ComboFix3.txt 2011-03-06 23:18
ComboFix4.txt 2011-03-06 20:41
.
Pre-Run: 22,792,761,344 bytes free
Post-Run: 22,777,327,616 bytes free
.
- - End Of File - - 3D29138AEFBD3BC1D413CB8201839DEF
-
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
-
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F37C4000
Module End: F37DC000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79E1000
Module End: F79E3000
Hidden: Yes
Module Name: \??\C:\DOCUME~1\Tia\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: F781F000
Module End: F7827000
Hidden: Yes
Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F7A31000
Module End: F7A33000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F79474D0
Driver Base: F7947000
Driver End: F794B000
Driver Name: \SystemRoot\system32\drivers\sbaphd.sys
Function Name: ZwSetValueKey
Address: F7947520
Driver Base: F7947000
Driver End: F794B000
Driver Name: \SystemRoot\system32\drivers\sbaphd.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
-
AVENGER
- Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
- Unzip/extract it to a folder on your desktop.
- Double click on avenger.exe to run The Avenger.
- Click OK.
- Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
- Click the Execute button.
- You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
- Click Yes.
- You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
- Click Yes.
- Your PC will now be rebooted.
- After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
- Please post this log, along with a new HijackThis log in your next reply.
-
I did as instructed, logs posted below. I had not rebooted my computer in days and had been able to go to sunbelt and other AV websites after I reran the combofix the other day. I cannot go to any AV websites now again. I just tried. I get the 'problem loading page' error as I had been before.
Also when the computer reboot I got this error box, I don't have screen capture but this is exactly what it said:
Exception Processing Message
c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6f7c
I had the option to 'cancel' 'try again' 'continue', i tried to X out of the box and it wouldn't let me, i was unsure what to do, so i hit cancel. I hope that was the right option. I have never gotten an error like that before.
Here are the logs:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:10 PM, on 3/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\DOCUME~1\Tia\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\ArGo Software Design\FTP Server\ftpsrvnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3061211
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168029457701
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ArGoSoft FTP Server (msFTPServerForm) - ArGo Software Design - c:\Program Files\ArGo Software Design\FTP Server\ftpsrvnt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
--
End of file - 7108 bytes
-
I don't have screen capture but this is exactly what it said:
How to post screenshots or images (http://www.computerhope.com/forum/index.php/topic,61232.0.html)
I had the option to 'cancel' 'try again' 'continue', i tried to X out of the box and it wouldn't let me, i was unsure what to do, so i hit cancel. I hope that was the right option. I have never gotten an error like that before.
It could be caused by a number of things. Let's hope it doesn't come back.
Let's try this:
Please navigate to Start>Run and type cmd
in the window that pops up type ipconfig /flushdns
***************************************
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Okay, i easily went to the Start>Run and did that.
I could NOT go to the ESET page on my desktop as whatever I have is obviously blocking me from that page. So I went to the ESET page from my laptop and put the .exe file on my SD card to then put it onto my desktop as I have done with other programs that I haven't been able to access from my desktop.
I cannot get ESET to run because it goes to update first and it says it can not get update is proxy configured? I do not know what to do now or how to get the ESET update from my laptop onto my desktop.
-
Ok. Let's try this one:
Run the BitDefender Online scanner (http://www.bitdefender.com/scanner/online/free.html)
Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.
Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report.
When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save.
This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
If you do not follow these step, you will have an incorrect log or worse a log summary which is useless to us.
Post the bdscan.txt file as an Attachment.
-
I cannot get to that page from my desktop. I went to it on my laptop but there was no file, that I could find, to download to put on my SD card to then transfer onto my desktop. Whatever I have is blocking me from these sites.
-
Please try this:
Please download TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick TDSSKiller.exe to run the tool
- Click the Start Scan button (If prompted with a "hidden service warning" do go ahead and delete it.)
- After the scan has finished, click the Close button
- Click the Report button and copy/paste the contents of it into your next reply
- Note:It will also create a log in the C:\ directory.