
Problem With Trojan-aax5


PixelOz:
I'll start with a small summary of what I've been doing to fix this PC:

I'm cleaning the viruses from this computer, which belongs to a friend of my sister, and I have cleaned several infections completely with tools like Mbam and SuperAntiSpyware, which I ran twice to be sure that the infections were removed, but I still have a problem with one.

The computer was in pretty bad shape when it was given to me. It had quite a few viruses (including a couple of downloaders, uffff!) and I couldn't even boot it at first because there was a virus that was causing the computer to restart automatically, so I entered Safe Mode and worked from there until I was able to start it in normal mode after removing most viruses from it. I have disabled System Restore and have not turned it on yet.

After starting in normal mode there were still a few viruses left (one virus had infected a Windows file and was attempting to send a whole bunch of e-mails). After some more work I was able to remove those viruses too and replace the damaged Windows file (ndis.sys) from outside Windows, and I was able to stabilize it. I continued to work from there in normal mode until I removed most viruses and malware.

Most good anti-virus and anti-spyware programs are giving me a zero result in their scans now, and that includes several like Mbam Anti-Malware, SuperAntiSpyware, the ESET NOD32 online scan, the BitDefender online scan, etc. The PC was running Norton SystemWorks 2003 and I told her that she should upgrade the antivirus to a newer tool, so I removed Norton and at the moment it is running with Avast Free until further notice, and the Avast scan also came back completely negative.

The problem that I still have is that I ran the online Spy Sweeper tool from Webroot and it is indicating to me that the PC is infected with trojan-aax5. It says that it found this key in the registry:

HKU\S-1-5-21-2410742245-3193691662-3526516414\software\Microsoft\active setup\installed components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}\

With some previous viruses I had to delete some keys from the registry and some files manually to remove them, and I was successful. As you can see, most antivirus software is giving me zero results, but this key that Spy Sweeper indicated doesn't appear in the registry when I look for it, and I cannot remove this virus with Spy Sweeper because the free version doesn't do that.

This HKEY_USERS area HKU\S-1-5-21-2410742245-3193691662-3526516414 is not in the registry; what I have is something similar:

HKU\S-1-5-21-2410742245-3193691662-3526516414-1009, but that value {28abc5c0-4fcb-11cf-aax5-81cx1c635612} is not there.

Is there something running in memory blocking this key? How can I remove this nasty from the PC? In one place where I read about this trojan it said that it can also block Windows from reporting that there are upgrades available for Windows, and that it can also block Windows from reporting if the antivirus is out of date. That page said that it can also replace Windows Explorer with a copy.

This makes me suspect even more that the PC is indeed infected with this nasty, because I used the link in Internet Explorer to go to the Windows Update page to see if there were updates pending, and there were 33 pending (about 72 megabytes of download).

This PC has been connected to the Internet for several days now and I have not seen one single Windows Update message, and the automatic update feature is turned on, which is very odd.

I would appreciate any help with this.

This is a HijackThis log that I just did with a brand new download of the software:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:42:38 PM, on 8/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Gladimir\Desktop\HijackThis.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoodsTlbr.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LaunchApp] "Alaunch"
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [M3000Mnt] "Rundll32.exe" M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [LManager] "C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\AURORITA\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235102563756
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...077/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

--
End of file - 10390 bytes

Any ideas on how to remove this little sucker from my sister's friend's computer?

The PC is an Acer Aspire One ZG5 notebook with an Atom N270 processor running Windows XP Home with SP3.
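A small triage script for a HijackThis log like the one posted above, added here as an example; it is not part of the original post and not something the HijackThis tool itself provides. The sample lines are constructed from entries in the log in this thread, and the flagging rules are assumed defensive heuristics (items a helper would check first), not HijackThis's own verdicts:

```python
"""Triage a HijackThis (HJT) log: parse the 'Running processes' list and the
R*/O* lines, then flag the items a malware-removal helper would look at first."""
import re

# Constructed sample, modelled on lines from the log posted in this thread.
SAMPLE_LOG = r'''Logfile of Trend Micro HijackThis v2.0.4

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\AURORITA\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
'''

# Every HJT finding line starts with a section tag such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
# O4 bodies look like: HKLM\..\Run: [Name] "C:\path\prog.exe" /args  or  [Name] prog.exe
O4_TARGET_RE = re.compile(r'\[[^\]]+\]\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# A process living under any ...\Temp\ directory (e.g. \LOCALS~1\Temp\).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# HJT's own markers for registry entries whose target file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Return (processes, entries): the running-process paths and a list of
    (section, body) tuples, one per R*/O* line."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return a list of (reason, line) findings that deserve a closer look.
    These are assumed heuristics for a reviewer, not verdicts of infection."""
    findings = []
    processes, entries = parse_log(text)
    for path in processes:
        if TEMP_DIR_RE.search(path):
            findings.append(("process running from a temp folder", path))
    for section, body in entries:
        line = f"{section} - {body}"
        low = body.lower()
        if any(marker in low for marker in ORPHAN_MARKERS):
            findings.append(("orphaned entry: registry points at a missing file", line))
        elif section == "O4":
            m = O4_TARGET_RE.search(body)
            target = (m.group("quoted") or m.group("bare")) if m else None
            if target and "\\" not in target:
                # A bare file name is resolved through the search path at logon,
                # so the reviewer must confirm which file actually runs.
                findings.append(("autorun target has no directory; resolved via search path", line))
        elif section == "O20":
            if "invalid registry found" in low:
                findings.append(("stale Winlogon Notify entry", line))
            elif low.startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
                findings.append(("AppInit_DLLs loads this DLL into every process; verify publisher", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```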

SuperDave:
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

You should never disable your System Restore. A bad restore point is better than none.
Please uninstall HJT. It's running from the incorrect location.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
***************************************
Download ComboFix by sUBs from one of the below links. 

Important! You MUST save ComboFix to your desktop

link # 1
Link # 2

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

PixelOz:
Oh, it was a small mistake in the installation of HJT, but I corrected it; thanks for the heads up. I'll be more careful next time.

As for System Restore, well, I didn't know. I had seen several people recommend disabling it while trying to get some nasties out of their PCs and then restoring it afterwards, but you said it is better just never to turn it off; if that is so, it's OK with me. Anyway, I had re-enabled it and it has created an automatic restore point as usual.

I will create a manual restore point after I get this virus out of the PC, as I usually do, and I'll name it something like SystemRestoreAfterVirusClean with the date, or something like that. I usually do that because it works for me.

I'll be doing the recommended steps shortly and I'll post the results.

PixelOz:
Here is the log of the first program. Notice that it indicates that Acrobat Reader is out of date; that is because when I tried to update it, the installer found a registry key that was blocked. This blocked key is one of several indicated in the ComboFix log, and this prevented the installer from continuing:

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS

I canceled the installation and the installer started to undo the changes, and during that process it mentioned another problem with another locked registry key that is also mentioned in the ComboFix log, as you will see later:

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL

Despite this, the Acrobat installer was able to undo its changes and finish.

Here is the first program log:

 Results of screen317's Security Check version 0.99.5 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 avast! Free Antivirus   
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware   
 Eusing Free Registry Cleaner 
 Java(TM) 6 Update 21 
 Adobe Flash Player 10.0.45.2 
Adobe Reader 9
Out of date Adobe Reader installed!
 Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 Webroot Security current plugins\antimalware\AEI.exe
 Alwil Software Avast5 AvastSvc.exe 
 ALWILS~1 Avast5 avastUI.exe 
 Trend Micro HiJackThis HiJackThis.exe 
````````````````````````````````
DNS Vulnerability Check:
 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

And here is the ComboFix log:

ComboFix 10-09-01.04 - Gladimir 09/03/2010   1:54.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.461 [GMT -3:00]
Running from: c:\documents and settings\Gladimir\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Gladimir\g2mdlhlpx.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok.A12.em.bin
c:\documents and settings\NetworkService\Local Settings\Application Data\Kosong.Bron.Tok.txt
c:\documents and settings\NetworkService\Local Settings\Application Data\ListHost12.txt
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.crx
c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.png
c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodssafe.dll
c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodsTlbr.dll
c:\program files\facemoods.com\facemoods\1.3.61.8\uninstall.exe
c:\program files\Mozilla Firefox\extensions\[email protected]
c:\program files\Mozilla Firefox\extensions\[email protected]\chrome.manifest
c:\program files\Mozilla Firefox\extensions\[email protected]\components\FFHst.dll
c:\program files\Mozilla Firefox\extensions\[email protected]\components\FFHst.xpt
c:\program files\Mozilla Firefox\extensions\[email protected]\content\facemoods.css
c:\program files\Mozilla Firefox\extensions\[email protected]\content\facemoods.png
c:\program files\Mozilla Firefox\extensions\[email protected]\content\facemoods.xul
c:\program files\Mozilla Firefox\extensions\[email protected]\content\fcmdDef.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\facemoods.png
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\fb.gif
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\help_16.gif
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\home.gif
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\logo.png
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\moodsIcon.png
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\pref.jpg
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\privecy_16_hot.gif
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\stripicons.png
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\tellafriend.gif
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\Thumbs.db
c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\vssver.scc
c:\program files\Mozilla Firefox\extensions\[email protected]\content\instlgc.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\Loader.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\mtrprt.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\newTabLgc.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\preferences\preferences.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\preferences\preferences.xul
c:\program files\Mozilla Firefox\extensions\[email protected]\content\preferences\vssver.scc
c:\program files\Mozilla Firefox\extensions\[email protected]\content\prefman.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\script-compiler.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\Thumbs.db
c:\program files\Mozilla Firefox\extensions\[email protected]\content\utils.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\vssver.scc
c:\program files\Mozilla Firefox\extensions\[email protected]\content\xmlhttprequester.js
c:\program files\Mozilla Firefox\extensions\[email protected]\content\xpiInstallLgc.js
c:\program files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\instlPref.js
c:\program files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\vssver.scc
c:\program files\Mozilla Firefox\extensions\[email protected]\install.rdf
c:\program files\Mozilla Firefox\extensions\[email protected]\vssver.scc
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((   Files Created from 2010-08-03 to 2010-09-03  )))))))))))))))))))))))))))))))
.

2010-09-03 04:30 . 2009-12-19 16:26   57344   ----a-w-   c:\documents and settings\All Users\Application Data\Artweaver\1.0\Updater\Artweaver.exe
2010-09-03 04:30 . 2009-12-19 16:26   408576   ----a-w-   c:\documents and settings\All Users\Application Data\Artweaver\1.0\Updater\Update.dll
2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Artweaver
2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Artweaver
2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\program files\Artweaver 1.0
2010-09-03 02:48 . 2010-09-03 02:48   --------   d-----w-   c:\program files\Common Files\Java
2010-09-03 02:03 . 2010-09-03 02:03   388096   ----a-r-   c:\documents and settings\Gladimir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-03 02:02 . 2010-09-03 02:02   --------   d-----w-   c:\program files\Trend Micro
2010-09-02 00:56 . 2010-09-02 00:56   --------   d---a-w-   c:\windows\rundll16.exe
2010-09-02 00:56 . 2010-09-02 00:56   --------   d---a-w-   c:\windows\logo1_.exe
2010-09-01 22:45 . 2010-09-03 03:18   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\Adobe
2010-09-01 20:47 . 2010-09-01 20:47   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Malwarebytes
2010-09-01 17:42 . 2010-09-01 17:42   692224   ---ha-w-   C:\SZKGFS.dat
2010-09-01 17:37 . 2010-09-01 17:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\SITEguard
2010-09-01 17:35 . 2010-09-01 17:35   --------   d-----w-   c:\program files\Common Files\iS3
2010-09-01 17:35 . 2010-09-03 01:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-01 00:43 . 2010-09-01 00:52   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
2010-08-31 19:24 . 2010-08-31 19:26   5392374   ----a-w-   c:\windows\REGBK00.ZIP
2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\VDLL.DLL
2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\system32\runouce.exe
2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\RUNDL132.EXE
2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\logo_1.exe
2010-08-31 19:10 . 2010-08-31 19:10   632064   ----a-w-   c:\windows\system32\msvcr80.dll
2010-08-31 19:10 . 2010-08-31 19:10   554240   ----a-w-   c:\windows\system32\msvcp80.dll
2010-08-31 19:10 . 2010-08-31 19:10   34048   ----a-w-   c:\windows\system32\eEmpty.exe
2010-08-31 19:10 . 2008-04-15 03:00   135680   ----a-w-   c:\windows\system32\T.COM
2010-08-31 19:10 . 2008-04-15 03:00   146432   ----a-w-   c:\windows\R.COM
2010-08-31 19:10 . 2010-08-31 19:10   --------   d-----w-   c:\program files\Common Files\MicroWorld
2010-08-31 19:09 . 2010-08-31 19:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\MicroWorld
2010-08-31 18:59 . 2010-08-31 19:05   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Download Manager
2010-08-31 05:26 . 2010-08-31 05:32   --------   d-----w-   c:\program files\Windows Live Safety Center
2010-08-30 23:53 . 2010-06-24 12:21   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
2010-08-30 22:18 . 2010-06-17 17:49   24496   ----a-w-   c:\windows\system32\drivers\sshrmd.sys
2010-08-30 22:18 . 2010-06-17 17:49   182056   ----a-w-   c:\windows\system32\drivers\ssidrv.sys
2010-08-30 22:18 . 2010-06-17 17:49   45072   ----a-w-   c:\windows\system32\drivers\ssfmonm.sys
2010-08-30 22:12 . 2010-08-16 18:20   3199328   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\WRInstall.exe
2010-08-30 22:12 . 2010-08-30 22:12   --------   d-----w-   c:\program files\Webroot
2010-08-30 22:11 . 2010-08-30 22:12   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}
2010-08-30 22:10 . 2010-08-16 18:07   121856   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\EA369C90\DE0A17F3\xmllite.dll
2010-08-30 22:10 . 2010-08-16 18:18   385928   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\54E229FA\DE0A17F3\WRInstallProgressHelper.dll
2010-08-30 22:10 . 2010-08-16 18:18   433072   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\FA6F4296\DE0A17F3\WRSvcAssist.exe
2010-08-30 22:10 . 2010-08-16 18:17   1266336   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\B2785152\DE0A17F3\WRTray.exe
2010-08-30 22:10 . 2010-08-16 18:15   50984   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\C3BEFA\DE0A17F3\WRConsumerServicePS.dll
2010-08-30 22:10 . 2009-07-02 01:51   101888   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\mIDEFunc.dll\mEXEFunc.dll
2010-08-30 22:10 . 2010-08-16 18:13   3035616   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\E3131F5C\DE0A17F3\WRConsumerService.exe
2010-08-30 20:31 . 2010-08-30 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\F-Secure
2010-08-30 05:16 . 2010-09-02 18:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Webroot
2010-08-30 05:13 . 2010-08-30 05:13   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\PackageAware
2010-08-30 05:00 . 2010-06-28 20:37   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-08-30 05:00 . 2010-06-28 20:32   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-08-30 05:00 . 2010-06-28 20:33   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-08-30 05:00 . 2010-06-28 20:37   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-08-30 05:00 . 2010-06-28 20:32   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-08-30 05:00 . 2010-06-28 20:32   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-08-30 05:00 . 2010-06-28 20:32   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-08-30 04:59 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
2010-08-30 04:59 . 2010-06-28 20:57   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-08-30 04:58 . 2010-08-30 04:58   --------   d-----w-   c:\program files\Alwil Software
2010-08-30 04:58 . 2010-08-30 04:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-29 05:02 . 2010-08-29 05:02   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-08-28 19:02 . 2010-08-30 23:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-28 07:28 . 2010-08-28 18:23   --------   d-----w-   c:\documents and settings\Gladimir\DoctorWeb
2010-08-27 21:36 . 2010-08-27 21:36   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\Mozilla
2010-08-27 21:34 . 2010-08-27 21:34   --------   d-sh--w-   c:\documents and settings\Gladimir\PrivacIE
2010-08-27 21:33 . 2010-08-27 21:33   --------   d-sh--w-   c:\documents and settings\Gladimir\IECompatCache
2010-08-27 19:44 . 2010-08-27 19:44   503808   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcp71.dll
2010-08-27 19:44 . 2010-08-27 19:44   499712   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\jmc.dll
2010-08-27 19:44 . 2010-08-27 19:44   61440   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-sse.dll
2010-08-27 19:44 . 2010-08-27 19:44   348160   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcr71.dll
2010-08-27 19:44 . 2010-08-27 19:44   12800   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-d3d.dll
2010-08-27 19:36 . 2010-08-27 19:44   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\Google
2010-08-27 19:36 . 2010-08-27 19:38   65720   ----a-w-   c:\documents and settings\Gladimir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-27 19:35 . 2010-08-27 19:35   --------   d-sh--w-   c:\documents and settings\Gladimir\IETldCache
2010-08-25 05:16 . 2008-04-14 00:50   182656   ------w-   c:\windows\system32\dllcache\ndis.sys
2010-08-25 05:15 . 2008-04-14 00:50   182656   ------w-   c:\windows\system32\drivers\ndis.sys
2010-08-22 00:28 . 2001-08-17 20:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
2010-08-22 00:28 . 2001-08-17 20:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
2010-08-22 00:28 . 2008-04-15 03:00   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
2010-08-22 00:28 . 2008-04-15 03:00   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
2010-08-21 13:44 . 2010-08-21 13:44   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-08-21 13:43 . 2010-08-21 13:43   --------   d-sh--w-   c:\windows\system32\config\systemprofile\PrivacIE
2010-08-21 13:36 . 2010-09-01 05:24   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-08-21 10:35 . 2010-08-21 10:35   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-08-19 23:27 . 2010-08-20 04:34   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 19:52 . 2010-08-19 20:07   164   ----a-w-   c:\windows\install.dat
2010-08-19 16:44 . 2010-08-20 04:49   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-08-19 16:44 . 2010-08-20 04:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-18 00:30 . 2009-06-30 16:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2010-08-18 00:30 . 2010-08-18 00:30   --------   d-----w-   c:\program files\Panda Security
2010-08-17 18:45 . 2010-08-17 18:45   --------   d-----w-   c:\windows\McAfee.com
2010-08-17 13:09 . 2010-08-17 13:31   --------   d-----w-   c:\windows\BDOSCAN8
2010-08-17 05:30 . 2010-04-29 22:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 05:30 . 2010-08-17 05:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-08-17 05:30 . 2010-08-17 05:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 05:30 . 2010-04-29 22:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-08-17 00:46 . 2010-08-17 00:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-17 00:46 . 2010-08-17 00:47   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-08-17 00:12 . 2010-08-17 00:12   90112   ----a-w-   c:\windows\system32\YmsgCrypt.dll
2010-08-17 00:12 . 2010-08-17 00:12   139264   ----a-w-   c:\windows\system32\DartCertificate.dll
2010-08-17 00:12 . 2010-08-17 00:12   147456   ----a-w-   c:\windows\system32\DartSecure2.dll
2010-08-17 00:11 . 2010-08-17 00:12   212992   ----a-w-   c:\windows\system32\DartSock.dll
2010-08-16 23:59 . 2010-08-16 23:59   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2010-08-09 00:14 . 2010-08-12 01:34   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Loc.Mail.Bron.Tok
2010-08-09 00:13 . 2010-08-09 00:13   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Ok-SendMail-Bron-tok
2010-08-09 00:08 . 2008-04-15 03:00   221184   ----a-w-   c:\windows\system32\wmpns.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 04:18 . 2008-08-15 18:03   --------   d-----w-   c:\program files\Common Files\Adobe
2010-09-03 02:47 . 2010-07-10 23:13   --------   d-----w-   c:\program files\Java
2010-09-02 17:48 . 2010-09-02 17:48   344   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
2010-09-01 02:21 . 2008-08-15 18:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-30 23:25 . 2010-03-11 04:44   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2010-08-29 02:34 . 2010-03-11 04:45   --------   d-----w-   c:\program files\Norton SystemWorks
2010-08-29 01:53 . 2010-03-11 04:45   --------   d-----w-   c:\program files\Symantec
2010-08-29 01:53 . 2010-03-11 04:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
2010-08-21 10:23 . 2010-08-27 19:33   38784   ----a-w-   c:\documents and settings\Gladimir\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-19 22:32 . 2010-05-27 08:54   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-08-19 21:37 . 2010-03-10 23:13   --------   d-----w-   c:\program files\Windows Media Connect 2
2010-07-17 08:00 . 2010-07-10 23:14   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-06 21:13 . 2010-05-22 17:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-06 21:13 . 2010-05-22 17:19   --------   d-----w-   c:\program files\Common Files\Apple
2010-07-05 19:46 . 2010-03-01 01:16   --------   d-----w-   c:\program files\PhotoScape
2010-06-30 12:31 . 2008-04-15 03:00   149504   ----a-w-   c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2007-08-14 01:54   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-15 03:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-15 03:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-15 03:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-15 03:00   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-15 03:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
2010-08-27 19:44 . 2010-08-27 19:44   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-16 1266336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ontrack\\PowerDesk\\PDExplo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ontrack\\PowerDesk\\PDWIZARD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/17/2010 9:30 PM 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/30/2010 2:00 AM 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 3:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 3:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/30/2010 2:00 AM 17744]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [8/30/2010 7:18 PM 45072]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/16/2010 3:13 PM 3035616]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 1:01 PM 254976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/20/2009 3:30 PM 30192]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/20/2009 3:34 PM 96856]
.
Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]

2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Gladimir\Application Data\Mozilla\Firefox\Profiles\fedsd5fu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
Toolbar-Locked - (no file)
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodsTlbr.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.3.61.8\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 02:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\docume~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2010-09-03  02:28:38 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-03 05:28

Pre-Run: 135,969,505,280 bytes free
Post-Run: 136,327,921,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 8061CF69B3ECA7C8A1DBCCE9BFB07AE5


I don't know if this is related but I will mention it. When I was running one of the antispyware programs (I don't remember which one it was), it found a virus file that it said was a PDFexploit of some kind.

I removed this and further scans did not reveal this particular virus anymore. I'm mentioning this to you because I don't know if this particular virus could have blocked those keys that prevent Acrobat Reader from updating, or if this is something else altogether.

It is not the first time that I have run across this blocked registry keys issue. On another computer that I handled once, which was very severely infected, I was able to remove all the viruses but one that was also blocking a couple of registry keys. With help from somebody on a forum similar to this one, by running a ComboFix script that he gave me, the virus was removed and the keys were freed, so I was able to delete them and the virus never came back. I guess that we could have a similar problem here.

Also, I noticed that ComboFix removed all the parts of a program called Facemoods. I suspected this program, as I suspect many add-ons and toolbars that you add to browsers. I personally don't like any kind of toolbar on my PCs and I don't install any, because they are mostly useless and a waste of browser window space, not counting the problems that they sometimes create.

I had looked into the program on the web and I didn't find much of a reference indicating to me that it was a bad program, and most antivirus programs don't say it is a bad program, but if ComboFix removed it that is fine with me.

I don't like that smiley stuff on computers and I don't recommend it at all, because in my experience toolbars and smileys cause a lot of problems, so I don't install any unless they are separate graphic files such as .gif files without any installer of any kind, because those smiley packages with installers are usually troublesome.

I know how bad those smileys from Smiley Central are, for example, but too many people install garbage like that and stuff like MyWebSearch on their PCs, making just a mess.

Well, anyway, I put this here so that if other people read this thread they learn more and become more careful with the stuff they put on their computers.

Oh, I also want to mention that before all of this I had gone into the Control Panel and changed Windows Automatic Updates to notify me but download only with my permission. I do this on my computers to keep the bandwidth under my control, but I always apply the updates very quickly when they are available; I'm always very responsible with this. For most other people I recommend that they leave this on automatic, especially if they don't know much about PCs.

When I'm done working with this PC I will change it back to fully automatic, because it is better for people who do not know too much about PCs, like the owner of this mini laptop.

After doing that it seems to have reset the Windows Update issue, and I downloaded and installed the Windows updates after the yellow shield appeared in the system tray. The computer asked for a restart and the yellow shield appeared a couple more times with additional updates, and after a couple of restarts Windows was done with all the updates, so so far it seems to be working again as it should.

Keep in mind that this was after removing most viruses from the PC, and there were plenty. I will keep an eye on this and also on my PCs, to see if further update notices from Microsoft on my XP machines are reflected on this PC too, as they should be, because I also have a PC with XP Home in my house.

I also noticed that ComboFix detected the absence of the Recovery Console and it seems to have corrected this successfully. I will mention also that the sfc /scannow feature was not working when I started to fix this PC (I tested that), but after fixing many things and removing many viruses it has started to work again; I just can't use it normally as I do with other PCs, because this Acer laptop doesn't have a CD-ROM. This was all before starting these procedures from you.

I just wanted to give you as much info as possible to try to help you with this.

Anyway let's continue with the process. There you have the results so far.
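The ComboFix log in the post above is the kind of output a responder reads section by section: the Run autostarts under "Reg Loading Points", the "ORPHANS REMOVED" list, the "LOCKED REGISTRY KEYS" block with the DACL line ComboFix prints, and "Other Running Processes". As an added example, which is neither ComboFix's code nor the poster's, here is a small Python triage script that parses those sections and reports the entries a defender would look at first: autostarts whose file is missing (ComboFix prints [X] when it cannot find the referenced file) or that are given as a bare filename resolved through the search path, every locked key together with the DLL it loads, and processes running from a Temp directory. The embedded sample log is a constructed excerpt of the lines posted above; the section-header matching and the triage rules are assumptions made for this example, not ComboFix's own format specification.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's or the poster's code).
Section-header matching and the triage rules below are assumptions made for this example."""
import re

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
KEY_HEADER = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DACL_LINE = re.compile(r'^@DACL=\((?P<dacl>[^)]*)\)$')
ORPHAN_LINE = re.compile(r'^(?P<kind>[A-Za-z]+)-(?P<ident>.+?) - (?P<target>.*)$')
PROC_LINE = re.compile(r'^[a-z]:\\', re.IGNORECASE)


def parse_combofix(text):
    """Split the log into autostarts, removed orphans, locked keys and running processes."""
    section, key = None, None
    out = {'run': [], 'orphans': [], 'locked': [], 'procs': []}
    for raw in text.splitlines():
        line = raw.strip()
        # Section headers first; any other banner or rule line closes the current section.
        if 'Reg Loading Points' in line:
            section = 'run'
        elif line.startswith('- - - - ORPHANS REMOVED'):
            section = 'orphans'
        elif 'LOCKED REGISTRY KEYS' in line:
            section = 'locked'
        elif 'Other Running Processes' in line:
            section = 'procs'
        elif line.startswith(('---', '***', '(((')):
            section = None
        elif section == 'run':
            if m := KEY_HEADER.match(line):
                key = m.group('key')
            elif (m := RUN_LINE.match(line)) and key:
                # ComboFix appends "[X]" when the file an autostart points to is not on disk
                missing = (m.group('meta') or '').strip() == 'X'
                out['run'].append({'key': key, 'name': m.group('name'),
                                   'path': m.group('path'), 'missing': missing})
        elif section == 'orphans':
            if m := ORPHAN_LINE.match(line):
                out['orphans'].append((m.group('kind'), m.group('ident'), m.group('target')))
        elif section == 'locked':
            if m := KEY_HEADER.match(line):
                out['locked'].append({'key': m.group('key'), 'dacl': '', 'values': {}})
            elif out['locked'] and (m := DACL_LINE.match(line)):
                out['locked'][-1]['dacl'] = m.group('dacl')  # kept exactly as ComboFix printed it
            elif out['locked'] and (m := VALUE_LINE.match(line)):
                out['locked'][-1]['values'][m.group('name')] = m.group('val').strip('"')
        elif section == 'procs' and PROC_LINE.match(line):
            out['procs'].append(line)
    return out


def triage(parsed):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for e in parsed['run']:
        if e['missing']:
            findings.append(f"autostart \"{e['name']}\" points to a missing file: {e['path']}")
        elif '\\' not in e['path']:
            findings.append(f"autostart \"{e['name']}\" is a bare filename resolved via the search path: {e['path']}")
    for kind, ident, target in parsed['orphans']:
        findings.append(f'orphan removed: {kind} {ident} -> {target}')
    for k in parsed['locked']:
        dll = k['values'].get('DllName') or k['values'].get('DLLName')
        findings.append(f"locked key (DACL {k['dacl']}): {k['key']}" + (f' loads {dll}' if dll else ''))
    for p in parsed['procs']:
        if '\\temp\\' in p.lower():
            findings.append(f'process running from a Temp directory: {p}')
    return findings


# Constructed sample: an excerpt of the log lines posted above, trimmed to the parsed sections.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 1 (0x1)
------- Supplementary Scan -------
- - - - ORPHANS REMOVED - - - -
BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
**************************************************************************
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
--------------------- DLLs Loaded Under Running Processes ---------------------
------------------------ Other Running Processes ------------------------
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\docume~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
**************************************************************************
"""

if __name__ == '__main__':
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports seven findings, among them the LaunchApp entry whose file is gone, the RTHDCPL entry that is only a filename, both locked keys with the DACL string ComboFix printed, and the RtkBtMnt.exe process running from the user's Temp folder. None of these is a verdict on its own (RTHDCPL.EXE, for instance, is a common audio-driver tray program), but they are exactly the lines a responder would check by hand against the file system and a known-good reference.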

PixelOz:
I also want to tell you that I don't run any antivirus or antispyware software without checking its background carefully, such as several reviews in places like PC Magazine online and other info on many web sites, and also checking it against lists of rogue antispyware programs.

Over the years I have learned which ones are good and can be trusted overall.

Anyway I won't run anything while we are doing this. I'm following your directions by the book.
