Computer Hope
Software => Computer viruses and spyware => Topic started by: Mr.Hopeless on July 06, 2010, 06:38:29 PM
-
While I was on a business trip, somebody got my computer infected it seems. I first knew something was wrong when the the sound kept going out and I had to reset the sound settings to get the sound back on on. Since, other things were happening, including a pop-up, messages about wanting to make IE my default browser, etc. My computer has AVG Anti-Virus (Free Version 8, I'll be upgrading ASAP), and on three separate scans it found infections, including Trojan house Clicker.AJUP, Tracking cooking.Trafficmp, Tracking cooking.Overture, Virus FakeAlert, and the latest on separate scans Trojan horse Downloader.Tiny.BB.
Whatever is going on, iexplore.exe keeps opening up, even after I End Process from the Windows Task Manager. It's rather disturbing. (Firefox is my default browser.)
And one more thing I've found. hxxp://www.yadaying.com/index.php?aff_id=979 (on Windows Internet Explorer) is running in the background, and I don't know how to stop it from running.
It seems there must be something lodged in the computer that's bringing about these infections, but I don't know where to start looking for it. At this point, I'm a bit afraid to turn that computer on (I'm using a different laptop). If anyone can get me started on this, I'd really appreciate it.
For the record, that computer is running Windows XP.
-
Hello, and welcome to Computer Hope.
Please note the following information about the malware forum:
- Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
- From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
- Please do not attach logs or post them in Quote/Code boxes unless requested.
- Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
- If you have already asked for help somewhere, please post the link to the topic you were helped.
- We try our best to reply quickly, but for any reason we do not reply in two days, reply to this topic with the word BUMP
- Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
(http://www.malwarebytes.org/forums/style_images/1/bf_new.gif) Please download Malwarebytes Anti-Malware from Malwarebytes.org (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Alternate link: BleepingComputer.com (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe).
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)
Double Click mbam-setup.exe to install the application.
(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
- Copy and paste the entire report in your next reply.
-
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/7/2010 8:56:08 PM
mbam-log-2010-07-07 (20-56-08).txt
Scan type: Quick scan
Objects scanned: 144970
Time elapsed: 16 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
-
ComboFix 10-07-06.05 - Brett 07/07/2010 22:53:31.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.794 [GMT -4:00]
Running from: c:\documents and settings\Brett\My Documents\Temp\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Brett\g2mdlhlpx.exe
c:\documents and settings\Deborah\Favorites\DBLY1.exe
c:\documents and settings\Deborah\Favorites\Launcher.exe
c:\documents and settings\Deborah\g2mdlhlpx.exe
c:\windows\settings.reg
c:\windows\system32\bszip.dll
c:\windows\system32\Data
.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.
2010-07-07 01:16 . 2010-07-07 01:16 495616 ----a-w- c:\windows\system32\igfxcfg.exe
2010-07-05 00:31 . 2010-07-05 00:31 -------- d-sh--w- c:\documents and settings\Deborah\IECompatCache
2010-07-04 18:25 . 2010-07-04 18:25 -------- d-----w- C:\$AVG
2010-07-04 18:21 . 2010-07-04 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-04 03:41 . 2010-07-04 03:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-04 03:13 . 2010-07-04 03:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 04:45 . 2010-07-02 04:45 -------- d-----w- c:\program files\Trend Micro
2010-07-01 17:20 . 2010-07-01 17:20 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-01 17:20 . 2010-07-01 17:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-01 17:20 . 2010-07-01 17:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-01 17:19 . 2010-07-01 17:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-13 04:47 . 2010-06-13 04:47 -------- d-----w- c:\documents and settings\Brett\Application Data\ZipGenius
2010-06-13 04:46 . 2010-06-13 04:46 -------- d-----w- c:\program files\ZipGenius 6
2010-06-08 18:33 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 01:45 . 2009-02-16 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 18:25 . 2009-02-16 03:30 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-04 18:25 . 2009-02-16 03:30 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-04 18:25 . 2009-02-16 03:30 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-04 18:25 . 2009-02-16 03:30 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-04 18:21 . 2009-02-16 03:30 -------- d-----w- c:\program files\AVG
2010-07-04 16:52 . 2009-02-16 03:45 -------- d-----w- c:\program files\CCleaner
2010-07-04 16:50 . 2008-09-11 12:18 -------- d-----w- c:\documents and settings\Brett\Application Data\Amazon
2010-07-04 16:50 . 2008-09-11 12:18 -------- d-----w- c:\program files\Amazon
2010-07-04 16:49 . 2005-04-20 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-02 04:45 . 2010-07-02 04:45 388096 ----a-r- c:\documents and settings\Brett\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-08 00:30 . 2010-06-08 00:30 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-08 00:30 . 2010-06-08 00:30 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:30 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-08 00:30 . 2010-06-08 00:30 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:30 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 -------- d-----w- c:\documents and settings\Brett\Application Data\DivX
2010-06-08 00:29 . 2010-06-08 00:29 84062 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-27 18:40 . 2005-04-20 17:18 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-27 18:40 . 2005-04-20 17:18 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40 . 2004-08-02 07:03 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-11 16:00 . 2010-04-11 16:00 3303568 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockNY.exe
2010-04-11 15:39 . 2010-04-11 15:39 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901xupd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="c:\program files\mozilla.org\Mozilla\Mozilla.exe" [2005-05-11 98192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-22 149280]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SmcService"="c:\progra~1\COMPUT~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-04 2065760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-04 18:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-08 23:54 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2009 11:30 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2009 11:30 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/4/2010 2:23 PM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2009 8:51 PM 133104]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [11/20/2005 11:11 PM 17432]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2/10/2006 5:27 PM 45840]
.
Contents of the 'Scheduled Tasks' folder
2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 00:50]
2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 00:50]
2010-06-25 c:\windows\Tasks\Install.job
- c:\windows\system32\Macromed\Shockwave 10\nssstub.exe [2010-06-24 18:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Brett\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Brett\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Deborah\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Brett\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 23:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,1a,17,b4,52,54,7c,42,b2,a6,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,1a,17,b4,52,54,7c,42,b2,a6,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Computer Defense\Sygate\SPF\smc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\Rundll32.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-07-07 23:11:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 03:11
Pre-Run: 20,980,580,352 bytes free
Post-Run: 20,480,839,680 bytes free
- - End Of File - - 07495C7CAAE74387232C3FE48885798E
-
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
-
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=1
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=109a82bd2f2d8043b7bac6a70eb93324
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-08 11:03:48
# local_time=2010-07-08 07:03:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 110339766 138927839 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=124280
# found=1
# cleaned=1
# scan_time=13844
C:\Documents and Settings\Deborah\Desktop\i386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
-
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
- Select Start > All Programs > Accessories > System tools > System Restore.
- On the dialogue box that appears select Create a Restore Point
- Click NEXT
- Enter a name e.g. Clean
- Click CREATE
You now have a clean restore point, to get rid of the bad ones:
- Select Start > All Programs > Accessories > System tools > Disk Cleanup.
- In the Drop down box that appears select your main drive e.g. C
- Click OK
- The System will do some calculation and the display a dialogue box with TABS
- Select the More Options Tab.
- At the bottom will be a system restore box with a CLEANUP button click this
- Accept the Warning and select OK again, the program will close and you are done
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:
- Save it to your Desktop.
- Double click OTC.exe.
- Click the CleanUp! button.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
==
Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start
button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
==
Download Security Check by screen317 from SpywareInfoforum.org (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or Changelog.fr (http://screen317.changelog.fr/SecurityCheck.exe).- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
AVG Free 9.0
ESET Online Scanner v3
Sygate Personal Firewall
```````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Ad-Aware
WinPatrol 2008 (Outdated! Latest version is WinPatrol 2009)[/b]
Malwarebytes' Anti-Malware
CCleaner (remove only)
Lavasoft VX2 Cleaner
Java(TM) 6 Update 16
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java 2 Runtime Environment Standard Edition v1.3.1_17
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.6)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
WinPatrol winpatrol.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
BillP Studios WinPatrol winpatrol.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
-
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
==
Please download the newest version of Java from Java.com (http://www.java.com/en/download/manual.jsp).
Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.
Once old versions are gone, please install the newest version.
=======================================
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.
Software recommendations
Firewall- Tallemu Online Armor (http://www.tallemu.com/products-online-armor-free.php): the free version is just as good as the premium. I have linked you to the free version.
- Comodo Firewall (http://www.comodo.com/home/internet-security/firewall.php): the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
- PC Tools Firewall Plus (http://www.pctools.com/firewall/download/): free and excellent firewall.
AntiSpyware- SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here (http://www.bleepingcomputer.com/tutorials/tutorial49.html).
- Spybot - Search & Destroy (http://www.safer-networking.org/en/tutorial/index.html).
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.
Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.
Securing your computer- Windows Updates (http://update.microsoft.com) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- hpHosts file (http://hosts-file.net) replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested:
- Firefox may be downloaded from here: http://www.getfirefox.com (http://www.getfirefox.com)
- Opera is available here: http://www.opera.com/download/ (http://www.opera.com/download/)
See this page (http://www.helpmyos.com/learn-security-f40/preventing-malware-and-being-resistant-to-the-dangers-of-the-internet-t1516.htm) for more info about malware and prevention.
-
Thanks for all of your help so far.
I've updated Adobe Acrobat Reader and Java.
Before I follow up with the Firewall and AntiSpyware software, two things:
1.) I still have problems with my computer (as I'm typing this, there is an Internet Explorer pop-up window saying "Internet Explorer is not currently your default browser. Would you like to make it your default browser?" (I never opened IE, and I rarely ever use it.) If I close IExplere.exe from the Task Manger, it just opens right back up again. I get this pop-up window when I first turn on the modem after starting up the computer. I also get warnings from WinPatrol that says:
Scotty the Windows Watchdog is on patrol and has detected a change to one of your file type associations [.URL].
The program currently associated with this file type is:
Run a DLL as an APP
Microsoft Corporation
C:\WINDOWS\system32\rundll32.exe C:\WIDOWS\system32\ieframe.dll,OpenURL %l
A change was made to use the following program for this file type.
Run a DLL as an App
Microsoft Corporation
rundll32.exe ieframe.dll,OpenURL %l
Is this change ok?
(I always say no.)
2.) I'm concerned about having too many firewalls, especially since this computer is on the older side, because I'm afraid the computer will get intolerably slow. I"m already running Sygate Personal Firewall and Windows Watchdog on top of AVG. Is my concern valid about the speed of my computer running so many firewalls?
Thanks.
-
Only have one firewall.
Internet Explorer has an auto-recovery mode. It will automatically re-launch if it gets crashed (shut down immediately). That is normal behavior for Internet Explorer.
Also, Internet Explorer will probably need to finish its install. Just follow any prompts with it, and see if you have any more issues.
-
I think where I'm concerned about IE is that I'm getting this prompt without launching IE. Doesn't that suggest that something is launching IE? I mean, IE shouldn't be asking me to make it the default browser if I didn't initiate opening it myself, I would think...
-
Hi M Hopeless,
I had exactly the same problem and could'nt fix it. I just solved today using bootkit_remover and the instructions found here: http://forums.majorgeeks.com/showthread.php?p=1507974 (http://forums.majorgeeks.com/showthread.php?p=1507974)
Hope it'll work for you!
-
I am having the exact samething Down to the T going on with my laptop,and Im doing everything in this post but nothings helping.Im really wondering is this like a recent/new malware/virus/trojan what have you going around this year.
-
@Mr. Hopeless
Please download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract the file and run it.
- Once completed it will create a log in your C:\ drive.
- Please post the contents of that log.
-
19:46:40:278 2988 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
19:46:40:278 2988 ================================================================================
19:46:40:278 2988 SystemInfo:
19:46:40:278 2988 OS Version: 5.1.2600 ServicePack: 3.0
19:46:40:278 2988 Product type: Workstation
19:46:40:278 2988 ComputerName: D2PGV571
19:46:40:278 2988 UserName: Brett
19:46:40:278 2988 Windows directory: C:\WINDOWS
19:46:40:278 2988 System windows directory: C:\WINDOWS
19:46:40:278 2988 Processor architecture: Intel x86
19:46:40:278 2988 Number of processors: 1
19:46:40:278 2988 Page size: 0x1000
19:46:40:278 2988 Boot type: Normal boot
19:46:40:278 2988 ================================================================================
19:46:40:700 2988 Initialize success
19:46:40:700 2988
19:46:40:700 2988 Scanning Services ...
19:46:41:372 2988 Raw services enum returned 360 services
19:46:41:387 2988
19:46:41:387 2988 Scanning Drivers ...
19:46:42:372 2988 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
19:46:42:450 2988 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:46:42:591 2988 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:46:42:653 2988 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
19:46:42:731 2988 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:46:42:825 2988 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
19:46:42:856 2988 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
19:46:42:934 2988 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
19:46:43:028 2988 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
19:46:43:044 2988 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
19:46:43:059 2988 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
19:46:43:091 2988 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
19:46:43:122 2988 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
19:46:43:153 2988 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
19:46:43:184 2988 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
19:46:43:247 2988 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
19:46:43:294 2988 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
19:46:43:341 2988 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
19:46:43:419 2988 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:46:43:481 2988 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:46:43:591 2988 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:46:43:700 2988 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:46:43:809 2988 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:46:43:966 2988 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
19:46:44:044 2988 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
19:46:44:122 2988 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
19:46:44:153 2988 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:46:44:200 2988 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
19:46:44:216 2988 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:46:44:231 2988 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
19:46:44:262 2988 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:46:44:294 2988 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:46:44:356 2988 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:46:44:403 2988 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
19:46:44:497 2988 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
19:46:44:637 2988 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
19:46:44:700 2988 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
19:46:44:762 2988 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
19:46:44:825 2988 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:46:44:903 2988 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:46:44:981 2988 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:46:45:028 2988 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:46:45:075 2988 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:46:45:106 2988 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
19:46:45:153 2988 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:46:45:169 2988 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
19:46:45:200 2988 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
19:46:45:294 2988 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
19:46:45:356 2988 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
19:46:45:481 2988 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:46:45:856 2988 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:46:45:903 2988 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:46:46:044 2988 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:46:46:075 2988 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:46:46:137 2988 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:46:46:153 2988 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:46:46:184 2988 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:46:46:231 2988 GEARAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
19:46:46:294 2988 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:46:46:356 2988 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:46:46:403 2988 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
19:46:46:466 2988 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:46:46:512 2988 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:46:46:544 2988 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
19:46:46:544 2988 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:46:46:591 2988 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:46:46:778 2988 IcRecUsb (16e441dc4daf703fb0b0fe474830ff53) C:\WINDOWS\system32\Drivers\IcRecUsb.sys
19:46:47:028 2988 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:46:47:075 2988 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
19:46:47:137 2988 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:46:47:216 2988 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:46:47:278 2988 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:46:47:294 2988 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:46:47:356 2988 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:46:47:434 2988 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:46:47:528 2988 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:46:47:622 2988 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:46:47:653 2988 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:46:47:716 2988 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:46:47:762 2988 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
19:46:47:856 2988 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:46:47:966 2988 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:46:47:997 2988 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:46:48:059 2988 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:46:48:091 2988 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:46:48:169 2988 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:46:48:216 2988 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:46:48:262 2988 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
19:46:48:309 2988 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:46:48:372 2988 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:46:48:419 2988 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:46:48:481 2988 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:46:48:512 2988 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:46:48:544 2988 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:46:48:591 2988 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:46:48:637 2988 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:46:48:731 2988 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:46:48:762 2988 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:46:48:809 2988 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:46:48:872 2988 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:46:48:950 2988 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
19:46:49:075 2988 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:46:49:216 2988 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:46:49:325 2988 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:46:49:512 2988 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:46:49:637 2988 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:46:49:887 2988 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:46:50:262 2988 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:46:50:341 2988 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:46:50:434 2988 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
19:46:50:528 2988 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
19:46:50:684 2988 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
19:46:50:778 2988 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:46:50:825 2988 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:46:50:872 2988 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:46:50:934 2988 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:46:51:028 2988 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:46:51:091 2988 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:46:51:153 2988 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
19:46:51:184 2988 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
19:46:51:262 2988 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
19:46:51:325 2988 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:46:51:356 2988 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:46:51:403 2988 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:46:51:497 2988 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:46:51:544 2988 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
19:46:51:637 2988 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
19:46:51:762 2988 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
19:46:51:841 2988 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
19:46:51:872 2988 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
19:46:51:919 2988 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:46:51:981 2988 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:46:52:028 2988 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:46:52:091 2988 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:46:52:122 2988 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:46:52:153 2988 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:46:52:356 2988 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:46:52:575 2988 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:46:52:637 2988 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:46:52:716 2988 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:46:52:872 2988 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
19:46:53:091 2988 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:46:53:137 2988 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:46:53:184 2988 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:46:53:278 2988 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
19:46:53:387 2988 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
19:46:53:497 2988 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
19:46:53:575 2988 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:46:53:622 2988 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:46:53:716 2988 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
19:46:53:794 2988 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
19:46:53:903 2988 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
19:46:54:012 2988 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:46:54:122 2988 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:46:54:169 2988 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
19:46:54:262 2988 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
19:46:54:309 2988 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
19:46:54:356 2988 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
19:46:54:450 2988 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:46:54:544 2988 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:46:54:669 2988 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:46:54:716 2988 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:46:54:778 2988 Teefer (99336d4da97b4eeaafab46a4f8e512e6) C:\WINDOWS\system32\Drivers\Teefer.sys
19:46:54:825 2988 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:46:54:919 2988 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
19:46:54:981 2988 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
19:46:55:028 2988 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
19:46:55:091 2988 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
19:46:55:153 2988 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
19:46:55:200 2988 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
19:46:55:262 2988 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
19:46:55:294 2988 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
19:46:55:309 2988 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
19:46:55:434 2988 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
19:46:55:544 2988 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:46:55:622 2988 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
19:46:55:762 2988 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:46:55:856 2988 usbbus (5353218b3265e3b8190335059f697a11) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
19:46:55:919 2988 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
19:46:55:934 2988 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:46:55:997 2988 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:46:56:028 2988 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
19:46:56:044 2988 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:46:56:075 2988 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:46:56:106 2988 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:46:56:153 2988 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:46:56:262 2988 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
19:46:56:325 2988 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:46:56:372 2988 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:46:56:419 2988 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:46:56:481 2988 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:46:56:606 2988 wg3n (a67340b874df9eaf5b226e5f3473b9da) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
19:46:56:637 2988 wg4n (851216e2816b7b7e74b5f7ef1d4acfb7) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
19:46:56:684 2988 wg5n (aedd1fe0df660411d15da3c57cfc2402) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
19:46:56:731 2988 wg6n (dd0d719a58df79086462bd5fc972a908) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
19:46:56:841 2988 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
19:46:56:856 2988 wpsdrvnt (93c145dceb13156322423efd62d4549a) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
19:46:57:044 2988 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:46:57:122 2988 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:46:57:137 2988
19:46:57:137 2988 Completed
19:46:57:137 2988
19:46:57:137 2988 Results:
19:46:57:137 2988 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:46:57:137 2988 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:46:57:137 2988
19:46:57:137 2988 KLMD(ARK) unloaded successfully
-
I have exactly same problem, too bad, I tried Microsoft Security Essential, spybot s&d, malwarebytes, Hijackthis, superantispyware, combofix, all can't find the source of the spyware.
I also looked at start up on registry and services. Everything seems normal. I wonder where that comes from. Is it brand new spyware and why all those known antispyware can't delete, clean and kill it?!
-
not working... still popping up.
-
@Mr. Hopeless
Please run the F-Secure Online Scanner (http://www.f-secure.com/en_US/security/security-lab/tools-and-services/online-scanner/)
- Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
- Accept the License Agreement.
- Once the ActiveX installs,Click Full System Scan
- Once the download completes,the scan will begin automatically.
- The scan will take some time to finish,so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and Copy&Paste the entire report in your next reply.
-
@dragonmaster Jay
Hey, not sure if your link works or combo fix worked. Yesterday, after I ran combofix, it worked about 20 so mins, and the popups came back up again. Then this morning, it didn't come up. Anyway, saw your post, and tried your link and found 1 malware and 2 spyware and cleaned it.
After that, I also ran full scan for malware and microsoft security essential (nothing found)
then reboot it and run combofix again, and my norton antivirus found quite a few hacking spyware/virus
Now it seems like everything works okay, sound is back to normal. No popups. Thanks!
@Mr. Hopeless.
Try what I did, it may work for you. If it doesn't, download a software called popup killer, and it close all the popups you specify, but that is surface or temporary fix. Either continue trying or reformat the whole C drive (last resource which I don't recommend because sooner or later this kind of spyware/malware will come back, we need to know how to fix it)
My advise is once everything is fine and okay, backup your whole C drive as image or copy c:\windows\*.* , if there is problem, you can ren your old c:\windows to something and restore the good c:\windows\*.* back, then it should be okay (that is my last resource.. instead of formatting whole drive) by the way, I use apricon to backup.
-
Cancel that. According to a nice colleague, you seem to have what is called a Black Internet Bootkit, which is a fairly newer bootkit.
Download Bootkit Remover (http://www.esagelab.com/files/bootkit_remover.rar) to your Desktop.
- You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/ (http://www.7-zip.org/)
- After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
- It will show a Black screen with some data on it.
- Right click on the screen and click Select All.
- Press CTRL C
- Open a Notepad and press CTRL V
- Post the output back here.
-
While I was on a business trip, somebody got my computer infected it seems. I first knew something was wrong when the the sound kept going out and I had to reset the sound settings to get the sound back on on. Since, other things were happening, including a pop-up, messages about wanting to make IE my default browser, etc. My computer has AVG Anti-Virus (Free Version 8, I'll be upgrading ASAP), and on three separate scans it found infections, including Trojan house Clicker.AJUP, Tracking cooking.Trafficmp, Tracking cooking.Overture, Virus FakeAlert, and the latest on separate scans Trojan horse Downloader.Tiny.BB.
Whatever is going on, iexplore.exe keeps opening up, even after I End Process from the Windows Task Manager. It's rather disturbing. (Firefox is my default browser.)
And one more thing I've found. hxxp://www.yadaying.com/index.php?aff_id=979 (on Windows Internet Explorer) is running in the background, and I don't know how to stop it from running.
It seems there must be something lodged in the computer that's bringing about these infections, but I don't know where to start looking for it. At this point, I'm a bit afraid to turn that computer on (I'm using a different laptop). If anyone can get me started on this, I'd really appreciate it.
For the record, that computer is running Windows XP.
Cancel that. According to a nice colleague, you seem to have what is called a Black Internet Bootkit, which is a fairly newer bootkit.
Download Bootkit Remover (http://www.esagelab.com/files/bootkit_remover.rar) to your Desktop.
- You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/ (http://www.7-zip.org/)
- After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
- It will show a Black screen with some data on it.
- Right click on the screen and click Select All.
- Press CTRL C
- Open a Notepad and press CTRL V
- Post the output back here.
Hola, solucioné este mismo problema (no sound on wave and pop-up´s in iexplore, i´m use firefox) el 11/07/10 con BootKit (Bootkit Remover (http://www.esagelab.com/files/bootkit_remover.rar))
Sigue las instrucciones de DragonMaster Jay, al final serán más o menos éstas:
Generar un archivo por lotes (batch file) con el siguiente texto:
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
SHUTDOWN -r
EXIT
ejecutar el archivo por lotes y ya está...
A fecha de hoy (18/07/10) AVG ha encontrado un virus "Troyano Downloader.Tiny.BB" pero no sé si tendrán relacción.
AVG lo ha eliminado sin ningún problema.
No contestes al correo, estoy usando una cuenta de BugMeNot.
-
Sorry it's taking me long between posts. The dread on turning this computer on is really getting to me. Anyway... when I run remover.exe and I get the black screen window, the window closes when I try to copy the information. Here's what the screen says before it closes:
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
------------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Press any key to quit...
-
Please open Notepad and enter in the following:
@echo off
start remover.exe fix \.\PhysicalDrive0
exit
Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.
Then, exit Notepad.
Double-click on remove.bat.
Please re-run remover.exe and post a new log in your next reply.
-
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Press any key to quit...
-
How is the computer running?
What signs of infection remain?
-
Sound is still out. The computer is making a ticking noise. Sygate gives the following message:
WMI has changed since the last time you used it. This could happen if you have updated it recently. Click Detail to see more information. Do you want to allow it to access the network?
The executable has changed since the last time you used: C:\WINDOWS\system32\wbem\wmiprvse.exe
And in another window, Sygate says:
Prevalence reporter [avgcmgr.exe] is trying to connect to mmi.explabs.net [64.88.164.170] using remote port 80 [HTTP - World Wide Web]. Do you want to allow this program to access the network?
The last time I ran an AVG full scan of the computer, the scan took less than an hour and half. Usually the scan takes more than three and half hours. (That's got me a bit nervous.)
A WinPatrol File Type Change Alert says:
Scotty the Windows Watchdog is on patrol and has detected a change to one of your file type associations
The program currently associated with this file type is:
Run a DLL as an App
Microsoft Corporation
C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ieframe.dll,OpenURL %|
A change was made to use the following program for this file type.
Run a DLL as an App
Microsoft Corporation
rundll32.exe iefram.dll,OpenURL %|
I'm getting pretty close to pulling files off of the hard drive and then reinstalling Windows from scratch. It's feeling like desperate times...
-
Prevalence reporter [avgcmgr.exe] is trying to connect to mmi.explabs.net [64.88.164.170] using remote port 80 [HTTP - World Wide Web]. Do you want to allow this program to access the network?
This is AVG connecting to its Exploit Prevention Labs Server. It is a safe operation.
Please re-run ComboFix and post a new log.
-
ComboFix 10-07-31.02 - Brett 07/31/2010 22:15:50.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.451 [GMT -4:00]
Running from: c:\documents and settings\Brett\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.
2010-07-23 21:25 . 2010-07-23 21:25 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-23 21:25 . 2010-07-23 21:25 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-23 21:25 . 2010-07-23 21:25 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-23 21:25 . 2010-07-23 21:25 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-14 14:34 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 00:16 . 2010-07-14 00:22 -------- d-----w- c:\program files\bootkit
2010-07-11 03:46 . 2010-07-11 03:46 503808 ----a-w- c:\documents and settings\Brett\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5e417fcb-n\msvcp71.dll
2010-07-11 03:46 . 2010-07-11 03:46 499712 ----a-w- c:\documents and settings\Brett\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5e417fcb-n\jmc.dll
2010-07-11 03:46 . 2010-07-11 03:46 348160 ----a-w- c:\documents and settings\Brett\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5e417fcb-n\msvcr71.dll
2010-07-11 03:46 . 2010-07-11 03:46 61440 ----a-w- c:\documents and settings\Brett\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1bd8a20e-n\decora-sse.dll
2010-07-11 03:46 . 2010-07-11 03:46 12800 ----a-w- c:\documents and settings\Brett\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1bd8a20e-n\decora-d3d.dll
2010-07-11 03:45 . 2010-07-11 03:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 03:24 . 2010-07-11 03:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-11 03:22 . 2010-07-11 03:22 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-11 03:21 . 2010-07-11 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-08 19:08 . 2010-07-08 19:08 -------- d-----w- c:\program files\ESET
2010-07-07 01:16 . 2010-07-07 01:16 495616 ----a-w- c:\windows\system32\igfxcfg.exe
2010-07-05 00:31 . 2010-07-05 00:31 -------- d-sh--w- c:\documents and settings\Deborah\IECompatCache
2010-07-04 18:25 . 2010-07-04 18:25 -------- d-----w- C:\$AVG
2010-07-04 18:21 . 2010-07-04 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-04 03:41 . 2010-07-04 03:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-04 03:13 . 2010-07-04 03:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 04:45 . 2010-07-02 04:45 388096 ----a-r- c:\documents and settings\Brett\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-02 04:45 . 2010-07-02 04:45 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 03:46 . 2005-04-20 17:21 -------- d-----w- c:\program files\Common Files\Java
2010-07-11 03:45 . 2005-04-20 17:21 -------- d-----w- c:\program files\Java
2010-07-11 03:37 . 2005-04-20 17:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 03:28 . 2005-04-21 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-07 01:45 . 2009-02-16 01:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 18:25 . 2009-02-16 03:30 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-04 18:25 . 2009-02-16 03:30 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-04 18:25 . 2009-02-16 03:30 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-04 18:25 . 2009-02-16 03:30 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-04 18:21 . 2009-02-16 03:30 -------- d-----w- c:\program files\AVG
2010-07-04 16:52 . 2009-02-16 03:45 -------- d-----w- c:\program files\CCleaner
2010-07-04 16:50 . 2008-09-11 12:18 -------- d-----w- c:\documents and settings\Brett\Application Data\Amazon
2010-07-04 16:50 . 2008-09-11 12:18 -------- d-----w- c:\program files\Amazon
2010-07-04 16:49 . 2005-04-20 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-13 04:47 . 2010-06-13 04:47 -------- d-----w- c:\documents and settings\Brett\Application Data\ZipGenius
2010-06-13 04:46 . 2010-06-13 04:46 -------- d-----w- c:\program files\ZipGenius 6
2010-06-08 00:30 . 2010-06-08 00:30 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-08 00:30 . 2010-06-08 00:30 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:30 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-08 00:30 . 2010-06-08 00:30 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-08 00:30 . 2010-06-08 00:30 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 -------- d-----w- c:\documents and settings\Brett\Application Data\DivX
2010-06-08 00:29 . 2010-06-08 00:29 84062 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-06-08 00:29 . 2010-06-08 00:29 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-08 00:28 . 2010-06-08 00:28 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-06-08 00:28 . 2010-06-08 00:28 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-06-08 00:28 . 2010-06-08 00:28 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-06-08 00:28 . 2009-08-19 00:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-08 00:22 . 2010-06-08 00:30 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-08 00:19 . 2010-06-08 00:30 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 16:13 . 2008-08-12 01:07 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="c:\program files\mozilla.org\Mozilla\Mozilla.exe" [2005-05-11 98192]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SmcService"="c:\progra~1\COMPUT~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-04 2065760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-04 18:25 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-08 23:54 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2009 11:30 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2009 11:30 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/4/2010 2:23 PM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/21/2009 8:51 PM 133104]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [11/20/2005 11:11 PM 17432]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [2/10/2006 5:27 PM 45840]
.
Contents of the 'Scheduled Tasks' folder
2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 00:50]
2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 00:50]
2010-06-25 c:\windows\Tasks\Install.job
- c:\windows\system32\Macromed\Shockwave 10\nssstub.exe [2010-06-24 18:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Brett\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Brett\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 22:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,1a,17,b4,52,54,7c,42,b2,a6,fd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,1a,17,b4,52,54,7c,42,b2,a6,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-31 22:23:19
ComboFix-quarantined-files.txt 2010-08-01 02:23
Pre-Run: 19,844,481,024 bytes free
Post-Run: 19,828,944,896 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 1BD2103E25EA95A703A92D477D221DA2
-
Please download DrWeb-CureIt (http://ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) and save it to your Desktop. Do NOT perform a scan yet
- Double-click on drweb-cureit.exe to start the program.
An Express Scan of your PC notice will appear.
- Under Start the Express Scan Now, Click OK to start the scan.
This is a short scan that will scan the files currently running in memory.
If something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the Scan tab and UNcheck Heuristic analysis
- Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
- Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
- When finished, a message will be displayed at the bottom advising if any viruses were found.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, look if you can see the icon next to the files found.
If so, click it, then click the next icon right below and select Move incurable.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
- Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit when you have finished.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
-
Wow. This got a lot of stuff...
1196745071jtun_firstexpirationpif.x00\Program Files\Common Files\PIF_B8E1\pifCrawl.exe;C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1196745071jtun_firstexpirationpif.x00;Trojan.Swizzor.based;;
1196745071jtun_firstexpirationpif.x00;C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads;Archive contains infected objects;Moved.;
005F6B55.tmp;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Trojan.DownLoader.3204;Deleted.;
0A532F1A.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Trojan.DownLoader.793;Deleted.;
10FF3461.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.AdBlaster;Incurable.Deleted.;
278E22DA.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.AdBlaster;Incurable.Deleted.;
441A342D.dll;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.Virtumonde;Incurable.Deleted.;
46DC7909.dll;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.Virtumonde;Incurable.Deleted.;
48D12855.dll;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Trojan.Virtumod;Deleted.;
49D62471.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Deleted.;
4D5725C8.EXE;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.AdBlaster;Incurable.Deleted.;
4D5A4FC5.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.AdBlaster;Incurable.Deleted.;
6A115978.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.AdBlaster;Incurable.Deleted.;
6A12297F.bat;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Joke.Opros;Incurable.Deleted.;
79AC3926.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Trojan.DownLoader.793;Deleted.;
7BD2172F.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.AdBlaster;Incurable.Deleted.;
7F5368CC.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Trojan.DownLoader.1959;Deleted.;
7F5712C9.dll;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Deleted.;
7F5712C9.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Deleted.;
7F5712C9.fr9;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Deleted.;
Salary Survey.bat;C:\Documents and Settings\Brett\Desktop\Old Computer Stuff\Misc\Humor;Joke.Opros;Incurable.Deleted.;
ASAP Utilities 310 setup.exe\{app}\format.asap;C:\Documents and Settings\Brett\My Documents\Temp\ASAP Utilities 310 setup.exe;W97M.Iseng;;
ASAP Utilities 310 setup.exe;C:\Documents and Settings\Brett\My Documents\Temp;Container contains infected objects;Moved.;
VundoFix.exe\process.exe;C:\Documents and Settings\Brett\My Documents\Temp\VundoFix.exe;Tool.Killproc.3;;
VundoFix.exe;C:\Documents and Settings\Brett\My Documents\Temp;Container contains infected objects;Moved.;
pifCrawl.exe;C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08};Trojan.Swizzor.based;Deleted.;
VundoFix.exe\process.exe;C:\Program Files\Computer Defense\VundoFix\VundoFix.exe;Tool.Killproc.3;;
VundoFix.exe;C:\Program Files\Computer Defense\VundoFix;Container contains infected objects;Moved.;
process.exe;C:\Program Files\Computer Defense\VundoFix\VundoFix;Tool.Killproc.3;Incurable.Deleted.;
A0001440.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14;Trojan.DownLoader.793;Deleted.;
A0001441.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14;Trojan.Virtumod;Deleted.;
A0001442.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14;Trojan.DownLoader.793;Deleted.;
A0001443.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14;Trojan.DownLoader.1959;Deleted.;
A0001444.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14;Trojan.Swizzor.based;Deleted.;
A0001445.exe\process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14\A0001445.exe;Tool.Killproc.3;;
A0001445.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP14;Container contains infected objects;Moved.;
-
Infections found in ComboFix Quarantine and System Restore
Virus and malware scanners detect infections found in ComboFix quarantine (C:\Qoobox\) and System Restore (C:\System Volume Information\). However, these infections are harmless, unless if certain conditions occur.
For ComboFix quarantine:
- ComboFix should be uninstalled. Otherwise, if a threat were to be restored or executed from the quarantine, the computer would become reinfected.
For System Restore:
- A new Restore Point should be created and System Restore should be reset after the infection has been removed.
- If you do not reset System Restore, and go to Restore your computer to an earlier time, it can reinfect your computer.
We will be cleaning all of it up.
Save these instructions so you can have access to them while in Safe Mode.
Please click here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to download AVP Tool by Kaspersky. - Save it to your desktop.
- Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
- Double click the setup file to run it.
- Click Next to continue.
- Accept the License agreement and click on next.
- It will, by default, install it to your desktop folder. Click Next.
- It will then open a box There will be a tab that says Automatic scan.
- Under Automatic scan make sure these are checked.
- Hidden Startup Objects
- System Memory
- Disk Boot Sectors.
- My Computer.
- Also any other drives (Removable that you may have)[/color]
Leave the rest of the settings as they appear as default. - Then click on Scan at the to right hand Corner.
- It will automatically Neutralize any objects found.
- If some objects are left un-neutralized then click the button that says Neutralize all
- If it says it cannot be neutralized then choose the delete option when prompted.
- After that is done click on the reports button at the bottom and save it to file name it Kas.
- Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.
-
I was unable to save the report since, in Safe Mode, I couldn't change the Display settings and, unfortunately, the button for creating the report was cut off below the end of the monitor and the top of the window kept snapping to the top of the monitor no matter what I did to try to move it up. Here are the actions (I had to type this out, so I hope it's accurate):
Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1134765A.exe/CryptFF/UPX
Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\112E2261.exe/CryptFF/UPX
Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1134765A.exe/CryptFF
Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\112E2261.exe/CryptFF/UPX
Deleted: HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1134765A.exe
Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\112E2261.exe
Detected: Trojan-Spy.HTML.Bankfraud.p C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\357F57F3.exe/CryptFF
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\4d5A4FC5.dll/CryptFF
Deleted: Trojan-Spy.HTML.Bankfraud.p C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\357F57F3.htm
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\4D5D79C1.dll/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\4D5D4FC5.dll/CryptFF
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\5D0C1A7E.dll/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Nortn AntiVirusQuarantine\4D5D79C1.dll
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\5D0C1A7E.dll
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Norton AntiVirusQuarantine\6A115978.dll/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\Documents and Settings\All Users\Application Data\Symante\Nortn AntiVirusQuarantine\6A115978.dll
Detected: Trojan-Spy.Win32.SpyAnyTime.c C:\Documents and Settings\Brett\My Documents\Temp\SANYTIMEsoftwarespy.zip/Spy Anytime PC Spy 2.3/setup.exe/data0001
Deleted: Trojan-Spy.Win32.SpyAnyTime.c C:\Documents and Settings\Brett\My Documents\Temp\SANYTIMEsoftwarespy.zip/Spy Anytime PC Spy 2.3/setup.exe
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001448.exe/CryptFF
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001449.exe/CryptFF
Detected: Trojan.Win32.Crypt.o C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001450.exe/CryptFF
Deleted: Trojan.Win32.Crypt.o C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001450.exe
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001448.exe
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001449.exe
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001453.EXE/CryptFF
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001452.exe/CryptFF
Detected: Trojan.Win32.Crypt.o C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001451.dll/CryptFF
Deleted: Trojan.Win32.Crypt.o C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001451.dll
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001454.exe/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001453.EXE
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001455.exe/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001452.exe
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001454.exe
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001455.exe
Detected: not-a-virus:Adware.Win32.WinAD.ak C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001458.dll/CryptFF/UPX
Detected: not-a-virus:Adware.Win32.WinAD.ak C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001459.exe/CryptFF/UPX
Detected: not-a-virus:Adware.Win32.WinAD.ak C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001457.exe/CryptFF
Deleted: not-a-virus:Adware.Win32.WinAD.ak C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001458.dll
Deleted: not-a-virus:Adware.Win32.WinAD.ak C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001459.exe
Detected: HEUR.Trojan.Win32.Generic C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001516.exe/CryptFF/UPX
Detected: HEUR.Trojan.Win32.Generic C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001517.exe/CryptFF/UPX
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001518.dll/CryptFF
Detected: HEUR.Trojan.Win32.Generic C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001516.exe/CryptFF
Deleted: HEUR.Trojan.Win32.Generic C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001516.exe
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001518.dll
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001520.dll/CryptFF
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001519.dll/CryptFF
Detected: HEUR.Trojan.Win32.Generic C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001517.exe/CryptFF
Deleted: HEUR.Trojan.Win32.Generic C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001517.exe
Detected: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001521.dll/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001521.dll/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001520.dll/CryptFF
Deleted: not-a-virus:AdWare.Win32.AdBlaster.b C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP15\A0001519.dll/CryptFF
Detected: not-a-virus:AdWare.Win32.Sahat.ao C:\WINDOWS\system32\70tovmto.ini
Detected: not-a-virus:AdWare.Win32.Sahat.ao C:\WINDOWS\system32\gah95on6.ini
Deleted: not-a-virus:AdWare.Win32.Sahat.ao C:\WINDOWS\system32\70tovmto.ini
Deleted: not-a-virus:AdWare.Win32.Sahat.ao C:\WINDOWS\system32\gah95on6.ini
-
Download SuperAntiSpyware (http://www.SuperAntiSpyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE)
- Load SuperAntiSpyware and click the Check for updates button.
- Once the update is finished click the Scan your computer button.
- Check Perform Complete Scan and then next.
- SuperAntiSpyware will now scan your computer and when its finished it will list all the infections it has found.
- Make sure that they all have a check next to them and press next.
- Click finish and you will be taken back to the main interface.
- Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
- Copy and paste the log onto the forum.
-
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/05/2010 at 01:46 PM
Application Version : 4.41.1000
Core Rules Database Version : 5322
Trace Rules Database Version: 3134
Scan type : Complete Scan
Total Scan Time : 00:46:51
Memory items scanned : 529
Memory threats detected : 0
Registry items scanned : 7287
Registry threats detected : 0
File items scanned : 28943
File threats detected : 266
Adware.Tracking Cookie
*Blocked Russian URL* [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.overture.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.overture.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.247realmedia.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.kontera.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.kontera.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.kontera.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.apmebf.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.avgtechnologies.112.2o7.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.liveperson.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.liveperson.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.kaspersky.122.2o7.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.fastclick.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.cyberdefender.122.2o7.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.a1.interclick.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.ehg-eset.hitbox.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.hitbox.com [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
*Blocked Russian URL* [ C:\Documents and Settings\Brett\Application Data\Mozilla\Firefox\Profiles\jsow3vw5.default\cookies.sqlite ]
.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.adinterax.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.s.clickability.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.s.clickability.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
server.cpmstar.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.redorbit.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.yieldmanager.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.at.atwola.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.edge.ru4.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.edge.ru4.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificmedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
cdn4.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
cdn4.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.richmedia.yahoo.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.imrworldwide.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.newbalance.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.interclick.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
server.iad.liveperson.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
server.iad.liveperson.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
citi.bridgetrack.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.iacas.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.iacas.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.iacas.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
ads.lucidmedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.michaelcfina.122.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.roiservice.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.adlegend.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.neoedge.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.care2.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
ads.gamesbannernet.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
ads.gamesbannernet.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
ads.gamesbannernet.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.bizrate.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
media.mtvnservices.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.viacom.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.viacom.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.viacom.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.adserver.adtechus.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
rotator.adjuggler.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
rotator.adjuggler.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
sales.liveperson.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
sales.liveperson.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
sales.liveperson.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.adinterax.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.adinterax.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.borders.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.azjmp.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.microsoftwindows.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.chitika.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.ads.pointroll.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.sixteenthstreetsynagogue.org [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.e-2dj6wjlyekcpodp.stats.esomniture.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.e-2dj6wjny-1gc5ec.stats.esomniture.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.e-2dj6wjkoknajgko.stats.esomniture.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.qnsr.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.qnsr.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
cdn4.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.videoegg.adbureau.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.afe.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
stat.onestat.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
stat.onestat.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.a1.interclick.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.cbs.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.lockedonmedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.eyewonder.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
sales.liveperson.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
www.skicountryantiques.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.kiplinger.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.healthgrades.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
cdn4.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
webstats.aetna.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.legolas-media.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
adserver.webads.co.il [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
cdn4.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
cdn4.specificclick.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.dmtracker.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.avgtechnologies.112.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
dc.tremormedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.socialmedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
stats.amnh.org [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.hotelscom.122.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.server.cpmstar.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.network.realmedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.server.cpmstar.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.chicagosuntimes.122.2o7.net [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.kontera.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
secure.sussexdirectories.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.sussexdirectories.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.sussexdirectories.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.secure3.sussexdirectories.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.secure3.sussexdirectories.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.at.atwola.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.insightexpressai.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
www.googleadservices.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.at.atwola.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
.nextag.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
www.clickmanage.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
www.clickmanage.com [ C:\Documents and Settings\Deborah\Application Data\Mozilla\Firefox\Profiles\r183vqyk.default\cookies.sqlite ]
Adware.Vundo/Variant-X32[Header]
C:\PROGRAM FILES\GIFCONSTRUCTIONSETPROFESSIONAL\GCSGIF32.DLL
C:\PROGRAM FILES\GIFCONSTRUCTIONSETPROFESSIONAL\GCSJPG32.DLL
C:\PROGRAM FILES\GIFCONSTRUCTIONSETPROFESSIONAL\GCSPCX32.DLL
C:\PROGRAM FILES\GIFCONSTRUCTIONSETPROFESSIONAL\GCSPNG32.DLL
C:\PROGRAM FILES\GIFCONSTRUCTIONSETPROFESSIONAL\GCSTGA32.DLL
Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\IESH12052004.CFG
-
We'll do another scan here, to check for anymore malware.
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky (http://telecharger.kaspersky.fr/GSI/GetSystemInfo.exe) and save it to your Desktop.
Note: please close all other applications running on your system.
Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.
Click the Settings button.(http://i40.tinypic.com/2hd457o.gif)
(http://img38.imageshack.us/img38/8376/settingsslider.png)
Set the slider to Maximum.
(http://img14.imageshack.us/img14/7973/driversports.png)
IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.
(http://img683.imageshack.us/img683/9388/generaltab.png)
On the General tab, make sure all of the boxes are checked.
(http://img687.imageshack.us/img687/4604/misce.png)
On the Misc tab, make sure all the checkboxes are checked.
Then, click OK on the windows that you launched.
(http://i44.tinypic.com/2ekm73m.gif)
Click Create Report to run it.
(http://img227.imageshack.us/img227/371/beginscanning.png)
It will begin scanning.
It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.
It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.
It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
-
http://www.getsysteminfo.com/read.php?file=bc6955735edde6db53c8a4cae6aedfb6
-
Are there any other signs of infection?
Shall we clean up or continue searching?
-
Please open Notepad and enter in the following:Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.
Then, exit Notepad.
Double-click on remove.bat.
Please re-run remover.exe and post a new log in your next reply.
Sorry, I know, it's not my topic, but I read it here and because I have also some problems with my sound on my laptop, I tried this. But after doing exactly like you have described it, my laptop does not boot. Is there a solution?
-
Right now the sound is working again and the ticking noise seems to have abated... We could go for the clean up now unless you think I should use that computer again for the next few days to see if anything else comes up. (I've been borrowing a laptop for the past month or so...)
-
Why not give it a few days, and let me know if anything shows up. :)
-
Okay, so after a using the computer a bunch of times, the sound is still working and the only thing I'm seeing that gets me nervous is this message still pops up, and I'm not sure what it's related to:
WMI has changed since the last time you used it. This could happen if you have updated it recently. Click Detail to see more information. Do you want to allow it to access the network?
The executable has changed since the last time you used: C:\WINDOWS\system32\wbem\wmiprvse.exe
My computer also seems to be sluggish. It may be because I've been borrowing my wife's faster laptop a lot lately, but it just seems slow and that also gets me nervous. Maybe I need to remove some of the software we've added?
-
Download and run this utility, and tell me any results: http://www.microsoft.com/downloads/details.aspx?FamilyID=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en
-
Hey guys, for those of you who are having this problem but this solution isn't working for you (or is too long and you are lazy):
There is a program called ProcessGuard, which allows you to deny a program to ever run. You can use it to just block iexplore.exe from ever running. This blocks the symptoms, so its nice as a quick fix, but keep in mind you still have the disease! I have just done this, it is also nice because it allows you to remain functional while actually fixing it as well without the iexplore's to worry about.
-
18424 09:15:45 (0) ** WMIDiag v2.0 started on Tuesday, September 14, 2010 at 09:11.
18425 09:15:45 (0) **
18426 09:15:45 (0) ** Copyright (c) Microsoft Corporation. All rights reserved - January 2007.
18427 09:15:45 (0) **
18428 09:15:45 (0) ** This script is not supported under any Microsoft standard support program or service.
18429 09:15:45 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
18430 09:15:45 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
18431 09:15:45 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
18432 09:15:45 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
18433 09:15:45 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
18434 09:15:45 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
18435 09:15:45 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
18436 09:15:45 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
18437 09:15:45 (0) ** of the possibility of such damages.
18438 09:15:45 (0) **
18439 09:15:45 (0) **
18440 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18441 09:15:45 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
18442 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18443 09:15:45 (0) **
18444 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18445 09:15:45 (0) ** Windows XP - No service pack - 32-bit (2600) - User 'D2PGV571\BRETT' on computer 'D2PGV571'.
18446 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18447 09:15:45 (0) ** Environment: ... OK..
18448 09:15:45 (0) ** System drive: ... C: (Disk #0 Partition #1).
18449 09:15:45 (0) ** Drive type: ... IDE (Maxtor 6Y080M0).
18450 09:15:45 (0) ** There are no missing WMI system files: ....................................... ....................................... OK.
18451 09:15:45 (0) ** There are no missing WMI repository files: ....................................... ................................... OK.
18452 09:15:45 (0) ** WMI repository state: ....................................... ....................................... ................. N/A.
18453 09:15:45 (0) ** BEFORE running WMIDiag:
18454 09:15:45 (0) ** The WMI repository has a size of: ....................................... ....................................... ..... 12 MB.
18455 09:15:45 (0) ** - Disk free space on 'C:': ....................................... ....................................... ............ 29517 MB.
18456 09:15:45 (0) ** - INDEX.BTR, 1826816 bytes, 9/14/2010 9:10:23 AM
18457 09:15:45 (0) ** - INDEX.MAP, 940 bytes, 9/14/2010 9:10:23 AM
18458 09:15:45 (0) ** - OBJECTS.DATA, 10575872 bytes, 9/14/2010 9:10:23 AM
18459 09:15:45 (0) ** - OBJECTS.MAP, 5208 bytes, 9/14/2010 9:10:24 AM
18460 09:15:45 (0) ** AFTER running WMIDiag:
18461 09:15:45 (0) ** The WMI repository has a size of: ....................................... ....................................... ..... 12 MB.
18462 09:15:45 (0) ** - Disk free space on 'C:': ....................................... ....................................... ............ 29512 MB.
18463 09:15:45 (0) ** - INDEX.BTR, 1826816 bytes, 9/14/2010 9:10:23 AM
18464 09:15:45 (0) ** - INDEX.MAP, 940 bytes, 9/14/2010 9:10:23 AM
18465 09:15:45 (0) ** - OBJECTS.DATA, 10575872 bytes, 9/14/2010 9:10:23 AM
18466 09:15:45 (0) ** - OBJECTS.MAP, 5208 bytes, 9/14/2010 9:10:24 AM
18467 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18468 09:15:45 (0) ** Windows Firewall: ....................................... ....................................... ..................... NOT INSTALLED.
18469 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18470 09:15:45 (0) ** DCOM Status: ... OK.
18471 09:15:45 (0) ** WMI registry setup: ....................................... ....................................... ................... OK.
18472 09:15:45 (0) ** WMI Service has no dependents: ....................................... ....................................... ........ OK.
18473 09:15:45 (0) ** RPCSS service: ... OK (Already started).
18474 09:15:45 (0) ** WINMGMT service: ... OK (Already started).
18475 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18476 09:15:45 (0) ** WMI service DCOM setup: ....................................... ....................................... ............... OK.
18477 09:15:45 (2) !! WARNING: WMI DCOM components registration is missing for the following EXE/DLLs: .................................... 6 WARNING(S)!
18478 09:15:45 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{7A0227F6-7108-11D1-AD90-00C04FD8FDFF}\InProcServer32)
18479 09:15:45 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32)
18480 09:15:45 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{ED51D12E-511F-4999-8DCD-C2BAC91BE86E}\InProcServer32)
18481 09:15:45 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32)
18482 09:15:45 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{A1044801-8F7E-11D1-9E7C-00C04FC324A8}\InProcServer32)
18483 09:15:45 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{F7CE2E13-8C90-11D1-9E7B-00C04FC324A8}\InProcServer32)
18484 09:15:45 (0) ** => WMI System components are not properly registered as COM objects, which could make WMI to
18485 09:15:45 (0) ** fail depending on the operation requested.
18486 09:15:45 (0) ** => For a .DLL, you can correct the DCOM configuration by executing the 'REGSVR32.EXE <Filename.DLL>' command.
18487 09:15:45 (0) **
18488 09:15:45 (0) ** WMI ProgID registrations: ....................................... ....................................... ............. OK.
18489 09:15:45 (0) ** WMI provider DCOM registrations: ....................................... ....................................... ...... OK.
18490 09:15:45 (2) !! WARNING: WMI provider CIM registrations missing for the following provider(s): ...................................... 3 WARNING(S)!
18491 09:15:45 (0) ** - ROOT/INTELNCS, NcsEvent (i.e. WMI Class 'IANet_802dot3VlanEvent')
18492 09:15:45 (0) ** MOF Registration: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
18493 09:15:45 (0) ** - ROOT/INTELNCS, NcsEvent (i.e. WMI Class 'IANet_802dot3TeamEvent')
18494 09:15:45 (0) ** MOF Registration: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
18495 09:15:45 (0) ** - ROOT/INTELNCS, NcsEvent (i.e. WMI Class 'IANet_802dot3AdapterEvent')
18496 09:15:45 (0) ** MOF Registration: 'WMI information not available (This could be the case for an external application or a third party WMI provider)'
18497 09:15:45 (0) ** => This is an issue because there are still some WMI classes referencing this list of providers
18498 09:15:45 (0) ** while the CIM registration is wrong or missing. This can be due to:
18499 09:15:45 (0) ** - a de-installation of the software.
18500 09:15:45 (0) ** - a deletion of some CIM registration information.
18501 09:15:45 (0) ** => You can correct the CIM configuration by:
18502 09:15:45 (0) ** - Manually recompiling the MOF file(s) with the 'MOFCOMP <FileName.MOF>' command.
18503 09:15:45 (0) ** Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
18504 09:15:45 (0) ** (This list can be built on a similar and working WMI Windows installation)
18505 09:15:45 (0) ** The following command line must be used:
18506 09:15:45 (0) ** i.e. 'WMIDiag CorrelateClassAndProvider'
18507 09:15:45 (0) ** - Re-installing the software.
18508 09:15:45 (0) ** => If the software has been de-installed intentionally, then this information must be
18509 09:15:45 (0) ** removed from the WMI repository. You can use the 'WMIC.EXE' command to remove the provider
18510 09:15:45 (0) ** registration data and its set of associated classes.
18511 09:15:45 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\INTELNCS path __Win32Provider Where Name='NcsEvent' DELETE'
18512 09:15:45 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\INTELNCS Class IANet_802dot3AdapterEvent DELETE'
18513 09:15:45 (0) ** => If the namespace was ENTIRELY dedicated to the intentionally de-installed software,
18514 09:15:45 (0) ** the namespace and ALL its content can be ENTIRELY deleted.
18515 09:15:45 (0) ** i.e. 'WMIC.EXE /NAMESPACE:\\ROOT path __NAMESPACE Where Name='INTELNCS' DELETE'
18516 09:15:45 (0) **
18517 09:15:45 (0) ** WMI provider CLSIDs: ....................................... ....................................... .................. OK.
18518 09:15:45 (0) ** WMI providers EXE/DLL availability: ....................................... ....................................... ... OK.
18519 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18520 09:15:45 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
18521 09:15:45 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
18522 09:15:45 (0) ** - REMOVED ACE:
18523 09:15:45 (0) ** ACEType: &h0
18524 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18525 09:15:45 (0) ** ACEFlags: &h0
18526 09:15:45 (0) ** ACEMask: &h1
18527 09:15:45 (0) ** DCOM_RIGHT_EXECUTE
18528 09:15:45 (0) **
18529 09:15:45 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
18530 09:15:45 (0) ** Removing default security will cause some operations to fail!
18531 09:15:45 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
18532 09:15:45 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
18533 09:15:45 (0) **
18534 09:15:45 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
18535 09:15:45 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
18536 09:15:45 (0) ** - REMOVED ACE:
18537 09:15:45 (0) ** ACEType: &h0
18538 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18539 09:15:45 (0) ** ACEFlags: &h0
18540 09:15:45 (0) ** ACEMask: &h1
18541 09:15:45 (0) ** DCOM_RIGHT_EXECUTE
18542 09:15:45 (0) **
18543 09:15:45 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
18544 09:15:45 (0) ** Removing default security will cause some operations to fail!
18545 09:15:45 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
18546 09:15:45 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
18547 09:15:45 (0) **
18548 09:15:45 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
18549 09:15:45 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
18550 09:15:45 (0) ** - REMOVED ACE:
18551 09:15:45 (0) ** ACEType: &h0
18552 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18553 09:15:45 (0) ** ACEFlags: &h0
18554 09:15:45 (0) ** ACEMask: &h1
18555 09:15:45 (0) ** DCOM_RIGHT_EXECUTE
18556 09:15:45 (0) **
18557 09:15:45 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
18558 09:15:45 (0) ** Removing default security will cause some operations to fail!
18559 09:15:45 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
18560 09:15:45 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
18561 09:15:45 (0) **
18562 09:15:45 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ....................................... .............................. MODIFIED.
18563 09:15:45 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
18564 09:15:45 (0) ** - ACTUAL ACE:
18565 09:15:45 (0) ** ACEType: &h0
18566 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18567 09:15:45 (0) ** ACEFlags: &h2
18568 09:15:45 (0) ** CONTAINER_INHERIT_ACE
18569 09:15:45 (0) ** ACEMask: &h1
18570 09:15:45 (0) ** WBEM_ENABLE
18571 09:15:45 (0) ** - EXPECTED ACE:
18572 09:15:45 (0) ** ACEType: &h0
18573 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18574 09:15:45 (0) ** ACEFlags: &h12
18575 09:15:45 (0) ** CONTAINER_INHERIT_ACE
18576 09:15:45 (0) ** INHERITED_ACE
18577 09:15:45 (0) ** ACEMask: &h13
18578 09:15:45 (0) ** WBEM_ENABLE
18579 09:15:45 (0) ** WBEM_METHOD_EXECUTE
18580 09:15:45 (0) ** WBEM_WRITE_PROVIDER
18581 09:15:45 (0) **
18582 09:15:45 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
18583 09:15:45 (0) ** This will cause some operations to fail!
18584 09:15:45 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
18585 09:15:45 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
18586 09:15:45 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
18587 09:15:45 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
18588 09:15:45 (0) ** A specific WMI application can always require a security setup different
18589 09:15:45 (0) ** than the WMI security defaults.
18590 09:15:45 (0) **
18591 09:15:45 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ....................................... .............................. MODIFIED.
18592 09:15:45 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
18593 09:15:45 (0) ** - ACTUAL ACE:
18594 09:15:45 (0) ** ACEType: &h0
18595 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18596 09:15:45 (0) ** ACEFlags: &h2
18597 09:15:45 (0) ** CONTAINER_INHERIT_ACE
18598 09:15:45 (0) ** ACEMask: &h1
18599 09:15:45 (0) ** WBEM_ENABLE
18600 09:15:45 (0) ** - EXPECTED ACE:
18601 09:15:45 (0) ** ACEType: &h0
18602 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18603 09:15:45 (0) ** ACEFlags: &h12
18604 09:15:45 (0) ** CONTAINER_INHERIT_ACE
18605 09:15:45 (0) ** INHERITED_ACE
18606 09:15:45 (0) ** ACEMask: &h13
18607 09:15:45 (0) ** WBEM_ENABLE
18608 09:15:45 (0) ** WBEM_METHOD_EXECUTE
18609 09:15:45 (0) ** WBEM_WRITE_PROVIDER
18610 09:15:45 (0) **
18611 09:15:45 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
18612 09:15:45 (0) ** This will cause some operations to fail!
18613 09:15:45 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
18614 09:15:45 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
18615 09:15:45 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
18616 09:15:45 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
18617 09:15:45 (0) ** A specific WMI application can always require a security setup different
18618 09:15:45 (0) ** than the WMI security defaults.
18619 09:15:45 (0) **
18620 09:15:45 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ....................................... .............................. MODIFIED.
18621 09:15:45 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
18622 09:15:45 (0) ** - REMOVED ACE:
18623 09:15:45 (0) ** ACEType: &h0
18624 09:15:45 (0) ** ACCESS_ALLOWED_ACE_TYPE
18625 09:15:45 (0) ** ACEFlags: &h12
18626 09:15:45 (0) ** CONTAINER_INHERIT_ACE
18627 09:15:45 (0) ** INHERITED_ACE
18628 09:15:45 (0) ** ACEMask: &h13
18629 09:15:45 (0) ** WBEM_ENABLE
18630 09:15:45 (0) ** WBEM_METHOD_EXECUTE
18631 09:15:45 (0) ** WBEM_WRITE_PROVIDER
18632 09:15:45 (0) **
18633 09:15:45 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
18634 09:15:45 (0) ** Removing default security will cause some operations to fail!
18635 09:15:45 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
18636 09:15:45 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
18637 09:15:45 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
18638 09:15:45 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
18639 09:15:45 (0) ** A specific WMI application can always require a security setup different
18640 09:15:45 (0) ** than the WMI security defaults.
18641 09:15:45 (0) **
18642 09:15:45 (0) **
18643 09:15:45 (0) ** DCOM security warning(s) detected: ....................................... ....................................... .... 0.
18644 09:15:45 (0) ** DCOM security error(s) detected: ....................................... ....................................... ...... 3.
18645 09:15:45 (0) ** WMI security warning(s) detected: ....................................... ....................................... ..... 0.
18646 09:15:45 (0) ** WMI security error(s) detected: ....................................... ....................................... ....... 3.
18647 09:15:45 (0) **
18648 09:15:45 (1) !! ERROR: Overall DCOM security status: ....................................... ....................................... .. ERROR!
18649 09:15:45 (1) !! ERROR: Overall WMI security status: ....................................... ....................................... ... ERROR!
18650 09:15:45 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
18651 09:15:45 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ....................................... ....................................... .. 2.
18652 09:15:45 (0) ** - ROOT/SUBSCRIPTION, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
18653 09:15:45 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
18654 09:15:45 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
18655 09:15:45 (0) ** 'select * from MSFT_SCMEventLogEvent'
18656 09:15:45 (0) **
18657 09:15:45 (0) ** WMI TIMER instruction(s): ....................................... ....................................... ............. NONE.
18658 09:15:45 (0) ** INFO: WMI ADAP status: ....................................... ....................................... ................ 1.
18659 09:15:45 (0) ** => The WMI ADAP process is currently running (1).
18660 09:15:45 (0) ** Some WMI performance classes could be missing at the time WMIDiag was executed.
18661 09:15:45 (0) ** INFO: WMI namespace(s) requiring PACKET PRIVACY: ....................................... ............................. 1 NAMESPACE(S)!
18662 09:15:45 (0) ** - ROOT/SERVICEMODEL.
18663 09:15:45 (0) ** => When remotely connecting, the namespace(s) listed require(s) the WMI client to
18664 09:15:45 (0) ** use an encrypted connection by specifying the PACKET PRIVACY authentication level.
18665 09:15:45 (0) ** (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or PktPrivacy flags)
18666 09:15:45 (0) ** i.e. 'WMIC.EXE /NODE:"D2PGV571" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
18667 09:15:45 (0) **
18668 09:15:45 (0) ** WMI MONIKER CONNECTIONS: ....................................... ....................................... .............. OK.
18669 09:15:45 (0) ** WMI CONNECTIONS: ... OK.
18670 09:15:45 (0) ** WMI GET operations: ....................................... ....................................... ................... OK.
18671 09:15:45 (0) ** WMI MOF representations: ....................................... ....................................... .............. OK.
18672 09:15:45 (0) ** WMI QUALIFIER access operations: ....................................... ....................................... ...... OK.
18673 09:15:45 (0) ** WMI ENUMERATION operations: ....................................... ....................................... ........... OK.
18674 09:15:45 (0) ** WMI EXECQUERY operations: ....................................... ....................................... ............. OK.
18675 09:15:45 (0) ** WMI GET VALUE operations: ....................................... ....................................... ............. OK.
18676 09:15:45 (0) ** WMI WRITE operations: ....................................... ....................................... ................. NOT TESTED.
18677 09:15:45 (0) ** WMI PUT operations: ....................................... ....................................... ................... NOT TESTED.
18678 09:15:45 (0) ** WMI DELETE operations: ....................................... ....................................... ................ NOT TESTED.
18679 09:15:45 (0) ** WMI static instances retrieved: ....................................... ....................................... ....... 604.
18680 09:15:45 (0) ** WMI dynamic instances retrieved: ....................................... ....................................... ...... 0.
18681 09:15:45 (0) ** WMI instance request cancellations (to limit performance impact): ....................................... ............ 0.
18682 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18683 09:15:45 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
18684 09:15:45 (0) ** DCOM: ... 0.
18685 09:15:45 (0) ** WINMGMT: ... 0.
18686 09:15:45 (0) ** WMIADAPTER: ... 0.
18687 09:15:45 (0) **
18688 09:15:45 (0) ** # of additional Event Log events AFTER WMIDiag execution:
18689 09:15:45 (0) ** DCOM: ... 0.
18690 09:15:45 (0) ** WINMGMT: ... 0.
18691 09:15:45 (0) ** WMIADAPTER: ... 0.
18692 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18693 09:15:45 (0) ** WMI Registry key setup: ....................................... ....................................... ............... OK.
18694 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18695 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18696 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18697 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18698 09:15:45 (0) **
18699 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18700 09:15:45 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
18701 09:15:45 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
18702 09:15:45 (0) **
18703 09:15:45 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\BRETT\LOCAL SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_D2PGV571_2010.09.14_09.11.33.LOG' for details.
18704 09:15:45 (0) **
18705 09:15:45 (0) ** WMIDiag v2.0 ended on Tuesday, September 14, 2010 at 09:15 (W:87 E:26 S:1).
-
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
FASTPROX.DLL
WBEMPROX.DLL- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
SystemLook 04.09.10 by jpshortstuff
Log created at 19:47 on 04/10/2010 by Brett
Administrator - Elevation successful
========== filefind ==========
Searching for "FASTPROX.DLL"
C:\Documents and Settings\Deborah\Desktop\i386\fastprox.dll --a---- 472064 bytes [02:08 22/04/2005] [10:00 04/08/2004] C28500101BC66FDABD830F8DE51A59A0
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\fastprox.dll --a---- 473600 bytes [03:14 17/04/2009] [10:56 09/02/2009] 600519339671DCFA3DD20216A19817BB
C:\WINDOWS\$NtServicePackUninstall$\fastprox.dll -----c- 472064 bytes [23:00 05/10/2008] [10:00 04/08/2004] C28500101BC66FDABD830F8DE51A59A0
C:\WINDOWS\$NtUninstallKB956572$\fastprox.dll -----c- 472064 bytes [04:58 17/04/2009] [00:11 14/04/2008] 60027BEA3E76D7DD8D96C02432BFDE82
C:\WINDOWS\ServicePackFiles\i386\fastprox.dll ------- 472064 bytes [16:47 04/09/2008] [00:11 14/04/2008] 60027BEA3E76D7DD8D96C02432BFDE82
C:\WINDOWS\system32\dllcache\fastprox.dll ------- 473600 bytes [03:14 17/04/2009] [12:10 09/02/2009] 378A0AEFB11D8B0DC8C27B9F7604B88D
C:\WINDOWS\system32\wbem\fastprox.dll --a---- 473600 bytes [18:01 10/08/2004] [12:10 09/02/2009] 378A0AEFB11D8B0DC8C27B9F7604B88D
Searching for "WBEMPROX.DLL"
C:\Documents and Settings\Deborah\Desktop\i386\wbemprox.dll --a---- 18944 bytes [02:08 22/04/2005] [10:00 04/08/2004] 851547797C2A7F8A04841644C471A567
C:\WINDOWS\$NtServicePackUninstall$\wbemprox.dll -----c- 18944 bytes [23:00 05/10/2008] [10:00 04/08/2004] 851547797C2A7F8A04841644C471A567
C:\WINDOWS\ServicePackFiles\i386\wbemprox.dll ------- 18944 bytes [16:49 04/09/2008] [00:12 14/04/2008] 205ADD80FF8099B1A8101EB490B933D1
C:\WINDOWS\system32\wbem\wbemprox.dll --a---- 18944 bytes [18:01 10/08/2004] [00:12 14/04/2008] 205ADD80FF8099B1A8101EB490B933D1
-= EOF =-
-
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
Thanks for sharing the link!
-
Before we can continue, I need to know how your computer is running, Mr Hopeless.
-
It's making these ticking noises, they usually start after I turn on the modem. The sound works okay. Internet speed seems to be okay, no internet popups, etc. I'm getting those windows about the WMI change noted above.
-
What I highly recommend now is a reformat and a reinstallation of Windows XP.
Please let me know if you are prepared to do so.
So, with that said, do you have your Windows XP CD?
Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115
http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
-
I have reinstalled Windows. Thanks for the effort. This thread can be closed.