
Topic: I'm really, really lost....

SuperDave

Re: I'm really, really lost....
« Reply #15 on: April 25, 2011, 05:32:07 PM »
* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:
:OTL
O2 - BHO: (AutoLogin) - {598B818E-71F1-486E-A0BE-9952B5851367} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (AutoLogin) - {598B818E-71F1-486E-A0BE-9952B5851367} - Reg Error: Value error. File not found
O4 - HKCU..\Run: [GM4IE]  File not found
O4 - HKCU..\Run: [Steam]  File not found
O9 - Extra Button: AutoLogin - {6CE08A84-B3F9-422a-B133-60275F605AF4} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : AutoLogin - {6CE08A84-B3F9-422a-B133-60275F605AF4} - Reg Error: Value error. File not found

:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
***********************************************************
Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and a link posted for each one)

* Copy the file path in the below Code box:

Code:
C:\WINDOWS\jestertb.dll
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
*****************************************************

Quote:
I'm confused - is CPU usage and RAM usage related?

You can find more info about CPU and RAM here.

I really can't find the cause as to why your computer is always at 100%. I'd like to run one more scan.

Download DDS from HERE or HERE and save it to your desktop.

* Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
* XP users: double click on dds to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
* When finished, DDS will open two (2) logs:

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

trekkie

    Topic Starter


    Re: I'm really, really lost....
    « Reply #16 on: April 28, 2011, 05:24:14 AM »
    Remember, everything here was taken in SAFE MODE.

    OTL Log:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{598B818E-71F1-486E-A0BE-9952B5851367}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{598B818E-71F1-486E-A0BE-9952B5851367}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{598B818E-71F1-486E-A0BE-9952B5851367} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{598B818E-71F1-486E-A0BE-9952B5851367}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\GM4IE deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Steam deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6CE08A84-B3F9-422a-B133-60275F605AF4}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6CE08A84-B3F9-422a-B133-60275F605AF4}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6CE08A84-B3F9-422a-B133-60275F605AF4}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6CE08A84-B3F9-422a-B133-60275F605AF4}\ not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully
     
    [EMPTYTEMP]
     
    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
     
    User: All Users
     
    User: Anna McManus
    ->Temp folder emptied: 1558237 bytes
    ->Temporary Internet Files folder emptied: 15228232 bytes
    ->Java cache emptied: 42750257 bytes
    ->FireFox cache emptied: 77754192 bytes
    ->Google Chrome cache emptied: 6230746 bytes
    ->Apple Safari cache emptied: 5004288 bytes
    ->Flash cache emptied: 5985849 bytes
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
     
    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2434942 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 82403 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 142942 bytes
     
    Total Files Cleaned = 150.00 mb
     
     
    OTL by OldTimer - Version 3.2.22.3 log created on 04282011_114553

    Files\Folders moved on Reboot...
    C:\Documents and Settings\Anna McManus\Local Settings\Temporary Internet Files\Content.IE5\E4O1JF08\topic,113324.msg786471[1].html moved successfully.
    File move failed. C:\Documents and Settings\Anna McManus\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be moved on reboot.
    File move failed. C:\Documents and Settings\Anna McManus\Local Settings\Temporary Internet Files\SuggestedSites.dat scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    Jotti link: http://virusscan.jotti.org/en/scanresult/05654cf4bf54e3f0d69c9b5df2995a54a6fd0d85

    Had some trouble with this site. Ctrl+V=FAIL. ;D But seriously, I had to browse my way to the file. Then, when I submitted the file, it said that the file had already been scanned. I hit the "Scan Again" button on the top anyways, so the link above is to the scan of MY file.

    DDS.txt:

    .
    DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
    Run by Anna McManus at 12:01:16.93 on 28/04/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional  5.1.2600.3.1252.353.1033.18.1022.751 [GMT 1:00]
    .
    AV: Outpost Security Suite Pro *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
    FW: Outpost Security Suite Pro *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Anna McManus\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ie/webhp?rls=ig
    uInternet Connection Wizard,ShellNext = hxxp://www.google.ie/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: TV Bar 1.1 Toolbar: {a386d4b0-fddb-4e1c-ae61-4f014013cd9b} - c:\program files\tv_bar_1.1\prxtbTV_2.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: TV Bar 1.1 Toolbar: {a386d4b0-fddb-4e1c-ae61-4f014013cd9b} - c:\program files\tv_bar_1.1\prxtbTV_2.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: TV Bar 1.1 Toolbar: {a386d4b0-fddb-4e1c-ae61-4f014013cd9b} - c:\program files\tv_bar_1.1\prxtbTV_2.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Google Update] "c:\documents and settings\anna mcmanus\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [OutpostMonitor] "c:\progra~1\agnitum\outpos~1\op_mon.exe" /tray /noservice
    mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost security suite free\feedback.exe" /dump:os_startup
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262022016343
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.67.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {2094D3C8-9017-48C6-9813-BCFE09227041} = 89.101.160.4,89.101.160.5,208.67.222.222
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\annamc~1\applic~1\mozilla\firefox\profiles\wzlavwzf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=10588
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=10588&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
    FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
    FF - Ext: AlertStopper: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Check All: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: CheckFox: {BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87} - %profile%\extensions\{BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87}
    FF - Ext: Copy Link Text: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Crash Report Helper: {078fac48-925f-4524-7cfe-85d44b8f4f98} - %profile%\extensions\{078fac48-925f-4524-7cfe-85d44b8f4f98}
    FF - Ext: EAVE: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Expiry Canary: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Flash Killer: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Ghostery: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: GoogleEnhancer: {21e48e29-f574-4619-b65d-0f00eea92e5b} - %profile%\extensions\{21e48e29-f574-4619-b65d-0f00eea92e5b}
    FF - Ext: Keyboard Shortcuts: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Kongregate Sidebar: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Link Alert: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: LinkAndForminfo: {B71ACFF2-E436-4cc7-B5E3-0C8E2CC981BA} - %profile%\extensions\{B71ACFF2-E436-4cc7-B5E3-0C8E2CC981BA}
    FF - Ext: Override Mozilla Firefox Guidance: omfg@olive - %profile%\extensions\omfg@olive
    FF - Ext: PingMe: pingme@arcticfire - %profile%\extensions\pingme@arcticfire
    FF - Ext: Privacy Plus: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: RightToClick: {cd617375-6743-4ee8-bac4-fbf10f35729e} - %profile%\extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}
    FF - Ext: SimilarWeb: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Simple Links Counter: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Site Information Tool: siteinfo@wmtips - %profile%\extensions\siteinfo@wmtips
    FF - Ext: Tab Progress Bar: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Test Extension: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Trustpilot Guard: {736048c1-a1ec-4a70-b12b-1e399e79024e} - %profile%\extensions\{736048c1-a1ec-4a70-b12b-1e399e79024e}
    FF - Ext: Verify Redirect: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Wappalyzer: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: Personas Rotator: {6e73f6b7-b9ab-44b8-b744-6393e3c2e351} - %profile%\extensions\{6e73f6b7-b9ab-44b8-b744-6393e3c2e351}
    FF - Ext: Sidebar Companion for Google Sidewiki: {62f82eb5-4d65-4224-983b-a09ff8b172a6} - %profile%\extensions\{62f82eb5-4d65-4224-983b-a09ff8b172a6}
    FF - Ext: Google Redesigned: {cc85cd4e-5a5b-4eda-a25c-bdaffa93b406} - %profile%\extensions\{cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}
    FF - Ext: Google Minimalist: {64312dc5-3fc3-40d1-b183-0e4060fc52ac} - %profile%\extensions\{64312dc5-3fc3-40d1-b183-0e4060fc52ac}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    .
    ============= SERVICES / DRIVERS ===============
    .
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-4-19 34280]
    R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 341504]
    S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011-4-19 708760]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    S2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2011-4-19 2072592]
    S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
    S2 gupdate1ca8fbae50c76ae;Google Update Service (gupdate1ca8fbae50c76ae);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 133104]
    S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-4-19 267624]
    S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2011-4-19 70160]
    S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2011-4-19 242040]
    S3 VBFilt;VBFilt;c:\windows\system32\filt\VBFilt.dll [2011-4-19 34096]
    .
    =============== Created Last 30 ================
    .
    2011-04-28 10:45:53   --------   d-----w-   C:\_OTL
    2011-04-22 16:52:13   --------   d-----w-   c:\program files\ESET
    2011-04-22 14:41:37   --------   d-----w-   C:\RootRepeal
    2011-04-21 16:58:03   --------   d-----w-   c:\windows\system32\wbem\repository\FS
    2011-04-21 16:58:03   --------   d-----w-   c:\windows\system32\wbem\Repository
    2011-04-21 16:57:35   --------   d-----w-   c:\docume~1\annamc~1\applic~1\PriceGong
    2011-04-21 15:53:07   --------   d-----w-   c:\windows\pss
    2011-04-21 08:48:31   --------   d-----w-   C:\commy
    2011-04-19 19:49:33   242040   ----a-w-   c:\windows\system32\drivers\VBEngNT.sys
    2011-04-19 19:49:32   708760   ----a-w-   c:\windows\system32\drivers\SandBox.sys
    2011-04-19 19:49:14   267624   ----a-w-   c:\windows\system32\drivers\afwcore.sys
    2011-04-19 19:48:20   34280   ----a-w-   c:\windows\system32\drivers\afw.sys
    2011-04-19 19:48:01   --------   d-----w-   c:\windows\system32\Filt
    2011-04-19 19:48:01   --------   d-----w-   c:\program files\Agnitum
    2011-04-19 19:48:01   --------   d-----w-   c:\docume~1\annamc~1\applic~1\Agnitum
    2011-04-16 19:21:54   --------   d-----w-   c:\docume~1\annamc~1\locals~1\applic~1\Opera
    2011-04-15 15:52:13   --------   d-----w-   c:\docume~1\annamc~1\locals~1\applic~1\PCHealth
    .
    ==================== Find3M  ====================
    .
    2011-03-07 05:33:50   692736   ----a-w-   c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06   420864   ----a-w-   c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11   1857920   ----a-w-   c:\windows\system32\win32k.sys
    2011-02-22 23:06:29   916480   ----a-w-   c:\windows\system32\wininet.dll
    2011-02-22 23:06:29   43520   ----a-w-   c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29   1469440   ------w-   c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59   385024   ----a-w-   c:\windows\system32\html.iec
    2011-02-17 12:32:12   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39   290432   ----a-w-   c:\windows\system32\atmfd.dll
    2011-02-09 13:53:52   270848   ----a-w-   c:\windows\system32\sbe.dll
    2011-02-09 13:53:52   186880   ----a-w-   c:\windows\system32\encdec.dll
    2011-02-08 13:33:55   978944   ----a-w-   c:\windows\system32\mfc42.dll
    2011-02-08 13:33:55   974848   ----a-w-   c:\windows\system32\mfc42u.dll
    2011-02-02 21:40:23   472808   ----a-w-   c:\windows\system32\deployJava1.dll
    2011-02-02 19:19:39   73728   ----a-w-   c:\windows\system32\javacpl.cpl
    2011-02-02 07:58:35   2067456   ----a-w-   c:\windows\system32\mstscax.dll
    2006-05-03 11:06:54   163328   --sha-r-   c:\windows\system32\flvDX.dll
    2007-02-21 12:47:16   31232   --sha-r-   c:\windows\system32\msfDX.dll
    2008-03-16 14:30:52   216064   --sha-r-   c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 12:02:17.04 ===============

    Attach.txt:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15/12/2009 10:40:18
    System Uptime: 28/04/2011 11:47:23 (1 hours ago)
    .
    Motherboard: Dell Inc.           |  | 0WG864
    Processor:               Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 30 GiB total, 6.228 GiB free.
    D: is FIXED (NTFS) - 107 GiB total, 90.447 GiB free.
    E: is FIXED (NTFS) - 37 GiB total, 10.372 GiB free.
    H: is FIXED (NTFS) - 6 GiB total, 1.546 GiB free.
    R: is Removable
    S: is Removable
    T: is Removable
    U: is Removable
    V: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP242: 19/04/2011 19:36:51 - Agnitum Outpost Security Suite Free Restore Point: install
    RP243: 19/04/2011 20:40:23 - Agnitum Outpost Security Suite Free Restore Point: uninstall
    RP244: 19/04/2011 20:48:12 - Agnitum Outpost Security Suite Free Restore Point: install
    RP245: 19/04/2011 21:09:17 - Software Distribution Service 3.0
    RP246: 21/04/2011 17:57:21 - Restore Operation
    .
    ==== Installed Programs ======================
    .
    .sol Editor 1.1.0.1
    7-Zip 4.65
    AbiWord 2.6.8
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    AiO_Scan_CDA
    AiOSoftwareNPI
    Akamai NetSession Interface
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    µTorrent
    Bonjour
    BufferChm
    CCleaner
    Cheat Engine 5.6.1
    CmdHere Powertoy For Windows XP
    Compatibility Pack for the 2007 Office system
    Conduit Engine
    Conexant D850 56K V.9x DFVc Modem
    CutePDF Writer 2.7
    Destinations
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    e-Sword
    ESET Online Scanner v3
    F300
    F300_Help
    Fax_CDA
    Foxit Reader
    Free Realms Installer
    GIMP 2.6.10
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Driver Diagnostics
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HPPhotoSmartExpress
    ieSpell
    Image Resizer Powertoy for Windows XP
    ImageMixer VCD/DVD2 for OLYMPUS
    ImgBurn
    InfraRecorder
    InstantShareDevicesMFC
    Intel(R) PRO Network Connections Drivers
    iTunes
    Japanese Language Support
    Java Auto Updater
    Java(TM) 6 Update 24
    JPEG Lossless Rotator 6.4
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    Media Player Classic - Home Cinema v. 1.3.1249.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MobileMe Control Panel
    Mozilla Firefox 4.0 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NETGEAR WG111v3 wireless USB 2.0 adapter
    NewCopy_CDA
    NVIDIA Drivers
    NVIDIA PhysX
    OCR Software by I.R.I.S 7.0
    OGA Notifier 2.0.0048.0
    OLYMPUS Master
    OpenAL
    Outpost Security Suite 7.1.1
    Pixillion Image Converter
    ProductContextNPI
    QuickTime
    Readme
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Recuva
    Revo Uninstaller 1.88
    Scan
    ScannerCopy
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SigmaTel Audio
    Skype Toolbars
    Skype™ 5.1
    Status
    Steam
    SUPERAntiSpyware
    Toolbox
    Total Uninstall 5.6.1
    TrayApp
    TV Bar 1.1 Toolbar
    Tweak UI
    Unity Web Player
    Universal Extractor 1.6
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows Internet Explorer 8 (KB982664)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    v2011.build.46
    VirtualCloneDrive
    VoiceOver Kit
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows PowerShell(TM) 1.0 MUI pack
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    Windows Search 4.0
    Zune Desktop Theme
    .
    ==== Event Viewer Messages From Past Week ========
    .
    25/04/2011 14:56:52, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service iPod Service with arguments "" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
    25/04/2011 14:56:05, error: SideBySide [59]  - Generate Activation Context failed for C:\Program Files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    24/04/2011 16:33:15, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    24/04/2011 16:33:15, error: SideBySide [59]  - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    24/04/2011 16:33:15, error: SideBySide [32]  - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    24/04/2011 15:30:43, error: Tcpip [4198]  - The system detected an address conflict for IP address 192.168.1.4 with the system having network hardware address 7C:ED:8D:2C:15:CB. The local interface has been disabled.
    23/04/2011 13:44:19, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    22/04/2011 21:53:15, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
    22/04/2011 21:34:32, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
    22/04/2011 15:38:35, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ElbyCDIO Fips intelppm prodrv06 SandBox SASDIFSV SASKUTIL
    21/04/2011 20:17:28, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    21/04/2011 20:16:01, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  avgio avipbb ElbyCDIO Fips intelppm prodrv06 SandBox SASDIFSV SASKUTIL ssmdrv
    21/04/2011 19:39:36, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    21/04/2011 19:11:57, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    21/04/2011 18:59:13, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    .
    ==== End Of File ===========================
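The "Event Viewer Messages From Past Week" block in the DDS log above is the kind of thing a helper reads by hand; the following script is an added example (not part of this thread or of the DDS tool) that parses those lines and pulls out the three facts that matter for triage: which services DCOM could not start because of Win32 error 1084 (ERROR_NOT_SAFEBOOT_SERVICE, "This service cannot be started in Safe Mode", so these entries are expected when the logs were taken in Safe Mode, as the poster says), which boot-start drivers failed to load (worth comparing against the installed security software, e.g. SASDIFSV/SASKUTIL belong to SUPERAntiSpyware from the installed-programs list), and any IP address conflict. The sample lines are a copy of entries from the log above, embedded so the script runs offline; the function names are my own.

```python
import re
from collections import Counter

# Subset of the DDS "Event Viewer Messages" lines from the log above,
# embedded here (constructed copy) so the script runs offline.
SAMPLE_EVENTS = """\
25/04/2011 14:56:52, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service iPod Service with arguments "" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
24/04/2011 16:33:15, error: SideBySide [32]  - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
24/04/2011 15:30:43, error: Tcpip [4198]  - The system detected an address conflict for IP address 192.168.1.4 with the system having network hardware address 7C:ED:8D:2C:15:CB. The local interface has been disabled.
23/04/2011 13:44:19, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
22/04/2011 15:38:35, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ElbyCDIO Fips intelppm prodrv06 SandBox SASDIFSV SASKUTIL
21/04/2011 20:16:01, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  avgio avipbb ElbyCDIO Fips intelppm prodrv06 SandBox SASDIFSV SASKUTIL ssmdrv
21/04/2011 18:59:13, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
"""

# DDS prints one event per line: "<date time>, <level>: <source> [<id>]  - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\]\s+-\s+(?P<msg>.*)$"
)
# Win32 error 1084 is ERROR_NOT_SAFEBOOT_SERVICE: the service is simply not
# allowed to start in Safe Mode. DCOM event 10005 reports it as "%1084".
SAFE_MODE_RE = re.compile(
    r'DCOM got error "%1084" attempting to start the service (?P<svc>.+?) with arguments'
)
DRIVERS_RE = re.compile(r"failed to load:\s*(?P<drivers>.+)$")
CONFLICT_RE = re.compile(
    r"IP address (?P<ip>\d+\.\d+\.\d+\.\d+) .*?hardware address "
    r"(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})"
)


def parse_events(text):
    """Return one dict per recognised event line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["event_id"] = int(e["event_id"])
            events.append(e)
    return events


def triage(events):
    """Summarise the events into the facts a malware helper actually checks."""
    safe_mode_blocked = []   # services DCOM could not start because of Safe Mode
    drivers_failed = set()   # union of every SCM 7026 driver list
    ip_conflicts = []        # (ip, mac) pairs from Tcpip 4198
    counts = Counter()       # how often each (source, event id) occurs
    for e in events:
        counts[(e["source"], e["event_id"])] += 1
        if e["source"] == "DCOM" and e["event_id"] == 10005:
            m = SAFE_MODE_RE.search(e["msg"])
            if m:
                safe_mode_blocked.append(m.group("svc"))
        elif e["source"] == "Service Control Manager" and e["event_id"] == 7026:
            m = DRIVERS_RE.search(e["msg"])
            if m:
                drivers_failed.update(m.group("drivers").split())
        elif e["source"] == "Tcpip" and e["event_id"] == 4198:
            m = CONFLICT_RE.search(e["msg"])
            if m:
                ip_conflicts.append((m.group("ip"), m.group("mac")))
    return {
        "safe_mode_blocked_services": safe_mode_blocked,
        "drivers_failed": sorted(drivers_failed),
        "ip_conflicts": ip_conflicts,
        "counts": counts,
    }


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_EVENTS))
    print("Blocked by Safe Mode (expected):", summary["safe_mode_blocked_services"])
    print("Drivers that failed to load:", summary["drivers_failed"])
    print("IP conflicts:", summary["ip_conflicts"])
    for (source, event_id), n in sorted(summary["counts"].items()):
        print(f"{source} [{event_id}]: {n}")
```

The point of separating the 1084 entries is that BITS and wuauserv failing to start looks alarming in a raw log but is the normal Safe Mode behaviour; the driver list from event 7026 is the part that should be read against the installed-programs list, and the 4198 conflict is a network-configuration issue rather than a malware indicator on its own.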

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: I'm really, really lost....
    « Reply #17 on: April 28, 2011, 11:49:13 AM »
    Quote
    Remember, everything here was taken in SAFE MODE.
    Are you still having problems running Normal Mode?

    Please download 7-Zip and install it. If you already have it, no need to reinstall.

    Then, download RootkitUnhooker and save the setup to your Desktop.

    • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
    • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
    • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
    • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
    • Once inside the interface, do not fix anything. Click on the Report tab.
    • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
    • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
    • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.
    Note: You may get this warning while running Rootkit Unhooker. It is OK so just ignore it:

    Code: [Select]
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"
    Windows 8 and Windows 10 dual boot with two SSD's

    trekkie

      Topic Starter


      Rookie

      • Computer: Specs
      • Experience: Beginner
      • OS: Unknown
      Re: I'm really, really lost....
      « Reply #18 on: April 28, 2011, 02:28:59 PM »
      Are you still having problems running Normal Mode?
      Yup, CPU usage still maxing itself out in Normal Mode.

      Quote
      Note: You may get this warning while running Rootkit Unhooker. It is OK so just ignore it:
      "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"
      ...Uh, what? Well, this is more important, you can explain that later:

      While trying to run the randomly-named file, I got a "Error loading/opening driver" message. Any ideas?
      « Last Edit: April 28, 2011, 02:44:40 PM by trekkie »

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: I'm really, really lost....
      « Reply #19 on: April 29, 2011, 12:59:31 PM »
      Ok. Let's try this:

      Download the GMER Rootkit Scanner. Unzip it to your Desktop.

      Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

      Double-click gmer.exe. The program will begin to run.

      **Caution**
      These types of scans can produce false positives. Do NOT take any action on any
      "<--- ROOTKIT" entries unless advised!

      If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
      • Click NO
      • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
      • Now click the Scan button.
      • Once the scan is complete, you may receive another notice about rootkit activity.
      • Click OK.
      • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
      • Save it where you can easily find it, such as your desktop.

      trekkie

        Topic Starter


        Rookie

        • Computer: Specs
        • Experience: Beginner
        • OS: Unknown
        Re: I'm really, really lost....
        « Reply #20 on: April 29, 2011, 03:38:43 PM »
        I assume you wanted me to post the log, but you just forgot to say. I also added some spacing for you in the log (curse text wrap!)

        GMER Log:

        GMER 1.0.15.15572 - http://www.gmer.net
        Rootkit scan 2011-04-29 22:30:35
        Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014AS rev.8.12
        Running: gmer.exe; Driver: C:\DOCUME~1\ANNAMC~1\LOCALS~1\Temp\awtyquoc.sys


        ---- User code sections - GMER 1.0.15 ----

        .text           C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!ChangeDisplaySettingsExA                                                  7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!SetForegroundWindow                                                       7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!SetWindowPos                                                              7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!ChangeDisplaySettingsExW                                                  7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\DOCUME~1\ANNAMC~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[900] USER32.dll!ChangeDisplaySettingsExA  7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\DOCUME~1\ANNAMC~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[900] USER32.dll!SetForegroundWindow       7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\DOCUME~1\ANNAMC~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[900] USER32.dll!SetWindowPos              7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\DOCUME~1\ANNAMC~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[900] USER32.dll!ChangeDisplaySettingsExW  7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\Explorer.EXE[1264] USER32.dll!ChangeDisplaySettingsExA                                                        7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\Explorer.EXE[1264] USER32.dll!SetForegroundWindow                                                             7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\Explorer.EXE[1264] USER32.dll!SetWindowPos                                                                    7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\Explorer.EXE[1264] USER32.dll!ChangeDisplaySettingsExW                                                        7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\winlogon.exe[1460] USER32.dll!ChangeDisplaySettingsExA                                               7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\winlogon.exe[1460] USER32.dll!SetForegroundWindow                                                    7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\winlogon.exe[1460] USER32.dll!SetWindowPos                                                           7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\winlogon.exe[1460] USER32.dll!ChangeDisplaySettingsExW                                               7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\services.exe[1504] USER32.dll!ChangeDisplaySettingsExA                                               7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\services.exe[1504] USER32.dll!SetForegroundWindow                                                    7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\services.exe[1504] USER32.dll!SetWindowPos                                                           7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\services.exe[1504] USER32.dll!ChangeDisplaySettingsExW                                               7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\lsass.exe[1516] USER32.dll!ChangeDisplaySettingsExA                                                  7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\lsass.exe[1516] USER32.dll!SetForegroundWindow                                                       7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\lsass.exe[1516] USER32.dll!SetWindowPos                                                              7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\lsass.exe[1516] USER32.dll!ChangeDisplaySettingsExW                                                  7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!ChangeDisplaySettingsExA                                                7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!SetForegroundWindow                                                     7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!SetWindowPos                                                            7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!ChangeDisplaySettingsExW                                                7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1728] USER32.dll!ChangeDisplaySettingsExA                                                7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1728] USER32.dll!SetForegroundWindow                                                     7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1728] USER32.dll!SetWindowPos                                                            7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1728] USER32.dll!ChangeDisplaySettingsExW                                                7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!ChangeDisplaySettingsExA                                                7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!SetForegroundWindow                                                     7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!SetWindowPos                                                            7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!ChangeDisplaySettingsExW                                                7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1920] USER32.dll!ChangeDisplaySettingsExA                                                7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1920] USER32.dll!SetForegroundWindow                                                     7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1920] USER32.dll!SetWindowPos                                                            7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        .text           C:\WINDOWS\system32\svchost.exe[1920] USER32.dll!ChangeDisplaySettingsExW                                                7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

        ---- Devices - GMER 1.0.15 ----

        Device          \Driver\prohlp02 \Device\ProHlp02                                                                                        E1525188

        AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

        ---- EOF - GMER 1.0.15 ----
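The GMER instructions in Reply #19 warn that these scans produce false positives, and the log in Reply #20 shows why: every ".text" entry is a user-mode inline hook, but all of them jump into the same Outpost (Agnitum) module, which is the installed firewall doing its job. The script below is an added example, not part of this thread or of GMER, that parses the "User code sections" lines into process, PID, hooked export, patched address and hooking DLL, then groups them by hooking DLL and flags only entries that lack a vendor description or whose hooking module lives under a temp directory. The sample is a copy of lines from the log above plus one constructed line (the last one, marked in a comment) so that the flagging path is exercised; the function names and the `TEMP_MARKERS` heuristic are my own.

```python
import re
from collections import Counter

# Lines copied from the GMER log above (ctfmon.exe, gmer.exe, services.exe)
# plus header/device lines the parser must skip. The final ".text" line is a
# CONSTRUCTED example (fake addresses, fake DLL) with no vendor description,
# added only to show what a flagged entry looks like.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!ChangeDisplaySettingsExA  7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!SetForegroundWindow  7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!SetWindowPos  7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[456] USER32.dll!ChangeDisplaySettingsExW  7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\DOCUME~1\ANNAMC~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[900] USER32.dll!ChangeDisplaySettingsExA  7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1504] USER32.dll!ChangeDisplaySettingsExA  7E42384E 5 Bytes  JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1504] USER32.dll!SetForegroundWindow  7E4242ED 5 Bytes  JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1504] USER32.dll!SetWindowPos  7E4299F3 5 Bytes  JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1504] USER32.dll!ChangeDisplaySettingsExW  7E4595BD 5 Bytes  JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\svchost.exe[1676] USER32.dll!SetWindowsHookExW  7E4203F5 5 Bytes  JMP 00A71234 c:\docume~1\user~1\locals~1\temp\sample.dll

---- Devices - GMER 1.0.15 ----

Device          \Driver\prohlp02 \Device\ProHlp02   E1525188
"""

# One user-mode hook per line:
# .text <process>[<pid>] <module>!<export> <addr> <n> Bytes  JMP <target> <dll> (<description>)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<length>\d+) Bytes\s+"
    r"JMP (?P<target>[0-9A-Fa-f]+)\s+(?P<dll>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Path fragments that mean the hooking module is loaded from a temp location
# (my own heuristic; legitimate security products install under Program Files).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def parse_gmer_hooks(text):
    """Return a dict per ".text" hook line; headers and device lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["length"] = int(h["length"])
        h["dll"] = h["dll"].lower()   # Windows paths are case-insensitive
        hooks.append(h)
    return hooks


def summarize_hooks(hooks):
    """Group hooks by hooking DLL and flag the ones that deserve a closer look."""
    by_dll = Counter(h["dll"] for h in hooks)
    processes = sorted({f'{h["process"]}[{h["pid"]}]' for h in hooks})
    suspicious = []
    for h in hooks:
        reasons = []
        if not h["vendor"]:
            reasons.append("no vendor/description")
        if any(marker in h["dll"] for marker in TEMP_MARKERS):
            reasons.append("hook module lives under a temp directory")
        if reasons:
            suspicious.append((h["process"], h["function"], h["dll"], reasons))
    return {"by_dll": dict(by_dll), "processes": processes, "suspicious": suspicious}


if __name__ == "__main__":
    summary = summarize_hooks(parse_gmer_hooks(SAMPLE_GMER))
    for dll, n in summary["by_dll"].items():
        print(f"{n:3d} hooks -> {dll}")
    print("hooked processes:", summary["processes"])
    for process, func, dll, reasons in summary["suspicious"]:
        print(f"CHECK {process} {func} -> {dll}: {', '.join(reasons)}")
```

Grouping by hooking DLL is what turns forty near-identical lines into one fact (one known vendor module, hooking the same four USER32 exports in every process), which is exactly why the helper in Reply #19 says not to act on entries unless advised.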

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: I'm really, really lost....
        « Reply #21 on: April 29, 2011, 05:28:18 PM »
        Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

        • Open the folder and run Dial-a-fix.exe
        • 2 windows will open. Close the one in the background labeled Restrictive Policies

        • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked

        Fix SSL/HTTPS/Crypstvc:
        Stop Services
        Empty System32\Catroot2
        Register DLLs
        Start service

        • Click Go

        • OK any error messages if received, but write them down and post them here.

        • Restart the computer when done.

        trekkie

          Topic Starter


          Rookie

          • Computer: Specs
          • Experience: Beginner
          • OS: Unknown
          Re: I'm really, really lost....
          « Reply #22 on: April 30, 2011, 09:42:00 AM »
          I only got one error message, at the beginning:
          "Dial-a-fix was unable to determine your version of Internet Explorer. Certain DLL registrations will be skipped."
          Version is IE 8.

          It also didn't create a log; is that OK?

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: I'm really, really lost....
          « Reply #23 on: April 30, 2011, 04:59:32 PM »
          Please run another ComboFix scan to see if the service was repaired.

          trekkie

            Topic Starter


            Rookie

            • Computer: Specs
            • Experience: Beginner
            • OS: Unknown
            Re: I'm really, really lost....
            « Reply #24 on: May 01, 2011, 10:03:26 AM »
            By the way, why do we sometimes need to rename programs (e.g. ComboFix to commy)?

            Anyways, ComboFix log:

            ComboFix 11-04-30.06 - Anna McManus 01/05/2011  16:28:52.1.2 - x86 NETWORK
            Microsoft Windows XP Professional  5.1.2600.3.1252.353.1033.18.1022.790 [GMT 1:00]
            Running from: c:\documents and settings\Anna McManus\desktop\commy.exe
            Command switches used :: /stepdel
            AV: Outpost Security Suite Pro *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
            FW: Outpost Security Suite Pro *Enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\documents and settings\Anna McManus\Application Data\PriceGong
            c:\rootrepeal\RootRepeal.exe
            c:\documents and settings\Anna McManus\Start Menu\Programs\Uninstall.lnk
            c:\windows\jestertb.dll
            c:\windows\system32\arp.exe
            c:\windows\system32\SCardSvr.exe
            c:\windows\system32\setup.exe
            .
            ---- Previous Run -------
            .
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\1.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\a.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\b.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\c.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\d.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\e.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\f.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\g.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\h.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\i.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\J.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\k.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\l.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\m.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\mru.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\n.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\o.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\p.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\q.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\r.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\s.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\t.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\u.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\v.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\w.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\x.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\y.xml
            c:\documents and settings\Anna McManus\Application Data\PriceGong\Data\z.xml
            c:\documents and settings\Anna McManus\Start Menu\Programs\Uninstall.lnk
            c:\windows\jestertb.dll
            c:\windows\system32\arp.exe
            c:\windows\system32\SCardSvr.exe
            c:\windows\system32\setup.exe
            .
            .
            (((((((((((((((((((((((((   Files Created from 2011-04-01 to 2011-05-01  )))))))))))))))))))))))))))))))
            .
            .
            2011-04-19 20:05 . 2011-04-19 20:05   63115   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
            2011-04-19 20:05 . 2011-04-19 20:05   4599   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
            2011-04-19 20:05 . 2011-04-19 20:05   9310   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
            2011-04-19 20:05 . 2011-04-19 20:05   8646   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
            2011-04-19 20:05 . 2011-04-19 20:05   6429   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
            2011-04-19 20:05 . 2011-04-19 20:05   5927   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
            2011-04-19 20:05 . 2011-04-19 20:05   8613   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
            2011-04-19 20:05 . 2011-04-19 20:05   1651   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
            2011-04-19 20:04 . 2011-04-19 20:04   6910   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
            2011-04-19 20:04 . 2011-04-19 20:04   8288   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
            2011-04-19 20:04 . 2011-04-19 20:04   6208   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
            2011-04-19 20:04 . 2011-04-19 20:04   18541   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
            2011-04-19 20:04 . 2011-04-19 20:04   51852   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
            2011-04-19 20:04 . 2011-04-19 20:04   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
            2011-04-19 20:04 . 2011-04-19 20:04   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
            2011-04-19 20:04 . 2011-04-19 20:04   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
            2011-04-19 20:04 . 2011-04-19 20:04   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
            2011-04-19 19:49 . 2011-02-02 16:04   242040   ----a-w-   c:\windows\system32\drivers\VBEngNT.sys
            2011-04-19 19:49 . 2011-03-21 15:27   708760   ----a-w-   c:\windows\system32\drivers\SandBox.sys
            2011-04-19 19:49 . 2010-09-27 14:40   267624   ----a-w-   c:\windows\system32\drivers\afwcore.sys
            2011-04-19 19:48 . 2010-04-20 15:05   34280   ----a-w-   c:\windows\system32\drivers\afw.sys
            2011-04-19 19:48 . 2011-04-21 16:57   --------   d-----w-   c:\windows\system32\Filt
            2011-04-19 19:48 . 2011-04-19 19:48   --------   d-----w-   c:\program files\Agnitum
            2011-04-19 19:48 . 2011-04-19 19:48   --------   d-----w-   c:\documents and settings\Anna McManus\Application Data\Agnitum
            2011-04-16 19:21 . 2011-04-16 19:21   --------   d-----w-   c:\documents and settings\Anna McManus\Local Settings\Application Data\Opera
            2011-04-15 15:52 . 2011-04-15 15:52   --------   d-----w-   c:\documents and settings\Anna McManus\Local Settings\Application Data\PCHealth
            .
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2011-03-07 05:33 . 2009-12-15 10:35   692736   ----a-w-   c:\windows\system32\inetcomm.dll
            2011-03-04 06:37 . 2008-04-14 04:42   420864   ----a-w-   c:\windows\system32\vbscript.dll
            2011-03-03 13:21 . 2008-04-14 00:00   1857920   ----a-w-   c:\windows\system32\win32k.sys
            2011-02-22 23:06 . 2008-04-14 04:42   1469440   ------w-   c:\windows\system32\inetcpl.cpl
            2011-02-22 23:06 . 2008-04-14 04:42   916480   ----a-w-   c:\windows\system32\wininet.dll
            2011-02-22 23:06 . 2008-04-14 04:41   43520   ----a-w-   c:\windows\system32\licmgr10.dll
            2011-02-22 11:41 . 2008-04-13 23:07   385024   ----a-w-   c:\windows\system32\html.iec
            2011-02-17 13:18 . 2008-04-13 23:47   455936   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
            2011-02-17 13:18 . 2008-04-13 23:45   357888   ----a-w-   c:\windows\system32\drivers\srv.sys
            2011-02-17 12:32 . 2009-12-15 15:41   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
            2011-02-15 12:56 . 2008-04-14 04:39   290432   ----a-w-   c:\windows\system32\atmfd.dll
            2011-02-09 13:53 . 2008-04-14 04:42   270848   ----a-w-   c:\windows\system32\sbe.dll
            2011-02-09 13:53 . 2008-04-14 04:41   186880   ----a-w-   c:\windows\system32\encdec.dll
            2011-02-08 13:33 . 2008-04-14 04:41   978944   ----a-w-   c:\windows\system32\mfc42.dll
            2011-02-08 13:33 . 2007-04-03 07:44   974848   ----a-w-   c:\windows\system32\mfc42u.dll
            2011-02-02 21:40 . 2010-04-23 14:45   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2011-02-02 19:19 . 2010-04-09 15:30   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2011-02-02 07:58 . 2009-12-15 10:33   2067456   ----a-w-   c:\windows\system32\mstscax.dll
            2011-03-18 17:57 . 2011-03-23 15:17   142296   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
            2006-05-03 11:06   163328   --sha-r-   c:\windows\system32\flvDX.dll
            2007-02-21 12:47   31232   --sha-r-   c:\windows\system32\msfDX.dll
            2008-03-16 14:30   216064   --sha-r-   c:\windows\system32\nbDX.dll
            .
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
            "{a386d4b0-fddb-4e1c-ae61-4f014013cd9b}"= "c:\program files\TV_Bar_1.1\prxtbTV_2.dll" [2011-01-17 175912]
            .
            [HKEY_CLASSES_ROOT\clsid\{a386d4b0-fddb-4e1c-ae61-4f014013cd9b}]
            .
            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
            2011-01-17 14:54   175912   ----a-w-   c:\program files\ConduitEngine\prxConduitEngine.dll
            .
            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a386d4b0-fddb-4e1c-ae61-4f014013cd9b}]
            2011-01-17 14:54   175912   ----a-w-   c:\program files\TV_Bar_1.1\prxtbTV_2.dll
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
            "{a386d4b0-fddb-4e1c-ae61-4f014013cd9b}"= "c:\program files\TV_Bar_1.1\prxtbTV_2.dll" [2011-01-17 175912]
            "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
            .
            [HKEY_CLASSES_ROOT\clsid\{a386d4b0-fddb-4e1c-ae61-4f014013cd9b}]
            .
            [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
            .
            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
            "{A386D4B0-FDDB-4E1C-AE61-4F014013CD9B}"= "c:\program files\TV_Bar_1.1\prxtbTV_2.dll" [2011-01-17 175912]
            "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
            .
            [HKEY_CLASSES_ROOT\clsid\{a386d4b0-fddb-4e1c-ae61-4f014013cd9b}]
            .
            [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
            @="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
            [HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
            2011-03-30 18:01   468128   ----a-w-   c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
            "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-04-04 3107736]
            "OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-03-30 517056]
            "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
            "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-23 274608]
            .
            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
            "RunNarrator"="Narrator.exe" [2008-04-14 53760]
            .
            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
            NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2006-5-29 1527808]
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
            backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^µTorrent.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\µTorrent.lnk
            backup=c:\windows\pss\µTorrent.lnkCommon Startup
            HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
            HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
            HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
            HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
            HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\uTorrent\\uTorrent.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
            "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
            "c:\\WINDOWS\\system32\\sessmgr.exe"=
            "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
            "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
            "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
            "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
            "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
            "c:\\Program Files\\iTunes\\iTunes.exe"=
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "1054:TCP"= 1054:TCP:Akamai NetSession Interface
            "5000:UDP"= 5000:UDP:Akamai NetSession Interface
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
            "AllowInboundEchoRequest"= 1 (0x1)
            "AllowInboundTimestampRequest"= 1 (0x1)
            "AllowOutboundDestinationUnreachable"= 1 (0x1)
            "AllowOutboundParameterProblem"= 1 (0x1)
            "AllowOutboundTimeExceeded"= 1 (0x1)
            "AllowOutboundPacketTooBig"= 1 (0x1)
            .
            R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [19/04/2011 20:48 34280]
            R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 15:11 341504]
            S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [19/04/2011 20:49 708760]
            S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
            S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
            S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [19/04/2011 20:48 2072592]
            S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 05:42 14336]
            S2 gupdate1ca8fbae50c76ae;Google Update Service (gupdate1ca8fbae50c76ae);c:\program files\Google\Update\GoogleUpdate.exe [07/01/2010 18:00 133104]
            S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [19/04/2011 20:49 267624]
            S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [19/04/2011 20:49 70160]
            S3 Normandy;Normandy SR2;

            S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [19/04/2011 20:49 242040]
            S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [19/04/2011 20:49 34096]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            Akamai   REG_MULTI_SZ      Akamai
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
            .
            2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:00]
            .
            2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:00]
            .
            2011-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1177238915-1417001333-1003Core.job
            - c:\documents and settings\Anna McManus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-18 20:23]
            .
            2011-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1177238915-1417001333-1003UA.job
            - c:\documents and settings\Anna McManus\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-18 20:23]
            .
            2011-04-19 c:\windows\Tasks\OGALogon.job
            - c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
            .
            2010-08-31 c:\windows\Tasks\pixillionShakeIcon.job
            - c:\program files\NCH Software\Pixillion\pixillion.exe [2010-08-23 18:34]
            .
            2011-04-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-796845957-1177238915-1417001333-1003.job
            - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
            .
            2011-04-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-796845957-1177238915-1417001333-1003.job
            - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
            .
            2011-04-20 c:\windows\Tasks\User_Feed_Synchronization-{9AEC4122-30F7-425A-AEE8-66CD5650F4FC}.job
            - c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.ie/webhp?rls=ig
            uInternet Connection Wizard,ShellNext = hxxp://www.google.ie/
            uInternet Settings,ProxyOverride = *.local
            IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
            IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
            IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
            IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
            IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
            TCP: {2094D3C8-9017-48C6-9813-BCFE09227041} = 89.101.160.4,89.101.160.5,208.67.222.222
            DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
            FF - ProfilePath - c:\documents and settings\Anna McManus\Application Data\Mozilla\Firefox\Profiles\wzlavwzf.default\
            FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=10588
            FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
            FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
            FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=10588&q=
            FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
            FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
            FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
            FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
            FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
            FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
            FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
            FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
            FF - Ext: AlertStopper: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Check All: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: CheckFox: {BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87} - %profile%\extensions\{BAEC7B80-9A31-47b2-A68B-DCAC8DF48E87}
            FF - Ext: Copy Link Text: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Crash Report Helper: {078fac48-925f-4524-7cfe-85d44b8f4f98} - %profile%\extensions\{078fac48-925f-4524-7cfe-85d44b8f4f98}
            FF - Ext: EAVE: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Expiry Canary: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Flash Killer: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Ghostery: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: GoogleEnhancer: {21e48e29-f574-4619-b65d-0f00eea92e5b} - %profile%\extensions\{21e48e29-f574-4619-b65d-0f00eea92e5b}
            FF - Ext: Keyboard Shortcuts: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Kongregate Sidebar: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Link Alert: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: LinkAndForminfo: {B71ACFF2-E436-4cc7-B5E3-0C8E2CC981BA} - %profile%\extensions\{B71ACFF2-E436-4cc7-B5E3-0C8E2CC981BA}
            FF - Ext: Override Mozilla Firefox Guidance: omfg@olive - %profile%\extensions\omfg@olive
            FF - Ext: PingMe: pingme@arcticfire - %profile%\extensions\pingme@arcticfire
            FF - Ext: Privacy Plus: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: RightToClick: {cd617375-6743-4ee8-bac4-fbf10f35729e} - %profile%\extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}
            FF - Ext: SimilarWeb: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Simple Links Counter: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Site Information Tool: siteinfo@wmtips - %profile%\extensions\siteinfo@wmtips
            FF - Ext: Tab Progress Bar: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Test Extension: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Trustpilot Guard: {736048c1-a1ec-4a70-b12b-1e399e79024e} - %profile%\extensions\{736048c1-a1ec-4a70-b12b-1e399e79024e}
            FF - Ext: Verify Redirect: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Wappalyzer: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Personas: [email protected] - %profile%\extensions\[email protected]
            FF - Ext: Personas Rotator: {6e73f6b7-b9ab-44b8-b744-6393e3c2e351} - %profile%\extensions\{6e73f6b7-b9ab-44b8-b744-6393e3c2e351}
            FF - Ext: Sidebar Companion for Google Sidewiki: {62f82eb5-4d65-4224-983b-a09ff8b172a6} - %profile%\extensions\{62f82eb5-4d65-4224-983b-a09ff8b172a6}
            FF - Ext: Google Redesigned: {cc85cd4e-5a5b-4eda-a25c-bdaffa93b406} - %profile%\extensions\{cc85cd4e-5a5b-4eda-a25c-bdaffa93b406}
            FF - Ext: Google Minimalist: {64312dc5-3fc3-40d1-b183-0e4060fc52ac} - %profile%\extensions\{64312dc5-3fc3-40d1-b183-0e4060fc52ac}
            FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
            FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
            FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
            FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
            FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
            .
            - - - - ORPHANS REMOVED - - - -
            .
            WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
            MSConfigStartUp-CTFMON - (no file)
            AddRemove-.sol Editor - c:\documents and settings\Anna McManus\My Documents\Conor's Folder\Sol Edit\uninst.exe
            AddRemove-Cheat Engine 5.6.1_is1 - c:\documents and settings\Anna McManus\My Documents\Conor's Folder\Pictures\Kongregate\Cheat Engine\unins000.exe
            AddRemove-WinGimp-2.0_is1 - c:\documents and settings\Anna McManus\My Documents\Conor's Folder\GIMP-2.0\setup\unins000.exe
            AddRemove-{B93DCF58-AA57-41EC-8D69-B05C66C6312D}_is1 - c:\documents and settings\Anna McManus\My Documents\Conor's Folder\Videos\SUPER\unins000.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2011-05-01 16:39
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_USERS\S-1-5-21-796845957-1177238915-1417001333-1003\Software\Microsoft\SystemCertificates\AddressBook*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
            @Denied: (A 2) (Everyone)
            @="FlashBroker"
            "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
            "Enabled"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
            @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
            @Denied: (A 2) (Everyone)
            @="IFlashBroker4"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
            @="{00020424-0000-0000-C000-000000000046}"
            .
            [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
            @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
            "Version"="1.0"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'winlogon.exe'(1476)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            .
            - - - - - - - > 'explorer.exe'(1596)
            c:\windows\system32\WININET.dll
            c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
            c:\windows\system32\ieframe.dll
            .
            Completion time: 2011-05-01  16:46:50 - machine was rebooted
            ComboFix-quarantined-files.txt  2011-05-01 15:46
            .
            Pre-Run: 6,625,673,216 bytes free
            Post-Run: 6,591,098,880 bytes free
            .
            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Professional - New" /noexecute=optin /fastdetect
            multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Windows XP Professional - Even Newer" /noexecute=optin /fastdetect
            .
            - - End Of File - - 7B5CDB8CA0541E44DF4A56B2A6608B96

            SuperDave

             • Malware Removal Specialist
             • Moderator
            Re: I'm really, really lost....
            « Reply #25 on: May 01, 2011, 12:47:23 PM »
            Quote
            By the way, why do we sometimes need to rename programs (e.g. ComboFix to commy)?
             Sometimes the infections are engineered to recognize and stop some of these tools. By renaming them, we are able to get them to run.

             It looks like the Cryptography Services Error was repaired. That was the last thing that seemed to be amiss. I reached the bottom of my bag of tricks trying to resolve your problem. I can almost say with almost 100% certainty that it's not caused by any infections. The last thing we can do is do some cleanup and advise you to seek help in one of the software forums. Sorry.

            To remove all of the tools we used and the files and folders they created do the following:
             • Double-click OTL.exe.
            • Click the CleanUp button.
            • Select Yes when the "Begin cleanup Process?" prompt appears.
            • If you are prompted to Reboot during the cleanup, select Yes.
            • The tool will delete itself once it finishes.
            Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
            ****************************************************
            To turn off Windows XP System Restore:

            NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

            1. Click Start.
            2. Right-click the My Computer icon, and then click Properties.
            3. Click the System Restore tab.
             4. Check "Turn off System Restore" or "Turn off System Restore on all drives."
             5. Click Apply.
             6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
            7. Click OK.
            8. Restart the computer and follow the instructions in the next section to turn on System Restore.

            To turn on Windows XP System Restore:

            1. Click Start.
            2. Right-click My Computer, and then click Properties.
            3. Click the System Restore tab.
            4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
            5. Click Apply, and then click OK.
            **********************************************
            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
            Windows 8 and Windows 10 dual boot with two SSD's

            trekkie

              Topic Starter


              Rookie

              • Experience: Beginner
              • OS: Unknown
              Re: I'm really, really lost....
              « Reply #26 on: May 01, 2011, 12:58:00 PM »
              Quote
              To turn off Windows XP System Restore:

              Whoa whoa whoa. Why on Earth would I want to turn off System Restore?

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Experience: Expert
              • OS: Windows 10
              Re: I'm really, really lost....
              « Reply #27 on: May 01, 2011, 01:21:50 PM »
              By turning off and then on the System Restore we will get a new Restore Point which should be clean. Keep in mind many infections hide in System Restore.
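The System Restore steps in the post above and the reason given for them (a restore point can carry copies of the files just removed) can be checked and reproduced from an elevated PowerShell prompt. This is an added example, not something from the thread or from the tools it uses; it assumes the SystemRestore WMI class in root\default is present (Windows XP onward) and that the system drive is C:\.

```powershell
# Added example (not from the thread): list the restore points that exist,
# cycle System Restore off and on for the drive, then take one fresh checkpoint.
# Assumptions: elevated PowerShell, SystemRestore WMI class in root\default,
# system drive C:\ (change $Drive if yours differs).
$Drive = 'C:\'

function Get-RestorePoints {
    # One WMI instance per restore point; CreationTime is a WMI datetime string.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            [pscustomobject]@{
                Sequence    = $_.SequenceNumber
                Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Type        = $_.RestorePointType
                Description = $_.Description
            }
        }
}

Write-Host 'Restore points before cleanup (each may hold copies of files that were just removed):'
Get-RestorePoints | Format-Table -AutoSize

$sr = [wmiclass]'\\.\root\default:SystemRestore'

# Turning System Restore off discards every existing restore point on the drive,
# which is what step 6 of the GUI procedure warns about.
$rc = $sr.Disable($Drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with return code $rc" }

# Turn it back on (wait until the service reports it is enabled) and create one
# known-clean point immediately, so there is something to roll back to.
$rc = $sr.Enable($Drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with return code $rc" }

# RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
# Note: Windows 8 and later skip creation if another point was made in the last
# 24 hours unless SystemRestorePointCreationFrequency is lowered in the registry.
$rc = $sr.CreateRestorePoint('Clean point after malware removal', 0, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

# Verify the outcome: only the newly created point should remain.
$after = @(Get-RestorePoints)
Write-Host 'Restore points after cleanup:'
$after | Format-Table -AutoSize
if ($after.Count -ne 1) { Write-Warning "Expected exactly one restore point, found $($after.Count)" }
```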

              trekkie

                Topic Starter


                Rookie

                • Experience: Beginner
                • OS: Unknown
                Re: I'm really, really lost....
                « Reply #28 on: May 01, 2011, 02:14:59 PM »
                Sorry.
                OY! Don't you go beating yourself up over my stubborn computer. It's not your fault my computer hates me.:) But seriously, you did great, especially considering you're not getting paid for this (so you have got to find this rewarding in some way, otherwise no sane person would do this day in, day out).

                Quote
                To remove all of the tools we used and the files and folders they created
                Will it remove everything? Just, I think I would find it difficult to find one tiny scrap of one program. Oh, and as I think of it-are there any programs that we've used that you would keep if this was your computer?

                Finally, any ideas as to where to go from here to fix this stupid computer (within ComputerHope, that is)?

                Oh-finally finally, would you mind not locking the thread on me until I ask? You probably wouldn't have, but just in case.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Experience: Expert
                • OS: Windows 10
                Re: I'm really, really lost....
                « Reply #29 on: May 01, 2011, 05:10:06 PM »
                Here's a list of tools it will remove. I used some other tools so those will have to be removed manually.
                !Killbox
                *.run
                _backupD
                _OTL
                _OTListIt
                _OTM
                _OTMoveIt
                _OTS
                _OTScanIt
                404fix.exe
                Avenger
                avenger.exe
                avenger.txt
                avenger.zip
                AWF.txt
                BFU
                bfu.zip
                catchme
                catchme.exe
                cleanup.txt
                ComboFix
                ComboFix*.txt
                combofix.exe
                combo-fix.exe
                Combo-Fix.sys
                dds.com
                dds.pif
                dds.scr
                Deckard
                delete.bat
                deljob
                deljob.exe
                dss.exe
                dumphive.exe
                erdnt\subs
                Extras.txt
                fdsv.exe
                FindAWF.exe
                fixwareout
                fixwareout.exe
                fsbl*.log
                fsbl.exe
                gmer
                gmer.dll
                gmer.exe
                gmer.ini
                gmer.log
                gmer.sys
                gmer_uninstall.cmd
                grep.exe
                haxfix.exe
                haxfix.txt
                iedfix.exe
                killbox.exe
                logit.txt
                Lop SD
                lopR.txt
                LopSD.exe
                moveex.exe
                nircmd.exe
                NoLop.exe
                NoLop.txt
                NoLopOLD.txt
                OTL.exe
                OTL.txt
                OTListIt.txt
                OTListIt2.exe
                OTM.exe
                OTMoveIt.exe
                OTMoveIt2.exe
                OTMoveIt3.exe
                OTS.exe
                OTS.txt
                OTScanIt
                OTScanIt.exe
                OTScanIt2
                OTScanIt2.exe
                OTViewIt.exe
                OTViewIt.txt
                QooBox
                rapport.txt
                Rooter$
                Rooter.exe
                Rooter.txt
                RSIT
                RSIT.exe
                Runscanner
                Runscanner.exe
                Runscanner.net
                Runscanner.zip
                Rustbfix
                rustbfix.exe
                SDFix
                sdfix.exe
                sed.exe
                Silent Runners.vbs
                SmitfraudFix
                SmitfraudFix.exe
                swreg.exe
                Swsc.exe
                Swxcacls.exe
                SysInsite
                tmp.reg
                vacfix.exe
                vcclsid.exe
                VFind.exe
                VundoFix Backups
                VundoFix.exe
                vundofix.txt
                vundofix.vft
                win32delfkil.exe
                windelf.txt
                WinPfind
                winpfind.exe
                WinPFind35u
                WinPFind35u.exe
                WinPFind3u
                WinPFind3u.exe
                WS2Fix.exe
                zip.exe
                ***************************************************
                Quote
                Oh, and as I think of it-are there any programs that we've used that you would keep if this was your computer?
                The only two I would keep are SAS and MBAM. Update them and run them on a regular basis.
                I will keep this open until you get back to me.
                You should start a new thread in this forum. Don't forget to mention that you've spent some time in this forum.