Computer Hope
Software => Computer viruses and spyware => Topic started by: Stone163 on April 16, 2009, 11:39:43 AM
-
Hello,
Over the past week, there has been a box popping up. The title of the box is: 16 bit MS-DOS Subsystem
Inside the box it reads:
C:\WINDOWS\Sysxvd.exe
C:\WINDOWS/system32/AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
Then it gives 2 options: 'Close' 'Ignore'
After hitting either one of these, I get a message about my Windows Firewall being disabled. When I go to enable it, another window appears and says that ICS has to been enabled. Once I click 'Ok', my firewall goes back to normal.
I'm pretty sure I've followed the directions as outlined in this forum. And thanks in advance for any and all help.
Here are my logs:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/16/2009 at 12:43 PM
Application Version : 4.26.1000
Core Rules Database Version : 3846
Trace Rules Database Version: 1801
Scan type : Complete Scan
Total Scan Time : 01:37:40
Memory items scanned : 450
Memory threats detected : 1
Registry items scanned : 6676
Registry threats detected : 8
File items scanned : 94100
File threats detected : 55
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-060F5E7E.pf
Adware.F1 Organizer
HKU\S-1-5-21-1214440339-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA}
Transponder Parasite Variant BHO
HKU\S-1-5-21-1214440339-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
Adware.IE Plugin Variant
HKU\S-1-5-21-1214440339-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}
Unclassified.Unknown Origin
HKU\S-1-5-21-1214440339-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ACE-6851-45C3-A7FF-C281324D5489}
Adware.Avenue Media/Internet Optimizer
HKU\S-1-5-21-1214440339-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
Trojan.FavoriteMan Variant
HKU\S-1-5-21-1214440339-838170752-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B}
Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest
Adware.Tracking Cookie
C:\Documents and Settings\Steve\Cookies\steve@adinterax[1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\steve@atwola[2].txt
C:\Documents and Settings\Steve\Cookies\steve@bannerads[1].txt
C:\Documents and Settings\Steve\Cookies\steve@centralmedia[1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\steve@empornium[2].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\steve@hypertracker[1].txt
C:\Documents and Settings\Steve\Cookies\steve@insightexpress[2].txt
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Cookies\steve@mediaplayer[1].txt
C:\Documents and Settings\Steve\Cookies\steve@metareward[1].txt
C:\Documents and Settings\Steve\Cookies\steve@nextag[1].txt
C:\Documents and Settings\Steve\Cookies\steve@oddcast[1].txt
C:\Documents and Settings\Steve\Cookies\steve@offeroptimizer[2].txt
C:\Documents and Settings\Steve\Cookies\steve@optimost[2].txt
C:\Documents and Settings\Steve\Cookies\steve@partner2profit[2].txt
C:\Documents and Settings\Steve\Cookies\steve@rightmedia[2].txt
C:\Documents and Settings\Steve\Cookies\steve@sirsearch[1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\steve@techtracker[1].txt
C:\Documents and Settings\Steve\Cookies\steve@tracking[1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Cookies\steve@windowsmedia[1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Cookies\steve@xiti[1].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@atwola[1].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@exitexchange[1].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@insightexpress[1].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@offeroptimizer[2].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][1].txt
Adware.MyWay
C:\DOCUMENTS AND SETTINGS\STEVE\LOCAL SETTINGS\TEMP\MYSETP.EXE
Trojan.Agent/Gen-Keygen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{496747ED-AC55-448F-994C-647369E29722}\RP1830\A0144845.EXE
Trace.Known Threat Sources
C:\Documents and Settings\Steve\Local Settings\Temp\Temporary Internet Files\Content.IE5\UHNS7Q0A\Twista%20-%20Kamikaze%20(2004)%20-%20Rap%20[www.torrentazos.com]%20by%20Markusss-rar[1].torrent
C:\Documents and Settings\Steve\Local Settings\Temp\Temporary Internet Files\Content.IE5\MTRZHBV8\ivw[2].htm
Malwarebytes' Anti-Malware 1.36
Database version: 1989
Windows 5.1.2600 Service Pack 3
4/16/2009 1:19:02 PM
mbam-log-2009-04-16 (13-19-02).txt
Scan type: Quick Scan
Objects scanned: 109698
Time elapsed: 8 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Steve\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Application Data\NetPumper\Steve.ini (Adware.NetPumper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steven Guiles\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steven Guiles\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steven Guiles\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:52 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Steven Guiles\Desktop\sniper.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [abkqczn] C:\WINDOWS\system32\abgoum.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239502760031
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9746 bytes
-
Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
ComboFix 09-04-17.01 - Steven Guiles 04/16/2009 16:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.231 [GMT -4:00]
Running from: c:\documents and settings\Steven Guiles\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Steven Guiles\Application Data\inst.exe
c:\documents and settings\Steven Guiles\nah_yjew.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.
2009-04-16 17:00 . 2009-04-16 17:00 -------- d-----w c:\documents and settings\Steven Guiles\Application Data\Malwarebytes
2009-04-16 17:00 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 17:00 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 16:59 . 2009-04-16 16:59 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-16 16:59 . 2009-04-16 17:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 15:01 . 2009-04-16 15:01 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-04-16 15:01 . 2009-04-16 15:01 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-16 15:01 . 2009-04-16 15:01 -------- d-----w c:\documents and settings\Steven Guiles\Application Data\SUPERAntiSpyware.com
2009-04-16 15:00 . 2009-04-16 15:00 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-16 14:51 . 2009-04-16 14:51 -------- d-----w c:\program files\CCleaner
2009-04-16 12:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 12:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 12:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 12:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 12:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 12:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 12:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 12:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 12:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 12:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 12:38 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 12:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 15:12 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-14 02:03 . 2009-04-14 02:03 4096 --sha-w C:\Thumbs.db
2009-04-14 00:10 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-14 00:09 . 2009-04-14 00:09 -------- dc-h--w c:\documents and settings\All Users.WINDOWS\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 00:08 . 2009-04-14 00:10 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-04-13 02:29 . 2009-04-13 02:29 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\vsosdk
2009-04-13 00:54 . 2009-04-13 11:20 47360 ----a-w c:\documents and settings\Steven Guiles\Application Data\pcouffin.sys
2009-04-13 00:54 . 2009-04-13 00:54 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-04-13 00:54 . 2009-04-13 11:20 -------- d-----w c:\documents and settings\Steven Guiles\Application Data\Vso
2009-04-13 00:53 . 2008-10-16 18:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-13 00:53 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-03-17 23:34 . 2009-03-17 23:34 -------- d-----w c:\program files\iPod
2009-03-17 23:34 . 2009-03-17 23:36 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 20:39 . 2005-08-18 03:22 86828 ----a-w C:\hpfr3425.log
2009-04-16 20:39 . 2004-06-07 20:08 519 ----a-w C:\hpfr3420.xml
2009-04-16 20:37 . 2007-12-18 04:19 -------- d-----w c:\program files\Mozilla Firefox 3 Beta 1
2009-04-16 17:24 . 2009-04-16 17:23 22451 ----a-w C:\JavaRa.log
2009-04-16 17:23 . 2004-03-15 08:08 -------- d-----w c:\program files\Java
2009-04-16 17:21 . 2009-04-14 19:03 1315 ----a-w C:\aaw7boot.log
2009-04-16 14:28 . 2004-07-29 05:40 -------- d-----w c:\documents and settings\Steven Guiles\Application Data\Azureus
2009-04-14 20:40 . 2007-05-28 02:58 -------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-04-14 15:22 . 2004-07-29 05:39 -------- d-----w c:\program files\Azureus
2009-04-14 00:08 . 2004-04-05 08:07 -------- d-----w c:\program files\Lavasoft
2009-04-13 23:51 . 2004-08-26 01:06 -------- d-----w c:\documents and settings\Steven Guiles\Application Data\Lavasoft
2009-04-03 23:26 . 2003-11-19 19:56 -------- d-----w c:\program files\Winamp
2009-03-17 23:36 . 2008-11-27 04:58 -------- d-----w c:\program files\iTunes
2009-03-17 23:34 . 2007-07-04 15:17 -------- d-----w c:\program files\Common Files\Apple
2009-03-17 23:25 . 2002-08-06 20:07 -------- d-----w c:\program files\QuickTime
2009-03-09 09:19 . 2008-12-06 16:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-01-08 18:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-15 23:41 . 2007-02-28 01:04 -------- d-----w c:\program files\ESET
2009-02-09 12:10 . 2001-08-18 12:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-05-31 06:29 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ------w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2001-08-18 12:00 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ------w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-01 17:35 . 2009-02-01 17:35 48583 ----a-w c:\documents and settings\Steven Guiles\Application Data\upd.exe
2008-07-31 00:51 . 2006-09-05 20:56 35296 ----a-w c:\documents and settings\Steven Guiles\Application Data\GDIPFONTCACHEV1.DAT
2007-01-23 00:56 . 2004-07-30 06:56 35296 ----a-w c:\documents and settings\Steven Guiles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-25 17:51 . 2005-09-25 17:51 774144 ----a-w c:\program files\RngInterstitial.dll
2004-07-22 05:00 . 2004-07-22 05:00 0 -c-ha-w c:\documents and settings\Steven Guiles\hpothb07.dat
2004-05-14 22:41 . 2004-05-14 22:41 151 ---ha-w c:\documents and settings\Steve\hpothb07.dat
2004-05-14 22:41 . 2004-05-14 22:41 161 ---ha-w c:\documents and settings\Owner\hpothb07.dat
2004-05-14 22:34 . 2004-05-14 22:34 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2004-03-08 03:40 . 2003-02-17 05:09 58128 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-19 02:19 . 2008-09-19 02:20 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-30 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"DeadAIM"="c:\program files\AIM95\\DeadAIM.ocm" [2003-02-24 266313]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-30 40960]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-25 1451264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
c:\documents and settings\Steven Guiles\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Steven Guiles^Start Menu^Programs^Startup^TDK Launcher.lnk]
path=c:\documents and settings\Steven Guiles\Start Menu\Programs\Startup\TDK Launcher.lnk
backup=c:\windows\pss\TDK Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
2004-02-28 16:12 144896 ----a-w c:\progra~1\AIM\\DeadAIM.ocm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2002-04-25 01:37 1544192 ----a-w c:\program files\support.com\bin\tgcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 18:16 741376 ----a-w c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"61112:TCP"= 61112:TCP:Port
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-08-18 3584]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-10-25 34824]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-25 468224]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Microsoft Works Portfolio - c:\program files\Microsoft Works\WksSb.exe
HKLM-Run-RoxioEngineUtility - c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
HKLM-Run-abkqczn - c:\windows\system32\abgoum.exe
MSConfigStartUp-Adstartup - c:\windows\System32\Adstartup.exe
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-fash - c:\windows\fash.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-npbmcwpwwdy - c:\windows\System32\abgoum.exe
MSConfigStartUp-PopUpStopperFreeEdition - c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
MSConfigStartUp-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
MSConfigStartUp-RoxioEngineUtility - c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
MSConfigStartUp-TV Media - c:\program files\TV Media\Tvm.exe
MSConfigStartUp-wcmdmgr - c:\windows\wt\updater\wcmdmgrl.exe
MSConfigStartUp-Win Server Updt - c:\windows\wupdt.exe
MSConfigStartUp-73si36X - clustat.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Steven Guiles\Application Data\Mozilla\Firefox\Profiles\default.lv3\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 16:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\ins]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(516)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-16 16:57
ComboFix-quarantined-files.txt 2009-04-16 20:56
Pre-Run: 23,280,439,296 bytes free
Post-Run: 24,582,291,456 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
263 --- E O F --- 2009-04-16 12:53
-
Download the Norton Removal Tool (SymNRT) (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039) to your Desktop.
Once downloaded please close ALL open browsers, also save any work because this may require a restart.
- Go to your desktop and double click on the removal tool and then click Setup.
- Once open Click Next
- Accept the license agreement and click Next
- Type in the letters/numbers that you see into the text box then click Next.
- Then click Next and the tool will start running.
- Once finished restart the PC.
- Delete Nortonremoval tool from your Desktop.
.
----------
Download DDS by sUBs (http://www.forospyware.com/sUBs/dds) and save it to your desktop. Alternate DDS download link (http://download.bleepingcomputer.com/sUBs/dds.scr)
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
-
DDS (Ver_09-03-16.01) - NTFSx86
Run by Steven Guiles at 19:42:35.07 on Thu 04/16/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.210 [GMT -4:00]
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Steven Guiles\Desktop\dds.pif
C:\WINDOWS\system32\wuauclt.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DeadAIM] rundll32.exe "c:\program files\aim95\\DeadAIM.ocm",ExportedCheckODLs
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} c:\program files\partygaming\partypoker\runapp.exe - c:\program files\partygaming\partypoker\runapp.exe\inprocserver32 does not exist!
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239502760031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://zone.msn.com/binGame/ZAxRcMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\steven~1\applic~1\mozilla\firefox\profiles\default.lv3\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-13 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-10-24 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2001-8-18 3584]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
=============== Created Last 30 ================
2009-04-16 19:36 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\NortonInstaller
2009-04-16 19:33 <DIR> --d-h--- c:\windows\PIF
2009-04-16 16:46 <DIR> a-dshr-- C:\cmdcons
2009-04-16 16:42 161,792 a------- c:\windows\SWREG.exe
2009-04-16 16:42 98,816 a------- c:\windows\sed.exe
2009-04-16 13:00 <DIR> --d----- c:\docume~1\steven~1\applic~1\Malwarebytes
2009-04-16 13:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 13:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 12:59 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-04-16 12:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-16 11:01 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-04-16 11:01 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-16 11:01 <DIR> --d----- c:\docume~1\steven~1\applic~1\SUPERAntiSpyware.com
2009-04-16 11:00 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-16 10:51 <DIR> --d----- c:\program files\CCleaner
2009-04-16 08:39 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 08:39 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 08:39 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 08:39 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 08:39 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 08:39 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 08:39 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 08:39 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 08:39 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 08:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 08:38 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 08:38 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 11:12 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-13 22:03 4,096 a--sh--- C:\Thumbs.db
2009-04-13 20:10 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-13 20:09 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-12 22:29 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\vsosdk
2009-04-12 20:54 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-04-12 20:54 47,360 a------- c:\docume~1\steven~1\applic~1\pcouffin.sys
2009-04-12 20:53 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-04-12 20:53 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-21 10:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll
==================== Find3M ====================
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-01 13:35 48,583 a------- c:\docume~1\steven~1\applic~1\upd.exe
2008-07-30 20:51 35,296 a------- c:\docume~1\steven~1\applic~1\GDIPFONTCACHEV1.DAT
2005-09-25 13:51 774,144 a------- c:\program files\RngInterstitial.dll
2004-07-22 01:00 0 ac--h--- c:\documents and settings\steven guiles\hpothb07.dat
2008-09-18 22:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat
============= FINISH: 19:45:38.50 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-03-16.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/29/2004 10:25:12 PM
System Uptime: 4/16/2009 7:40:55 PM (0 hours ago)
Motherboard: Intel Corporation | | D845EPT2
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz | X1 | 1794/100mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 23.548 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01321028&REV_01\3&267A616A&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01321028&REV_01\3&267A616A&0&EF
Service:
==== System Restore Points ===================
RP1752: 1/29/2009 10:03:30 AM - System Checkpoint
RP1753: 1/30/2009 12:57:14 PM - System Checkpoint
RP1754: 1/31/2009 1:15:31 PM - System Checkpoint
RP1755: 2/1/2009 2:15:55 PM - System Checkpoint
RP1756: 2/2/2009 2:27:33 PM - System Checkpoint
RP1757: 2/3/2009 3:15:37 PM - System Checkpoint
RP1758: 2/4/2009 4:15:31 PM - System Checkpoint
RP1759: 2/5/2009 5:14:31 PM - System Checkpoint
RP1760: 2/6/2009 6:14:33 PM - System Checkpoint
RP1761: 2/7/2009 8:38:45 PM - System Checkpoint
RP1762: 2/8/2009 9:34:12 PM - System Checkpoint
RP1763: 2/9/2009 10:45:11 PM - System Checkpoint
RP1764: 2/10/2009 11:33:02 PM - System Checkpoint
RP1765: 2/11/2009 4:44:33 PM - Software Distribution Service 3.0
RP1766: 2/12/2009 5:40:00 PM - System Checkpoint
RP1767: 2/13/2009 5:54:43 PM - System Checkpoint
RP1768: 2/14/2009 6:36:25 PM - System Checkpoint
RP1769: 2/15/2009 6:41:17 PM - Removed ESET NOD32 Antivirus
RP1770: 2/15/2009 6:42:00 PM - Removed ESET NOD32 Antivirus
RP1771: 2/15/2009 6:46:43 PM - Installed ESET NOD32 Antivirus
RP1772: 2/16/2009 6:47:36 PM - System Checkpoint
RP1773: 2/17/2009 8:50:50 PM - System Checkpoint
RP1774: 2/18/2009 9:18:39 PM - System Checkpoint
RP1775: 2/19/2009 9:50:30 PM - System Checkpoint
RP1776: 2/20/2009 11:03:01 PM - System Checkpoint
RP1777: 2/21/2009 11:50:28 PM - System Checkpoint
RP1778: 2/23/2009 12:50:32 AM - System Checkpoint
RP1779: 2/24/2009 2:03:02 AM - System Checkpoint
RP1780: 2/25/2009 2:49:29 AM - System Checkpoint
RP1781: 2/25/2009 8:29:43 AM - Software Distribution Service 3.0
RP1782: 2/26/2009 8:39:37 AM - System Checkpoint
RP1783: 2/27/2009 8:40:21 AM - System Checkpoint
RP1784: 2/28/2009 11:13:29 AM - System Checkpoint
RP1785: 3/1/2009 11:20:43 AM - System Checkpoint
RP1786: 3/2/2009 12:08:43 PM - System Checkpoint
RP1787: 3/3/2009 1:08:43 PM - System Checkpoint
RP1788: 3/4/2009 2:07:45 PM - System Checkpoint
RP1789: 3/5/2009 3:07:50 PM - System Checkpoint
RP1790: 3/6/2009 4:07:45 PM - System Checkpoint
RP1791: 3/7/2009 5:06:56 PM - System Checkpoint
RP1792: 3/8/2009 5:27:10 PM - System Checkpoint
RP1793: 3/9/2009 6:07:54 PM - System Checkpoint
RP1794: 3/10/2009 7:18:58 PM - System Checkpoint
RP1795: 3/11/2009 8:06:54 PM - System Checkpoint
RP1796: 3/12/2009 2:00:25 AM - Software Distribution Service 3.0
RP1797: 3/13/2009 2:12:00 AM - System Checkpoint
RP1798: 3/14/2009 3:12:00 AM - System Checkpoint
RP1799: 3/15/2009 10:37:34 AM - Removed Java(TM) 6 Update 11
RP1800: 3/15/2009 10:38:33 AM - Installed Java(TM) 6 Update 12
RP1801: 3/16/2009 11:09:57 AM - System Checkpoint
RP1802: 3/17/2009 12:09:52 PM - System Checkpoint
RP1803: 3/18/2009 12:47:35 PM - System Checkpoint
RP1804: 3/19/2009 12:51:53 PM - System Checkpoint
RP1805: 3/20/2009 8:23:31 AM - Software Distribution Service 3.0
RP1806: 3/21/2009 9:30:35 AM - System Checkpoint
RP1807: 3/22/2009 9:52:10 AM - System Checkpoint
RP1808: 3/23/2009 10:52:02 AM - System Checkpoint
RP1809: 3/24/2009 11:50:59 AM - System Checkpoint
RP1810: 3/25/2009 12:51:04 PM - System Checkpoint
RP1811: 3/26/2009 1:50:11 PM - System Checkpoint
RP1812: 3/27/2009 2:50:07 PM - System Checkpoint
RP1813: 3/28/2009 3:35:16 PM - System Checkpoint
RP1814: 3/29/2009 10:58:03 PM - System Checkpoint
RP1815: 3/31/2009 10:11:13 AM - System Checkpoint
RP1816: 4/1/2009 6:31:47 PM - Installed Java(TM) 6 Update 13
RP1817: 4/2/2009 9:29:16 PM - System Checkpoint
RP1818: 4/3/2009 10:03:13 PM - System Checkpoint
RP1819: 4/4/2009 10:56:54 PM - System Checkpoint
RP1820: 4/7/2009 8:22:54 AM - System Checkpoint
RP1821: 4/8/2009 6:20:09 PM - System Checkpoint
RP1822: 4/9/2009 9:12:10 PM - System Checkpoint
RP1823: 4/10/2009 9:48:08 PM - System Checkpoint
RP1824: 4/11/2009 8:31:04 PM - Removed Bonjour
RP1825: 4/11/2009 8:32:00 PM - Removed MobileMe Control Panel
RP1826: 4/11/2009 8:32:55 PM - Removed Norton Security Scan
RP1827: 4/11/2009 8:33:51 PM - Removed Safari
RP1828: 4/11/2009 10:16:38 PM - Software Distribution Service 3.0
RP1829: 4/11/2009 10:27:11 PM - Software Distribution Service 3.0
RP1830: 4/12/2009 11:21:33 PM - System Checkpoint
RP1831: 4/13/2009 11:56:54 PM - System Checkpoint
RP1832: 4/15/2009 5:49:02 PM - System Checkpoint
RP1833: 4/16/2009 8:45:57 AM - Software Distribution Service 3.0
RP1834: 4/16/2009 11:01:00 AM - Installed SUPERAntiSpyware Free Edition
RP1835: 4/16/2009 4:43:22 PM - ComboFix created restore point
RP1836: 4/16/2009 5:31:52 PM - Removed Adobe Photoshop CS2
RP1837: 4/16/2009 5:37:51 PM - Removed Apple Mobile Device Support
RP1838: 4/16/2009 5:39:46 PM - Removed Apple Software Update
RP1839: 4/16/2009 5:42:01 PM - Removed HP Memories Disc
RP1840: 4/16/2009 5:42:49 PM - Removed LiveUpdate Notice (Symantec Corporation)
==== Installed Programs ======================
Ad-Aware
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Audition 1.5
Adobe Bridge 1.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
AOL Instant Messenger
Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
Azureus
CCleaner (remove only)
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Critical Update for Windows Media Player 11 (KB959772)
DeadAIM
Dell ResourceCD
DVD Decrypter (Remove Only)
ESET NOD32 Antivirus
FLAC Installer 1.1.0k (remove only)
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
mkw Audio Compression Toolkit
Mozilla Firefox (3.0.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up
NVIDIA Display Driver
OLYMPUS Master
QuickTime
Remote Control USB Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SoundMAX
Spybot - Search & Destroy 1.2
SUPERAntiSpyware Free Edition
TDK Launcher
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.6.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WildTangent Multiplayer Library
Winamp
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Works Suite OS Pack
Works Synchronization
==== Event Viewer Messages From Past Week ========
4/16/2009 5:39:19 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/16/2009 5:25:14 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/16/2009 5:13:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Eset Nod32 Boot service to connect.
4/16/2009 5:13:52 PM, error: Service Control Manager [7000] - The Eset Nod32 Boot service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/16/2009 1:22:05 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
4/14/2009 3:45:25 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
4/14/2009 3:44:11 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
4/14/2009 3:44:00 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
4/14/2009 3:42:17 PM, error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).
4/14/2009 3:04:09 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller
4/13/2009 5:39:54 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
-
Go to Add or Remove programs and uninstall:
- Java(TM) 6 Update 7
- Spybot - Search & Destroy 1.2 <-Way out of date!
- Viewpoint Manager (Remove Only)
- Viewpoint Media Player (Remove Only)
.
----------
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
.
----------
Run CCleaner.
----------
How is the computer running now?
-
It is running much better. The error message came up once today and that was before I ran MBAM. Since then, the message hasn't popped up. The 'PF Usage' is hovering around 260mb, but that's considerably down from what it was at the last few days.
Many thanks!
-
Sounds good.
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.