Jump to content

Clark95

Members
  • Posts

    17
  • Joined

  • Last visited

Everything posted by Clark95

  1. Thanks again for your help. So when I deleted the exe. files that got rid of them? So I should be clean? Also upon deleting CF does that re-set the restore point? Sorry for all the questions.
  2. Dr. Web Cureit found infections in Norton (SAV10) and a file in system restore that was a remnant of the file I removed earlier. Results below. It would not let me attach the file. SAV10_SE.exe/data002\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\SAV10_SE.exe/data002;Tool.Prockill;; data002;C:\Documents and Settings\Van Halen\My Documents;Archive contains infected objects;; SAV10_SE.exe/data003\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\SAV10_SE.exe/data003;Tool.Prockill;; data003;C:\Documents and Settings\Van Halen\My Documents;Archive contains infected objects;; SAV10_SE.exe;C:\Documents and Settings\Van Halen\My Documents;Container contains infected objects;Moved.; SAV10_SE.exe/data002\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\downloads\SAV10_SE.exe/data002;Tool.Prockill;; data002;C:\Documents and Settings\Van Halen\My Documents\downloads;Archive contains infected objects;; SAV10_SE.exe/data003\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\downloads\SAV10_SE.exe/data003;Tool.Prockill;; data003;C:\Documents and Settings\Van Halen\My Documents\downloads;Archive contains infected objects;; SAV10_SE.exe;C:\Documents and Settings\Van Halen\My Documents\downloads;Container contains infected objects;Moved.; A0061832.exe;C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP478;Trojan.Virtumod.2111;Incurable.Moved.; Latest HJT file: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 2:27:45 AM, on 7/20/2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.17055) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Tall Emu\Online Armor\oacat.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PDF Complete\pdfsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\SMINST\Scheduler.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Van Halen\Start Menu\Programs\Startup\ehtray.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Tall Emu\Online Armor\OAhlp.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/ O2 - BHO: KeyScramblerBHO Class - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [Pthosttr] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe" O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user') O4 - Startup: ehtray.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204604116367 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224913255875 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing) O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\APSHook.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: DeviceNP - DeviceNP.dll (file missing) O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oacat.exe O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe -- End of file - 11943 bytes
  3. Here's the Virustotal results. Downloading Dr. Web Cure-it now. VirusTotal.txt
  4. What are these files in quarantine? 2010-07-18 17:36:18 . 2010-07-18 17:36:18 800 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-LiveUpdate1.7.reg.dat 2010-07-18 17:36:17 . 2010-07-18 17:36:17 1,392 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-EZ Gig II.reg.dat 2010-07-18 17:35:44 . 2010-07-18 17:35:44 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat 2010-07-18 17:10:48 . 2010-07-18 17:29:08 6,895 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2010-07-18 16:51:46 . 2010-07-18 17:23:11 153 ----a-w- C:\Qoobox\Quarantine\catchme.log 2009-03-27 03:31:24 . 2009-03-27 03:31:24 685,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\is-D0260.exe.vir 2009-02-12 02:50:00 . 2009-02-12 02:50:00 685,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\is-QCK87.exe.vir 2007-07-16 17:18:15 . 2007-07-16 17:18:27 1,394 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir 1617-08-22 23:52:59 . 1617-08-22 23:52:59 3,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\6435MI93.ocx.vir The ones Combo Fix said it removed today (below) appear to have been already in quarantine according to the above log. c:\windows\6435MI93.ocx c:\windows\is-D0260.exe c:\windows\is-QCK87.exe c:\windows\xpsp1hfm.log ComboFix_quarantined_files.txt
  5. Ok I ran a fresh copy of Combo-Fix. My machine re-started and On-Line Armour came back on and halted the process. I allowed the 2 Combo Fix files it flagged and ran it again. The report of that scan is below: ComboFix 10-07-16.02 - Van Halen 07/18/2010 13:23:53.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2354 [GMT -4:00] Running from: c:\documents and settings\Van Halen\Desktop\ComboFix.exe AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . c:\windows\6435MI93.ocx c:\windows\is-D0260.exe c:\windows\is-QCK87.exe c:\windows\xpsp1hfm.log . ((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 ))))))))))))))))))))))))))))))) . 2010-07-04 08:04 . 2010-07-04 08:04 -------- d-----w- c:\documents and settings\Van Halen\Application Data\OutWit 2010-06-29 06:54 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-07-09 00:50 . 2008-03-06 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-07-09 00:05 . 2010-07-09 00:05 388096 ----a-r- c:\documents and settings\Van Halen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-07-08 23:17 . 2008-03-06 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-07-08 23:17 . 2008-03-06 03:10 -------- d-----w- c:\program files\SpywareBlaster 2010-07-07 16:25 . 2009-02-03 03:36 22600 ----a-w- c:\windows\system32\drivers\OAmon.sys 2010-07-07 16:25 . 2009-02-03 03:36 28232 ----a-w- c:\windows\system32\drivers\OAnet.sys 2010-07-07 16:25 . 2009-02-03 03:36 236104 ----a-w- c:\windows\system32\drivers\OADriver.sys 2010-06-28 20:57 . 2010-01-27 23:43 165032 ----a-w- c:\windows\system32\aswBoot.exe 2010-06-28 20:37 . 2010-01-27 23:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2010-06-28 20:37 . 2010-01-27 23:43 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys 2010-06-28 20:33 . 2010-01-27 23:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2010-06-28 20:32 . 2010-01-27 23:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2010-06-28 20:32 . 2010-01-27 23:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys 2010-06-28 20:32 . 2010-01-27 23:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2010-06-28 20:32 . 2010-01-27 23:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2010-06-28 03:03 . 2009-01-17 00:35 -------- d-----w- c:\program files\CCleaner 2010-06-17 16:38 . 2010-06-19 16:18 89600 ----a-w- c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll 2010-06-17 16:38 . 2010-06-19 16:18 89088 ----a-w- c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.6.dll 2010-06-17 16:38 . 2010-06-19 16:18 89088 ----a-w- c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.5.dll 2010-06-14 14:30 . 2004-08-04 08:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe 2010-06-12 17:15 . 2010-06-12 17:15 -------- d-----w- c:\program files\WOT 2010-06-05 00:25 . 2010-05-27 03:05 -------- d-----w- c:\program files\QuickTime 2010-06-05 00:25 . 2008-03-15 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2010-06-03 23:34 . 2010-06-03 23:27 -------- d-----w- c:\program files\R-STUDIO 2010-05-28 23:05 . 2008-03-15 13:37 -------- d-----w- c:\documents and settings\Van Halen\Application Data\Apple Computer 2010-05-27 03:06 . 2010-05-27 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-05-15 21:34 . 2010-05-15 21:34 711168 ----a-w- c:\windows\is-P4K38.exe 2010-05-04 17:20 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll 2010-05-04 17:20 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll 2010-05-04 17:20 . 2004-08-04 08:00 17408 ------w- c:\windows\system32\corpol.dll 2010-05-02 05:56 . 2004-08-04 08:00 1850880 ----a-w- c:\windows\system32\win32k.sys 2010-04-29 16:19 . 2009-01-11 07:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 16:19 . 2009-01-11 07:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-20 05:51 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll 2008-03-03 23:55 . 2008-03-03 23:55 56 --sha-w- c:\windows\SMINST\hpboot.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-28 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-25 8429568] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-25 81920] "nwiz"="nwiz.exe" [2007-05-25 1626112] "MsmqIntCert"="mqrt.dll" [2009-06-25 177152] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448] "Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912] "Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280] "Pthosttr"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120] "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\OAui.exe" [2010-07-07 6854984] "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X] c:\documents and settings\Van Halen\Start Menu\Programs\Startup\ ehtray.exe [2005-8-6 64512] SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-9 113664] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMMyDocs"= 01000000 "NoSMMyPictures"= 01000000 [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-07-07 924488] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-12-07 07:03 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP] 2007-04-30 15:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\APSHook.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ SbHpNp scecli [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] 2001-07-09 09:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\WINDOWS\\SMINST\\Scheduler.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\system32\drivers\ezgmntr.sys [3/21/2009 10:26 PM 170080] R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/15/2009 9:18 AM 64288] R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 10:23 PM 100095] R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 4:31 PM 44720] R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 7:54 PM 13696] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/27/2010 7:43 PM 165456] R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2/2/2009 11:36 PM 236104] R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2/2/2009 11:36 PM 22600] R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2/2/2009 11:36 PM 28232] R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 10:23 PM 5808] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 74480] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/27/2010 7:43 PM 17744] R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\system32\drivers\ezgfsfilt.sys [3/21/2009 10:26 PM 26912] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 4:13 PM 36608] R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [1/19/2009 1:34 PM 115312] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/11/2009 3:57 AM 20952] R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/16/2007 12:32 PM 47616] S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 4:13 PM 30008] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 Cognizance REG_MULTI_SZ ASBroker ASChannel getPlusHelper REG_MULTI_SZ getPlusHelper [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder 2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18] 2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18] 2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18] 2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18] 2010-07-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18] 2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139469626-2787614631-2259152266-1005Core.job - c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 16:53] 2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139469626-2787614631-2259152266-1005UA.job - c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 16:53] . . ------- Supplementary Scan ------- . uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/ IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM FF - ProfilePath - c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/ FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.5.dll FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.6.dll FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll FF - plugin: c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); . - - - - ORPHANS REMOVED - - - - Notify-NavLogon - (no file) AddRemove-EZ Gig II - c:\program files\Apricorn\EZ Gig II\ezbld.exe AddRemove-LiveUpdate1.7 - c:\program files\Symantec\LiveUpdate\LSETUP.EXE ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-07-18 13:35 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher] "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(636) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll c:\windows\SbHpNp.DLL c:\windows\system32\DeviceNP.dll - - - - - - - > 'lsass.exe'(692) c:\windows\SbHpNp.dll . Completion time: 2010-07-18 13:38:07 ComboFix-quarantined-files.txt 2010-07-18 17:37 Pre-Run: 15,332,753,408 bytes free Post-Run: 15,291,461,632 bytes free - - End Of File - - A73E1B53ED1745F0174D13F20332C07B
  6. I navigated to all 3 locations and deleted . Was able to delete the .exe and the other 2 Winrar folders. I will run the Kaspersky scan again soon.
  7. Avast 5 did not flag those files as trojans. Could these be FP's? Also can't I just go in delete these files as they are in Documents and settings. I can navigate to the one in Program file. Its an .exe. Please advise thanks AS!
  8. Here is results of the Kaspersky Scan. Says I have 3 Trojan.Win32.Monderb.amux. Report.html
  9. When someone forge's information can they make emails appear in your sent folder? Also the email was sent out using half the people in my address book. But if you think the threat is bogus I won't run the Combo-Fix. Thanks for your help AS.
  10. Ok I re-started the computer and found that even though I stopped the Online-Armour firewall it flagged the combo fix. So I when in and allowed it to run. Next I turned off Avast 5 on the toolbar but Combo-Fix says an Avast scanner is still running in the background. I did not continue because of the warnings of possible damage to my machine. Will I just have to uninstall Avast 5 to run this scan? Thanks!
  11. Hello and thank you for responding. I downloaded combo fix to desktop. I tried to run it but it said Windows could not access the specified device path or file. And that I may not have appropriate permissions to access the item. I am administrator. What do I do now? Thanks in advance.
  12. This was AOL webmail accessed through IE7. I had the password saved in the browser which I realize now was not a good idea. I have since changed the password. Please advise as to what I need to do at this point. Thanks!
  13. Just noticed a strange bookmark in my favorites for a URLOpener Productivity Tool. It says you can "Open a whole list of URLs at the same time!" with this tool.
  14. Looking back at the time the email was sent my laptop was started but not fully logged on. I had started it but it only got as far as the log on screen because I did not enter my password at that point. I got doing something else so it was about an hour or two before I logged on. My Avast anti-virus is set up to scan both outgoing and incoming email. But the laptop had not fully started when this email went out. The link in the email was for a pharmacutucal company and it appears to be a virus. Just trying to provide as much info as possible. Thanks again in advance for any help you can give me.
  15. Here is a copy of the mbam log. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4294 Windows 5.1.2600 Service Pack 2 Internet Explorer 7.0.5730.13 7/9/2010 12:55:12 AM mbam-log-2010-07-09 (00-55-12).txt Scan type: Quick scan Objects scanned: 144023 Time elapsed: 5 minute(s), 19 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
  16. Here is a copy of my logfile... Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 8:14:42 PM, on 7/8/2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.17055) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Tall Emu\Online Armor\oacat.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\logonui.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\PDF Complete\pdfsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\SMINST\Scheduler.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\Tall Emu\Online Armor\OAui.exe C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Van Halen\Start Menu\Programs\Startup\ehtray.exe C:\Program Files\Tall Emu\Online Armor\OAhlp.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/ O2 - BHO: KeyScramblerBHO Class - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [Pthosttr] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\OAui.exe" O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user') O4 - Startup: ehtray.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204604116367 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224913255875 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing) O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll O20 - AppInit_DLLs: APSHook.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: DeviceNP - DeviceNP.dll (file missing) O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oacat.exe O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe -- End of file - 12130 bytes
  17. Hello- I got an email last night that said mailer-demeon but it said I sent it. I checked my sent emails and there it was. It had a hotlink in the email and that was all. It was also sent to me. This is the first time this has happened. I have a HP laptop running XP. I have the paid version of Malwarebytes as well as Avast Home 5 installed. I have run scans with both and neither have detected anything. I also ran Spybot as well and it was clean. But I obviously have something because the email was sent using my address book and I did not sent it. Please help! Thanks in advance.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.