reblw

Everything posted by reblw

  1. Ok, Malwarebytes runs fine. Thanks so much for your help/expertise. I have installed the full version of Malwarebytes and told the kids not to stop it from running. It seems like this has been a more aggressive Antivirus Pro. Do you think Malwarebytes alone will prevent recurrence, or is there some other program that can run alongside it? AntiVir had too many spyware-type properties for me, so I deleted it.
  2. I then uninstalled the Spyzilla and Ask toolbar, then ran the ComboFix script, and here is the logfile it generated:
  3. OK, I reran ComboFix to see if it would install the recovery console. It did, and this is the logfile it generated:
2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe 2002-08-15 00:22 . 2002-08-15 00:22 28672 c:\windows\SYSTEM32\bak\DSentry.exe 2004-05-22 00:11 . 2004-05-22 00:11 221184 c:\windows\SYSTEM32\bak\LVCOMSX.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId] @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}" [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}] 2009-05-13 20:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] "SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "RegistryMechanic"="" [N/A] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-3 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-20 24576] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= c:\windows\system32\onhelp.htm FriendlyName= tets [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify] 2002-02-15 16:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"= "c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"= "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\UT2004\\System\\UT2004.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/23/2009 8:16 PM 130936] R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [4/21/2009 6:27 PM 29808] R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2/12/2003 8:08 PM 4064] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 12:18 PM 108289] R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 6:00 AM 14336] R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/25/2009 10:30 PM 1205760] R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\SYSTEM32\DRIVERS\hpusbfd.sys [2/8/2004 2:31 PM 7552] R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys 
[12/24/2007 12:58 PM 72576] S0 epstwnt;epstwnt;c:\windows\system32\Drivers\epstwnt.mpd --> c:\windows\system32\Drivers\epstwnt.mpd [?] S2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [8/5/2004 11:57 PM 7296] S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\Drivers\sharshtl.sys --> c:\windows\system32\Drivers\sharshtl.sys [?] S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\SYSTEM32\DRIVERS\epstw2k.sys [2/16/2003 3:09 PM 114944] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 8:16 PM 348752] S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [2/9/2003 1:45 PM 15576] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34] 2009-09-02 c:\windows\Tasks\At1.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At10.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At11.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At12.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At13.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At14.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At15.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At16.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At17.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-01 c:\windows\Tasks\At18.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-01 c:\windows\Tasks\At19.job - 
c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At2.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At20.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At21.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At22.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At23.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At24.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At3.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At4.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At5.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At6.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At7.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At8.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] 2009-09-02 c:\windows\Tasks\At9.job - c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html IE: Translate Page - c:\program files\Google\googletoolbar.dll/cmtrans.html IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538} Trusted Zone: aol.com\free Trusted Zone: musicmatch.com\online DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe FF - ProfilePath - c:\documents and settings\reblw\Application Data\Mozilla\Firefox\Profiles\p6fokhh9.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://mb26.scout.com/fmississippi74787frm14 ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme c:\program files\Mozilla 
Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub", c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties"); . 
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-02 16:30 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt] "ImagePath"="System32\Drivers\epstwnt.mpd" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,29,b0,42,2b,97, 33,5e,f5,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,29,c7,2e,0c,45, 72,79,01,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,59,e5,8b,ca,2d, e4,05,8f,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,f7,c8,95,0d,6b, 68,b7,64,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\ 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,8f,1d,91,38,67, 99,cd,52,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,8f,aa,a8,2e,19, 77,52,a3,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,de,4f,7c,89,1a, 17,f6,ca,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,52,4b,f4,3a,4e, 16,e7,ca,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d9,76,2a,8e,75, 17,0d,08,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,5f,ea,ff,30,bd, 1b,bd,04,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\ 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,86,0c,00,31,30, 59,cc,b9,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,df,d6,2a,38,ef, cb,92,0b,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(956) c:\windows\system32\Ati2evxx.dll c:\windows\System32\wbem\wbemcomn.dll . Completion time: 2009-09-02 16:35 ComboFix-quarantined-files.txt 2009-09-02 21:34 ComboFix2.txt 2009-08-31 21:34 Pre-Run: 36,191,248,384 bytes free Post-Run: 36,138,754,048 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 409 --- E O F --- 2009-08-27 08:00
  4. When I ran Combo-Fix I clicked yes to install the Recovery Console, but it self aborted and continued on, should I rerun it and see if it will install? I will try to uninstall those programs, but last time I tried, the uninstall programs would not run. I am not at that computer at present, but I will try again...or should I just go to add/remove in control panel? Thanks for your help, this cpu has been used by the kids so it is not well protected - yet.
  5. Ok, this may take 2 posts:

ComboFix 09-08-31.03 - reblw 08/31/2009 16:07.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1051 [GMT -5:00]
Running from: c:\documents and settings\reblw\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\reblw\LOCALS~1\Temp\csrss.exe
c:\docume~1\reblw\LOCALS~1\Temp\lsass.exe
c:\docume~1\reblw\LOCALS~1\Temp\services.exe
c:\docume~1\reblw\LOCALS~1\Temp\svchost.exe
c:\docume~1\reblw\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\reblw\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\amydakaje.lib
c:\documents and settings\All Users\Application Data\xutyzikocy.pif
c:\documents and settings\All Users\Documents\atuhosa.exe
c:\documents and settings\All Users\Documents\fyzun.inf
c:\documents and settings\All Users\Documents\uwuza.bin
c:\documents and settings\reblw\Application Data\fepat.dl
c:\documents and settings\reblw\Application Data\ledinami.inf
c:\documents and settings\reblw\Local Settings\Application Data\woxuq.com
c:\documents and settings\reblw\Local Settings\Temporary Internet Files\cuhulovi.pif
c:\documents and settings\reblw\Local Settings\Temporary Internet Files\homyg.com
c:\documents and settings\reblw\Local Settings\Temporary Internet Files\ojipubah.vbs
c:\documents and settings\reblw\Local Settings\Temporary Internet Files\orabitefuq.com
c:\documents and settings\reblw\My Documents\ZbThumbnail.info
c:\documents and settings\reblw\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\reblw\Start Menu\Programs\Windows Antivirus Pro
c:\documents and settings\reblw\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
C:\kvhwftjn.exe
C:\lcbckjms.exe
C:\p2hhr.bat
c:\program files\Common Files\etofaxu.dll
c:\program files\Common Files\giqo.sys
c:\program files\Common Files\okyneko.bin
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Uninstall.exe
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
C:\sdlb.exe
c:\windows\AUTOLNCH.REG
c:\windows\braviax.exe
c:\windows\command
c:\windows\command\EXTRACT.PIF
c:\windows\cru629.dat
c:\windows\Downloaded Program Files\Temp
c:\windows\ifoh._dl
c:\windows\Installer\3f82c.msp
c:\windows\kiqe.pif
c:\windows\lakany.bin
c:\windows\mixu.pif
c:\windows\oguh.bin
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\Readme.txt
c:\windows\system32\_scui.cpl
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\Data
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\pypaxaj.bin
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\tywerycul.sys
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\xwreg32.dll
c:\windows\Tasks\vopgcjeg.job
c:\windows\uvokoruguh.bin
c:\windows\yduno.sys
C:\yihw.exe

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\i386\BEEP.SYS

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.
2009-08-31 21:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-26 20:15 . 2009-08-26 20:15 -------- d-----w- c:\program files\Trend Micro
2009-08-26 17:18 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-26 17:18 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-26 17:18 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-26 17:18 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\program files\Avira
2009-08-26 17:17 . 2009-08-26 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-26 17:10 . 2009-08-26 17:10 190697 ----a-w- c:\windows\system32\wisdstr.VIR
2009-08-26 05:27 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-26 05:27 . 2009-08-26 17:02 -------- d-----w- c:\program files\22Malwarebytes' Anti-Malware
2009-08-26 05:27 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 04:56 . 2009-08-26 05:00 -------- d-----w- c:\program files\SpyZooka
2009-08-26 03:28 . 2009-08-26 03:29 -------- d-----w- c:\program files\Ask.com
2009-08-26 03:27 . 2009-08-26 03:27 -------- d-----w- c:\program files\MSSOAP
2009-08-26 03:26 . 2009-08-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\program files\Webroot
2009-08-26 03:26 . 2009-08-26 03:26 -------- d-----w- c:\documents and settings\reblw\Application Data\Webroot
2009-08-26 03:26 . 2009-05-13 20:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-08-26 03:22 . 2009-08-26 04:48 164 ----a-w- c:\windows\install.dat
2009-08-25 16:51 . 2009-08-26 17:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-25 03:55 . 2009-08-25 03:55 -------- d-----w- C:\_OTM
2009-08-25 03:29 . 2009-08-25 03:29 -------- d-----w- c:\documents and settings\reblw\Application Data\U3
2009-08-25 03:10 . 2009-08-25 03:10 13633 ----a-w- c:\documents and settings\reblw\Local Settings\Application Data\ogivaryh.dat
2009-08-25 03:10 . 2009-08-25 03:10 13093 ----a-w- c:\windows\fuqoduh.dat
2009-08-25 02:08 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-23 17:58 . 2009-08-23 17:58 135736 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-13 01:06 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 21:59 . 2009-08-01 21:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-01 21:53 . 2009-08-01 21:53 -------- d-sh--w- c:\documents and settings\reblw\PrivacIE
2009-08-01 21:52 . 2009-08-01 21:52 -------- d-sh--w- c:\documents and settings\reblw\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 21:18 . 2009-07-18 05:15 -------- d-----w- c:\program files\Shared
2009-08-30 18:53 . 2009-05-24 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-28 11:50 . 2009-05-24 01:16 -------- d-----w- c:\program files\Spyware Doctor
2009-08-26 03:02 . 2008-09-21 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 03:10 . 2009-08-25 03:10 11308 ----a-w- c:\documents and settings\All Users\Application Data\okivo.dat
2009-08-23 17:57 . 2004-12-17 21:53 -------- d-----w- c:\documents and settings\reblw\Application Data\Apple Computer
2009-08-16 17:46 . 2003-02-09 17:50 -------- d-----w- c:\program files\QUICKENW
2009-08-15 04:42 . 2009-07-28 16:40 -------- d-----w- c:\program files\Safari
2009-08-05 09:01 . 2004-03-28 03:05 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-07-28 16:42 . 2008-05-20 21:23 -------- d-----w- c:\program files\Apple Software Update
2009-07-28 16:37 . 2009-07-28 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-28 16:37 . 2004-12-17 21:52 -------- d-----w- c:\program files\iTunes
2009-07-28 16:37 . 2004-12-17 21:51 -------- d-----w- c:\program files\iPod
2009-07-28 16:37 . 2007-12-25 18:17 -------- d-----w- c:\program files\Common Files\Apple
2009-07-28 16:35 . 2009-07-28 16:35 -------- d-----w- c:\program files\Bonjour
2009-07-28 16:35 . 2007-12-25 18:18 -------- d-----w- c:\program files\QuickTime
2009-07-28 16:29 . 2009-07-28 16:29 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-18 05:02 . 2003-02-09 22:51 -------- d-----w- c:\program files\Kazaa
2009-07-17 19:01 . 2002-08-29 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:16 . 2009-07-28 16:32 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 17:16 . 2007-12-25 18:18 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 17:09 .
2004-08-24 01:32 915456 ----a-w- c:\windows\system32\wininet.dll 2009-06-16 14:36 . 2002-08-29 11:00 81920 ------w- c:\windows\system32\fontsub.dll 2009-06-16 14:36 . 2002-08-29 11:00 119808 ------w- c:\windows\system32\t2embed.dll 2009-06-12 12:31 . 2002-08-29 11:00 80896 ------w- c:\windows\system32\tlntsess.exe 2009-06-12 12:31 . 2002-08-29 11:00 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:19 . 2002-08-29 11:00 2066432 ------w- c:\windows\system32\mstscax.dll 2009-06-10 14:13 . 2002-08-29 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 06:14 . 2002-08-29 11:00 132096 ------w- c:\windows\system32\wkssvc.dll 2009-06-03 19:09 . 2004-03-28 03:05 1291264 ------w- c:\windows\system32\quartz.dll 1999-11-13 00:32 . 1999-12-22 05:36 16873 ------w- c:\program files\WHATSNEW.TXT 1999-10-19 02:24 . 1999-12-22 05:36 2816 ------w- c:\program files\ORDER.TXT 1999-07-09 01:38 . 1999-07-09 01:38 8362 ------w- c:\program files\SETUP.LST 1999-07-09 01:38 . 1999-07-09 01:38 2164 ------w- c:\program files\Readme.txt 2005-07-16 10:41 . 2005-06-14 03:47 41573 ------w- c:\program files\mozilla firefox\components\jar50.dll 2005-07-16 10:41 . 2005-06-14 03:47 48223 ------w- c:\program files\mozilla firefox\components\jsd3250.dll 2005-07-16 10:41 . 2005-06-14 03:47 160871 ------w- c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe 2003-01-20 19:39 . 2005-08-31 02:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe 2002-08-22 19:11 . 2004-05-28 01:05 323584 c:\program files\Common Files\Dell\EUSW\bak\Support.exe 2003-01-20 19:42 . 2002-04-03 07:01 135264 c:\program files\Creative\SBLive\Diagnostics\bak\diagent.exe 2003-02-16 20:52 . 
1998-11-24 08:00 42496 c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\bak\HPLamp.exe 2007-12-11 18:10 . 2007-12-11 18:10 267048 c:\program files\iTunes\bak\iTunesHelper.exe 2009-07-13 19:03 . 2009-07-13 19:03 292128 c:\program files\iTunes\iTunesHelper.exe 2008-01-06 06:54 . 2007-09-25 07:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe 2003-01-20 19:39 . 2001-10-09 07:59 200704 c:\program files\Logitech\iTouch\bak\iTouch.exe 2004-06-01 16:09 . 2004-06-01 16:09 458752 c:\program files\Logitech\Video\bak\ISStart.exe 2004-06-01 16:09 . 2004-06-01 16:09 458752 c:\program files\Logitech\Video\ISStart.exe 2004-06-01 16:03 . 2004-06-01 16:03 217088 c:\program files\Logitech\Video\bak\LogiTray.exe 2004-06-01 16:03 . 2004-06-01 16:03 217088 c:\program files\Logitech\Video\LogiTray.exe 2004-09-03 03:34 . 2004-06-01 15:46 196608 c:\program files\Logitech\Video\bak\ManifestEngine.exe 2003-01-20 19:39 . 2001-10-09 15:41 35328 c:\program files\MouseWare\system\bak\EM_EXEC.EXE 2005-06-02 01:02 . 2005-05-10 21:04 11776 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe 2005-10-06 03:07 . 2005-06-13 07:30 192512 c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe 2007-12-11 16:56 . 2007-12-11 16:56 286720 c:\program files\QuickTime\bak\qttask.exe 2009-05-26 22:18 . 2009-05-26 22:18 413696 c:\program files\QuickTime\QTTask.exe 2002-04-10 22:44 . 2002-04-10 22:44 679936 c:\program files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe 2003-01-20 19:43 . 2000-05-11 07:00 90112 c:\windows\bak\UpdReg.EXE 2002-08-29 11:00 . 2004-08-04 07:56 15360 c:\windows\SYSTEM32\bak\ctfmon.exe 2002-08-29 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe 2002-08-15 00:22 . 2002-08-15 00:22 28672 c:\windows\SYSTEM32\bak\DSentry.exe 2004-05-22 00:11 . 2004-05-22 00:11 221184 c:\windows\SYSTEM32\bak\LVCOMSX.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 20:34 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyZooka"="c:\program files\SpyZooka\SpyZookaLdr.exe" [2009-08-09 60424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RegistryMechanic"="" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-8-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-20 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= "c:\progra~1\SpyZooka\spyguard.dll" [2005-05-08 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 16:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\UT2004\\System\\UT2004.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/23/2009 8:16 PM 130936]
R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2/12/2003 8:08 PM 4064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/26/2009 12:18 PM 108289]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [8/29/2002 6:00 AM 14336]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [8/25/2009 10:30 PM 1205760]
R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\SYSTEM32\DRIVERS\hpusbfd.sys [2/8/2004 2:31 PM 7552]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\SYSTEM32\DRIVERS\netusbxp.sys [12/24/2007 12:58 PM 72576]
S0 epstwnt;epstwnt;c:\windows\system32\Drivers\epstwnt.mpd --> c:\windows\system32\Drivers\epstwnt.mpd [?]
S2 portD;ABS PortIO Service;c:\windows\SYSTEM32\DRIVERS\portd2k.sys [8/5/2004 11:57 PM 7296]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\Drivers\sharshtl.sys --> c:\windows\system32\Drivers\sharshtl.sys [?]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\SYSTEM32\DRIVERS\epstw2k.sys [2/16/2003 3:09 PM 114944]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 8:16 PM 348752]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\SYSTEM32\DRIVERS\usbbc.sys [2/9/2003 1:45 PM 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-08-31 c:\windows\Tasks\At1.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At10.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At11.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At12.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At13.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At14.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At15.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At16.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At17.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-30 c:\windows\Tasks\At18.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-30 c:\windows\Tasks\At19.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At2.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At20.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At21.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At22.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At23.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At24.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At3.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At4.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At5.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At6.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At7.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At8.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\At9.job
- c:\windows\system32\AbwkK38u.exe [2008-09-21 18:59]

2009-08-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 20:06]
.
- - - - ORPHANS REMOVED - - - -

Notify-cbXqqQih - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate Page - c:\program files\Google\googletoolbar.dll/cmtrans.html
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - hxxp://download.divx.com/player/DivXPlayerInstaller.exe
FF - ProfilePath - c:\documents and settings\reblw\Application Data\Mozilla\Firefox\Profiles\p6fokhh9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mb26.scout.com/fmississippi74787frm14

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 16:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3256)
c:\windows\system32\WININET.dll
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-31 16:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 21:34

Pre-Run: 36,283,715,584 bytes free
Post-Run: 36,520,198,144 bytes free

568 --- E O F --- 2009-08-27 08:00
  6. The run line finished but did not appear to save a logfile.
  7. Here is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

The run command "%userprofile%\desktop\win32kdiag.exe" -f -r is currently running; I will post that logfile if it saves a new one. Thanks for your help.
  8. Ok. Thanks, that program actually ran. Here is the log:

Log file is located at: C:\Documents and Settings\reblw\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Program Files\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\SHARED\RES\RES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Internet Logs\Internet Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Lycos\Lycos
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4ee3fbebbfecab84fe3a0e44ae24966f\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ba203fc55df79697d61ee240fe4d59fa\ba203fc55df79697d61ee240fe4d59fa
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\S-1-5-21-2804118902-3493737300-3796722626-1005\S-1-5-21-2804118902-3493737300-3796722626-1005
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Cinemagic\Cinemagic
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\DVDBuilder\Projects\Projects
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Proxy\Proxy
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Videos\My Videos
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Audio\Audio
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\DVDBuilder\Images\Images
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Libraries\Libraries
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Productions\Productions
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Video\Video
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\Data\Data
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 63488 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
[1] 2002-08-29 06:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\Machine\Machine
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\User\User
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\MpEngineStore\RebootActions\RebootActions
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\__SKIP_0290\__SKIP_0290
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\GOOD\GOOD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\tmp3\tmp3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Web\Wallpaper\inc\inc
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished!
  9. Infected. Windows Antivirus Pro logo on desktop and initially a large warning on desktop photo (not in a window). The latter was somewhere taken off along the road of multiple antivirus software products. CPU has Malwarebytes already installed, but it was disabled and not actively protecting. When the red circle with X and desktop icon showed up, attempts to run Malwarebytes started, then 3 seconds into the scan it shut down. PC Tools Spyware Doctor will scan and ID'd threats initially, including Antivirus Pro, but apparently it could not delete them, because immediately upon restart and a new scan it finds "RogueAntispyware.HomeAntivirus2010", "RogueAntispyware.XPAntipyware", and "AdwareAgentZO". I have tried reinstalling Malwarebytes under a different name, and under Safe Mode, but it will not run or I get a message beginning "Windows cannot access specified file....". I had earlier installed the OldTimer program and followed instructions to remove and perform a regedit, but it did not help. I have installed Avira Antivirus and it will scan to completion, and after finding multiple agents, it fails to delete them also. Now it comes up and won't perform a scan, although it is actively working because occasional windows pop up about a threat. I have installed and run Process Explorer; no Antivirus Pro or questionable icons show up. I have installed Rootkit, but it will not run. I have installed HijackThis, but it too will not run. I continue to have the red circle with X in the toolbar, and a message intermittently pops up and disappears from it saying "Your computer is infected". I don't know how to get to or post a logfile. Thanks for any help before I get someone to reformat the drive.