jen_drinjak
Members
Posts: 9
Reputation: 0 Neutral
  1. Here's the MBAM log; it was able to remove several viruses & trojans.

     Malwarebytes' Anti-Malware 1.50
     www.malwarebytes.org

     Database version: 5249

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 7.0.5730.13

     12/5/2010 1:44:24 PM
     mbam-log-2010-12-05 (13-44-24).txt

     Scan type: Full scan (C:\|)
     Objects scanned: 173173
     Time elapsed: 14 minute(s), 18 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 6

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\program files\Java\jre6\bin\java.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0000018.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0001105.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0001119.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
     c:\system volume information\_restore{64534b76-601d-4598-8429-4df73c537af3}\RP1\A0001306.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
     c:\WINDOWS\system32\java.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
  2. This machine appears to be malware-free now! Can you point me in the right direction for how to improve my Internet Explorer performance? I'm seeing it jump from using 5% of my CPU to 75%. It's generally just slow and I'm thinking maybe there are some settings I can change to speed it up. Here's the MBAM log.

     Malwarebytes' Anti-Malware 1.50
     www.malwarebytes.org

     Database version: 5248

     Windows 6.0.6002 Service Pack 2
     Internet Explorer 8.0.6001.18975

     12/5/2010 10:33:41 AM
     mbam-log-2010-12-05 (10-33-41).txt

     Scan type: Full scan (C:\|D:\|E:\|)
     Objects scanned: 337224
     Time elapsed: 1 hour(s), 35 minute(s), 6 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  3. Hi, here's the latest log. After running the ComboFix, I noticed that when it rebooted, I did not see any DLL errors. So, hopefully, that is a good sign. Thanks again for working through this with me.

     ComboFix 10-12-04.01 - Jennifer Drinjak 12/05/2010 8:57.4.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.613 [GMT -6:00]
     Running from: c:\computer fixes\ComboFix.exe
     Command switches used :: c:\computer fixes\CFScript.txt
     * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\wvtstq.dll
     .
     ((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
     .
     2010-12-03 22:24 . 2010-12-05 14:57 -------- d-----w- C:\Computer Fixes
     2010-12-02 19:32 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-12-02 19:32 . 2010-12-02 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-12-02 19:32 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-12-02 18:19 . 2010-12-02 18:19 -------- d-----w- c:\documents and settings\Jennifer Drinjak\Application Data\AVP 2009
     2010-11-24 04:55 . 2010-11-24 04:55 -------- d-----w- c:\documents and settings\Kat Drinjak\Local Settings\Application Data\Temp
     2010-11-23 19:50 . 2010-11-23 19:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
     2010-11-14 20:33 . 2010-11-14 20:33 -------- d-----w- c:\program files\Common Files\Java
     2010-11-14 20:31 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2010-11-14 19:42 . 2010-11-16 22:32 -------- d-----w- c:\documents and settings\Kat Drinjak\Application Data\AVP 2009
     2010-11-14 03:38 . 2010-11-14 05:33 -------- d-----w- c:\program files\Windows Live Safety Center
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-09-18 17:23 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2008-04-25 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2008-04-25 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll
     2010-09-15 08:29 . 2009-12-01 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2010-09-09 13:38 . 2008-04-25 20:33 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-09-09 13:38 . 2008-04-25 20:33 1830912 ------w- c:\windows\system32\inetcpl.cpl
     2010-09-09 13:38 . 2008-04-25 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-09-09 13:38 . 2008-04-25 20:33 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-09-08 15:57 . 2008-04-25 20:33 389120 ----a-w- c:\windows\system32\html.iec
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-12-03_23.06.53 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-12-05 15:02 . 2010-12-05 15:02 16384 c:\windows\temp\Perflib_Perfdata_29c.dat
     + 2010-12-05 15:03 . 2010-12-05 15:03 188416 c:\windows\ERDNT\AutoBackup\12-5-2010\Users\00000002\UsrClass.dat
     + 2010-12-05 15:03 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\12-5-2010\ERDNT.EXE
     + 2010-12-04 17:10 . 2010-12-04 17:10 188416 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000002\UsrClass.dat
     + 2010-12-04 17:10 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\12-4-2010\ERDNT.EXE
     + 2010-12-05 15:03 . 2010-12-05 15:03 3002368 c:\windows\ERDNT\AutoBackup\12-5-2010\Users\00000001\NTUSER.DAT
     + 2010-12-04 17:10 . 2010-12-04 17:10 3002368 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000001\NTUSER.DAT
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
     "RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
     "OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
     "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
     "WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
     "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

     c:\documents and settings\Jennifer Drinjak\Start Menu\Programs\Startup\
     ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

     R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/1/2009 6:30 AM 14248]
     R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/1/2009 6:35 AM 143840]
     R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/1/2009 8:00 AM 134144]
     R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/1/2009 8:00 AM 133632]
     R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/1/2009 8:00 AM 272256]
     R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/1/2009 7:59 AM 162816]
     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/1/2009 7:59 AM 1684736]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-12-05 09:03
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(840)
     c:\windows\System32\BCMLogon.dll

     - - - - - - - > 'explorer.exe'(2492)
     c:\windows\system32\WININET.dll
     c:\program files\Windows Desktop Search\deskbar.dll
     c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
     c:\program files\Windows Desktop Search\dbres.dll
     c:\program files\Windows Desktop Search\wordwheel.dll
     c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
     c:\program files\Windows Desktop Search\msnlExtRes.dll
     c:\windows\system32\ieframe.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     c:\program files\Dell Support Center\bin\sprtsvc.exe
     c:\windows\system32\wdfmgr.exe
     c:\windows\system32\SearchIndexer.exe
     c:\windows\system32\wbem\wmiapsrv.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\RTHDCPL.EXE
     c:\windows\system32\igfxsrvc.exe
     .
     **************************************************************************
     .
     Completion time: 2010-12-05 09:06:26 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-12-05 15:06
     ComboFix2.txt 2010-12-04 17:31
     ComboFix3.txt 2010-12-03 23:09

     Pre-Run: 138,611,494,912 bytes free
     Post-Run: 138,569,445,376 bytes free

     - - End Of File - - 62010F887228B6C70738BB1A8DEAF2F1
  4. ComboFix 10-12-03.03 - Jennifer Drinjak 12/04/2010 11:20:15.3.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.574 [GMT -6:00]
     Running from: c:\computer fixes\ComboFix.exe
     Command switches used :: c:\computer fixes\CFScript.txt

     FILE ::
     "c:\windows\system32\wvtstq.dll"
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\wvtstq.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_xqkjxypi

     ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
     .
     2010-12-03 22:24 . 2010-12-04 17:20 -------- d-----w- C:\Computer Fixes
     2010-12-02 19:32 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-12-02 19:32 . 2010-12-02 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-12-02 19:32 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-12-02 18:19 . 2010-12-02 18:19 -------- d-----w- c:\documents and settings\Jennifer Drinjak\Application Data\AVP 2009
     2010-11-24 04:55 . 2010-11-24 04:55 -------- d-----w- c:\documents and settings\Kat Drinjak\Local Settings\Application Data\Temp
     2010-11-23 19:50 . 2010-11-23 19:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
     2010-11-14 20:33 . 2010-11-14 20:33 -------- d-----w- c:\program files\Common Files\Java
     2010-11-14 20:31 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2010-11-14 19:42 . 2010-11-16 22:32 -------- d-----w- c:\documents and settings\Kat Drinjak\Application Data\AVP 2009
     2010-11-14 03:38 . 2010-11-14 05:33 -------- d-----w- c:\program files\Windows Live Safety Center
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-09-18 17:23 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2008-04-25 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2008-04-25 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll
     2010-09-15 08:29 . 2009-12-01 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2010-09-09 13:38 . 2008-04-25 20:33 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-09-09 13:38 . 2008-04-25 20:33 1830912 ------w- c:\windows\system32\inetcpl.cpl
     2010-09-09 13:38 . 2008-04-25 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-09-09 13:38 . 2008-04-25 20:33 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-09-08 15:57 . 2008-04-25 20:33 389120 ----a-w- c:\windows\system32\html.iec
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-12-03_23.06.53 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-12-04 17:27 . 2010-12-04 17:27 16384 c:\windows\Temp\Perflib_Perfdata_2ac.dat
     + 2010-12-04 17:10 . 2010-12-04 17:10 188416 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000002\UsrClass.dat
     + 2010-12-04 17:10 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\12-4-2010\ERDNT.EXE
     + 2010-12-04 17:10 . 2010-12-04 17:10 3002368 c:\windows\ERDNT\AutoBackup\12-4-2010\Users\00000001\NTUSER.DAT
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
     "ursqopaudio"="wvtstq.dll" [2010-12-04 0]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
     "RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
     "OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
     "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
     "WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
     "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
     "pmkhgfaudio"="wvtstq.dll" [2010-12-04 0]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "awwwuuaudio"="wvtstq.dll" [2010-12-04 0]

     c:\documents and settings\Jennifer Drinjak\Start Menu\Programs\Startup\
     ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

     R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/1/2009 6:30 AM 14248]
     R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/1/2009 6:35 AM 143840]
     R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/1/2009 8:00 AM 134144]
     R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/1/2009 8:00 AM 133632]
     R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/1/2009 8:00 AM 272256]
     R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/1/2009 7:59 AM 162816]
     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/1/2009 7:59 AM 1684736]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-12-04 11:28
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     c:\docume~1\JENNIF~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

     scan completed successfully
     hidden files: 1

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(840)
     c:\windows\System32\BCMLogon.dll

     - - - - - - - > 'explorer.exe'(2676)
     c:\windows\system32\WININET.dll
     c:\program files\Windows Desktop Search\deskbar.dll
     c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
     c:\program files\Windows Desktop Search\dbres.dll
     c:\program files\Windows Desktop Search\wordwheel.dll
     c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
     c:\program files\Windows Desktop Search\msnlExtRes.dll
     c:\windows\system32\ieframe.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     c:\program files\Dell Support Center\bin\sprtsvc.exe
     c:\windows\system32\wdfmgr.exe
     c:\windows\system32\SearchIndexer.exe
     c:\windows\system32\wbem\wmiapsrv.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\RTHDCPL.EXE
     c:\windows\system32\igfxsrvc.exe
     .
     **************************************************************************
     .
     Completion time: 2010-12-04 11:31:15 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-12-04 17:31
     ComboFix2.txt 2010-12-03 23:09

     Pre-Run: 138,640,867,328 bytes free
     Post-Run: 138,631,012,352 bytes free

     - - End Of File - - E32EFC2D0C80F613E7FBE0301A4F1F3E
  5. OK, here's the log. This machine is also giving error messages when booting up: "Error loading vttqpm.dll not found" and another DLL file that I wasn't able to write down. I can get it if you need the name.

     ComboFix 10-12-03.01 - Jennifer Drinjak 12/03/2010 16:58:01.2.2 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.656 [GMT -6:00]
     Running from: c:\computer fixes\ComboFix.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\wvtstq.dll
     .
     ---- Previous Run -------
     .
     c:\documents and settings\Jennifer Drinjak\Application Data\Install.dat
     c:\documents and settings\Kat Drinjak\Application Data\FunWebProducts
     c:\documents and settings\Kat Drinjak\Application Data\FunWebProducts\Data\Kat Drinjak\avatar.dat
     c:\documents and settings\Kat Drinjak\Application Data\Install.dat
     c:\program files\FunWebProducts
     c:\program files\MyWebSearch
     c:\program files\MyWebSearch\bar\History\search3
     c:\program files\MyWebSearch\bar\Settings\s_pid.dat
     c:\program files\MyWebSearch\bar\Settings\setting2.htm
     c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
     c:\program files\MyWebSearch\bar\Settings\settings.dat
     c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
     c:\windows\system32\config\system~1\applic~1\install.dat
     c:\windows\system32\VolumeMSPrLam.dll
     c:\windows\system32\wvtstq.dll
     .
     ((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))
     .
     2010-12-03 22:24 . 2010-12-03 22:26 -------- d-----w- C:\Computer Fixes
     2010-12-02 19:32 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-12-02 19:32 . 2010-12-02 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-12-02 19:32 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-12-02 18:19 . 2010-12-02 18:19 -------- d-----w- c:\documents and settings\Jennifer Drinjak\Application Data\AVP 2009
     2010-11-24 04:55 . 2010-11-24 04:55 -------- d-----w- c:\documents and settings\Kat Drinjak\Local Settings\Application Data\Temp
     2010-11-23 19:50 . 2010-11-23 19:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
     2010-11-14 20:33 . 2010-11-14 20:33 -------- d-----w- c:\program files\Common Files\Java
     2010-11-14 20:31 . 2010-09-15 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2010-11-14 19:42 . 2010-11-16 22:32 -------- d-----w- c:\documents and settings\Kat Drinjak\Application Data\AVP 2009
     2010-11-14 03:38 . 2010-11-14 05:33 -------- d-----w- c:\program files\Windows Live Safety Center
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-12-03 23:07 . 2010-10-27 01:25 98304 ---ha-w- c:\windows\system32\wvtstq.dll
     2010-09-18 17:23 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2008-04-25 20:33 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2008-04-25 20:33 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2008-04-25 20:33 953856 ----a-w- c:\windows\system32\mfc40u.dll
     2010-09-15 08:29 . 2009-12-01 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2010-09-09 13:38 . 2008-04-25 20:33 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-09-09 13:38 . 2008-04-25 20:33 1830912 ------w- c:\windows\system32\inetcpl.cpl
     2010-09-09 13:38 . 2008-04-25 20:33 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-09-09 13:38 . 2008-04-25 20:33 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-09-08 15:57 . 2008-04-25 20:33 389120 ----a-w- c:\windows\system32\html.iec
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
     "nnopqpaudio"="wvtstq.dll" [2010-12-03 98304]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
     "RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
     "OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
     "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
     "WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
     "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
     "khiihfaudio"="wvtstq.dll" [2010-12-03 98304]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "yabbyvaudio"="wvtstq.dll" [2010-12-03 98304]

     c:\documents and settings\Jennifer Drinjak\Start Menu\Programs\Startup\
     ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

     R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/1/2009 6:30 AM 14248]
     R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/1/2009 6:35 AM 143840]
     R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/1/2009 8:00 AM 134144]
     R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/1/2009 8:00 AM 133632]
     R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/1/2009 8:00 AM 272256]
     R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/1/2009 7:59 AM 162816]
     S1 xqkjxypi;xqkjxypi;\??\c:\windows\system32\drivers\xqkjxypi.sys --> c:\windows\system32\drivers\xqkjxypi.sys [?]
     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/1/2009 7:59 AM 1684736]
     S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
     S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
     .
     - - - - ORPHANS REMOVED - - - -

     HKCU-Run-rqpommaudio - vttqpm.dll
     HKLM-Run-qoppqnsys - iiighi.dll
     HKU-Default-Run-xxvsposys - iiighi.dll
     SafeBoot-mcmscsvc
     SafeBoot-MCODS

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-12-03 17:06
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(840)
     c:\windows\System32\BCMLogon.dll
     c:\windows\system32\wvtstq.dll

     - - - - - - - > 'explorer.exe'(860)
     c:\windows\system32\WININET.dll
     c:\program files\Windows Desktop Search\deskbar.dll
     c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
     c:\program files\Windows Desktop Search\dbres.dll
     c:\program files\Windows Desktop Search\wordwheel.dll
     c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
     c:\program files\Windows Desktop Search\msnlExtRes.dll
     c:\windows\system32\wvtstq.dll
     c:\windows\system32\ieframe.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     c:\program files\Dell Support Center\bin\sprtsvc.exe
     c:\windows\system32\wdfmgr.exe
     c:\windows\system32\SearchIndexer.exe
     c:\windows\system32\wbem\wmiapsrv.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\system32\SearchProtocolHost.exe
     c:\windows\RTHDCPL.EXE
     c:\windows\system32\igfxsrvc.exe
     c:\windows\system32\rundll32.exe
     c:\windows\system32\SearchFilterHost.exe
     .
     **************************************************************************
     .
     Completion time: 2010-12-03 17:09:25 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-12-03 23:09

     Pre-Run: 138,775,158,784 bytes free
     Post-Run: 138,673,516,544 bytes free

     - - End Of File - - 790F839D9C96B6AE35FE2F3A51048B23
  6. ComboFix 10-12-02.06 - Jennifer 12/03/2010 14:02:18.1.2 - x86 Microsoft
  7. Thanks for your help. The main problem I'm having on this machine is just general slowdown. I want to make sure it is not infected. IE is especially slow. Other various problems are programs that fail when I try to update (gSyncit - lets me sync Google mail with MS Outlook) and some programs that won't uninstall (Linksys Wireless-G Print Server). I would also love some info about how to clean out the start menu so the machine will boot up faster. The 3 logs were too big for a single post, so I've compressed the biggest one, the OTL log at 148 KB, and attached it. The extra.txt and rku logs are below.
  8. Hi, This is my second post regarding a household infection of antimalware pro. Unlike my laptop, this netbook is unable to run Malwarebytes' Anti-Malware. It installs, but I think the infection is preventing it from running. I cannot even open the program, even after reinstalling. Please see my previous post for more details. I followed the "I'm infected, what do I do now?" instructions and have the following logs for anyone who is kind enough to help me. Thanks again for the help, Jennifer
  9. Hi, I have 2 machines infected with Anti-malware pro. This post will be for my laptop, and I'll do a separate post for my daughter's netbook. This started with her getting infected with a browser hijacker, and then I thought a different antivirus would fix it. Well, I didn't do enough research and ended up paying for Anti-malware pro for 3 machines! (Thankfully, I didn't install it on the third yet.) I am able to run Malwarebytes' Anti-Malware and it comes up clean, however my HijackThis log showed that I was still infected. I am out of my element here, but really don't want to pay $150 to Geek Squad - that's almost as much as a new netbook! Thanks to anyone who can help me. Jennifer
     I followed the instructions from the "I'm infected, what do I do now?" post. In addition to the Malwarebytes and DDS logs, I'm also including a HijackThis log in my post, plus the other two compressed logs. So here are my logs:
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\sttray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\gSyncit\gsyncit.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Adobe\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe
E:\Program Files\V CAST Music with Rhapsody\MEMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jennifer\Desktop\Computer Fixes\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [updReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [gSyncit] C:\Program Files\gSyncit\gsyncit.exe
O4 - Startup: Jacquie Lawson Advent Calendar.lnk = C:\Program Files\Adobe\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe
O4 - Startup: V CAST Media Monitor.lnk = E:\Program Files\V CAST Music with Rhapsody\MEMonitor.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.toontown.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader57.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: GoToAssist - C:\Windows\
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McciServiceHost - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciServiceHost.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7680 bytes

Attach.zip
ark.zip
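A HijackThis log like the one above is read entry by entry: R0/R1 lines are browser settings, O1 lines are hosts-file entries, O10 lines are Winsock LSP DLLs (one line per catalog entry, which is why a single DLL repeats), O15 lines are Trusted Zone additions, O20 lines are Winlogon Notify hooks, and O23 lines are installed services. The Python script below is an added example, not code from the forum post or from Trend Micro HijackThis: it parses that line format, groups entries by section, and pulls out the classes a responder looks at first, collapsing repeated O10 lines into one finding with a count and flagging O23 services marked "(file missing)". The watch-list reasons, the `example.invalid` names and the whole `SAMPLE_LOG` are constructed for this example.

```python
"""Triage helper for HijackThis-style logs.

Added example (not code from the forum post or from Trend Micro HijackThis).
It parses the "Oxx - ..." / "Rx - ..." entry lines, groups them by section,
and pulls out the entry classes a responder reads first: hosts-file
overrides (O1), Winsock LSP entries (O10), Trusted Zone additions (O15),
Winlogon Notify hooks (O20) and services whose binary is missing (O23).
The watch-list reasons and SAMPLE_LOG below are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# One HijackThis entry: a section tag (R0, O4, O23, ...), " - ", then the body
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# Sections that always deserve a look, with the reason (constructed list)
WATCH = {
    "O1": "hosts-file override; can silently redirect update or AV domains",
    "O15": "Trusted Zone entry; IE relaxes its security settings for that site",
    "O20": "Winlogon Notify hook; DLL loaded at logon with SYSTEM privileges",
}

# The stock IPv6 loopback line that Vista ships in its hosts file
BENIGN_HOSTS = {"hosts: ::1 localhost"}


def parse(log_text):
    """Group every entry line by section: {"O4": [body, ...], ...}.

    Header lines and the 'Running processes' paths do not match ENTRY_RE
    and are ignored.
    """
    entries = defaultdict(list)
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("sec")].append(match.group("body"))
    return dict(entries)


def triage(log_text):
    """Return (section, body, reason) tuples for the entries to review."""
    entries = parse(log_text)
    findings = []

    for sec, reason in WATCH.items():
        for body in entries.get(sec, []):
            if sec == "O1" and body.strip().lower() in BENIGN_HOSTS:
                continue  # the default loopback mapping is not a finding
            findings.append((sec, body, reason))

    # HijackThis prints one O10 line per Winsock catalog entry, so a single
    # LSP DLL hooked into several protocol chains repeats; report the DLL
    # once with its count instead of once per line.
    for body, count in Counter(entries.get("O10", [])).items():
        findings.append(
            ("O10", body, f"Winsock LSP with {count} catalog entries; verify the DLL's publisher")
        )

    # A service that still has a registry entry but no binary on disk is
    # either an uninstall leftover or a tampered entry; either way, check it.
    for body in entries.get("O23", []):
        if "(file missing)" in body:
            findings.append(("O23", body, "service registered but its binary is absent"))

    return findings


def summarize(findings):
    """Count findings per section, for a one-line 'what needs a look' view."""
    return dict(Counter(sec for sec, _body, _reason in findings))


# Constructed sample in the HijackThis line format (paths and names invented)
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.7 update.example.invalid
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_lsp.dll
O15 - Trusted Zone: *.example.invalid
O20 - Winlogon Notify: ExampleHook - C:\Windows\
O23 - Service: Example Service - Unknown owner - C:\Program Files\Example\svc.exe (file missing)
O23 - Service: Other Service - Example Inc. - C:\Program Files\Other\other.exe
"""

if __name__ == "__main__":
    for sec, body, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {body}\n      -> {reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, `triage` returns five findings (one each for the hosts override, the Trusted Zone, the Winlogon hook, the doubled LSP DLL and the missing service binary) and leaves the `::1 localhost` line and the ordinary O2/O23 entries alone; the point of the script is to cut a 100-line log down to the handful of lines worth verifying by hand, not to decide on its own that anything is malicious.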