
Squirrel

Everything posted by Squirrel

  1. Dear Maniac, Yes, the page file is important, but I had turned it off so scanners would not waste time on it. Obviously once the system is back to normal it will be turned back on. The puzzle is why it never went. I contacted F-Secure and was told to uninstall all non-F-Secure AV, then reinstall F-Secure and rely entirely upon F-Secure and not reinstall alternatives. Conflicts between AVs make sense for DeepGuard-type active monitoring, but the update concerned traces for scanning and this should not cause program conflicts; files would just be passively examined. I am awaiting a fuller response. My concern is that F-Secure might actively be stopping other AV and their updates. F-Secure should not, as it would be illegal in the US, for example, in regard to antitrust laws (customers must be able to evaluate competitor software unless there is good reason, and then with notification). But then programmers at Google foolishly built into Street View the picking up of Wi-Fi network data, something Google's lawyers should have warned them was illegal. Best, John
  2. Maniac, Apologies, I did not see your more recent post. In F-Secure connections Emsisoft is given "allow" for both outbound and inbound. I do not see a way to give it an exception in the firewall other than this. The puzzle is that Emsisoft (I have rechecked) will download updates through the F-Secure firewall, but only if the rest of F-Secure is unloaded. John
  3. Maniac, Apologies for not reading and understanding your last instruction. I ran Junction again and it produced the following output:

     Junction v1.06 - Windows junction creator and reparse point viewer
     Copyright © 2000-2010 Mark Russinovich
     Sysinternals - www.sysinternals.com
     Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
     Failed to open \\?\c:\\System Volume Information: Access is denied.

     The existence of pagefile.sys is a mystery, since XP is set not to use it and it should have been deleted, but a 2GB pagefile.sys file remains. John
  4. Maniac, thanks for your help. Malwarebytes can now update. But Emsisoft Anti-Malware cannot. Or rather, Emsisoft can update and connect to the internet provided F-Secure is unloaded down to only its firewall. Emsisoft has not had this problem before with F-Secure. I ran both Malwarebytes and F-Secure and they found nothing. Is it clean? Can I transfer files off the PC without transferring an infection? John
  5. Thanks Maniac, Here is the cut and paste from Junction. Best, John

     -- 19:14:30 3/10/10 - LocalSocketProtocol::readNextMessage (C:\Users\bitten\mendeley\manual\source\src\localSocket\LocalSocketProtocol.cpp:172) readNextMessage: unexpected end of the ioDevice
     -- 19:14:30 3/10/10 - LocalSocketProtocol::decodeMessage (C:\Users\bitten\mendeley\manual\source\src\localSocket\LocalSocketProtocol.cpp:122) LocalSocketProtocol: message malformed: empty
  6. Maniac, Thanks for suggesting ESET Online Scanner. It took some time scanning but to nil result. I checked Malwarebytes but it still will not update, and indeed it stopped Firefox, requiring a reboot. Best, John

     ESETSmartInstaller@High as downloader log:
     all ok
     # version=7
     # OnlineScannerApp.exe=1.0.0.1
     # OnlineScanner.ocx=1.0.0.6415
     # api_version=3.0.2
     # EOSSerial=9fde2087d1acce4f8ea1e5b4112ca3e0
     # end=stopped
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-12-17 09:58:37
     # local_time=2010-12-17 09:58:37 (+0000, GMT Standard Time)
     # country="United Kingdom"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=2304 16777191 100 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 3774 3774 0 0
     # scanned=73832
     # found=0
     # cleaned=0
     # scan_time=2964

     ESETSmartInstaller@High as downloader log:
     all ok
     # version=7
     # OnlineScannerApp.exe=1.0.0.1
     # OnlineScanner.ocx=1.0.0.6415
     # api_version=3.0.2
     # EOSSerial=9fde2087d1acce4f8ea1e5b4112ca3e0
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-12-18 06:19:40
     # local_time=2010-12-18 06:19:40 (+0000, GMT Standard Time)
     # country="United Kingdom"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=2304 16777175 100 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 41668 41668 0 0
     # scanned=338992
     # found=0
     # cleaned=0
     # scan_time=38424
  7. Dear Maniac, Thanks, I followed your instructions and did an F-Secure scan, but this found nothing. I then retried Malwarebytes. Unfortunately it still refused to connect, as did other AV programs when tested, even though Firefox and Chrome have no problems accessing the internet. I then ran ComboFix several times (the first time it needed the Windows console); next I added that, fully turned off F-Secure [unplugging the PC from the router] and killed all background programs. This seemed to be positive. I ran F-Secure again, which found Malware!Gemini. Unfortunately, even though this was quarantined, the situation of not being able to update Malwarebytes and other AV programs remains, in spite of Firefox, Chrome and F-Secure being able to access the internet. Malwarebytes gives the error PROGRAM_ERROR_UPDATING (12002, 0, WinHttpReceiveResponse). I cut and paste below the logs from F-Secure and ComboFix. Best, John

     This is the F-Secure log -- note the file XXOLDTRASH.MBX dates back to 2003.

     17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini BEGIN
     ;
     ;Log created by USS version 4.10.16410
     ;
     17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\PROGRAM FILES\REGSEEKER\REGSEEKER.EXE" quarantined success
     17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\PROGRAM FILES\REGSEEKER\REGSEEKER.EXE" deleted success
     17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini END
     17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini BEGIN
     ;
     ;Log created by USS version 4.10.16410
     ;
     17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini file "F:\SYSTEM VOLUME INFORMATION\_RESTORE{C4365319-5737-4505-B996-8F6CA36D2EBD}\RP90\A0018870.EXE" quarantined success
     17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini file "F:\SYSTEM VOLUME INFORMATION\_RESTORE{C4365319-5737-4505-B996-8F6CA36D2EBD}\RP90\A0018870.EXE" deleted success
     17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini END
     17.12.2010 05:36:08 Exploit.Iframe.Vulnerability BEGIN
     ;
     ;Log created by USS version 4.10.16410
     ;
     17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\EMAIL BACKUP\__HOME_EMAIL\EUDORA6\XXOLDTRASH.MBX" quarantined failed
     17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\EMAIL BACKUP\__HOME_EMAIL\EUDORA6\XXOLDTRASH.MBX" deleted failed
     17.12.2010 05:36:08 Exploit.Iframe.Vulnerability END
     17.12.2010 05:40:01 Exploit.Iframe.Vulnerability BEGIN
     ;
     ;Log created by USS version 4.10.16410
     ;
     17.12.2010 05:40:01 Exploit.Iframe.Vulnerability file "J:\ARCHIVE\MY OTHER DOCUMENTS\EUDORA5\XXOLDTRASH.MBX" quarantined failed
     17.12.2010 05:40:01 Exploit.Iframe.Vulnerability file "J:\ARCHIVE\MY OTHER DOCUMENTS\EUDORA5\XXOLDTRASH.MBX" deleted failed
     17.12.2010 05:40:01 Exploit.Iframe.Vulnerability END

     ----------------------------------------------------------------------
     ComboFix log

     ComboFix 10-12-14.05 - Administrator 17/12/2010 3:44.6.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT 0:00]
     Running from: l:\d\Combo-Fix.exe
     Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     AV: F-Secure Client Security 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
     FW: F-Secure Client Security 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
     .
     ((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
     .
     2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository
     2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys
     2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe
     2010-12-15 01:25 . 2010-12-17 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-12-14 13:09 . 2010-12-17 02:44 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
     2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
     2010-12-14 13:09 .
2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft 2010-12-13 05:54 . 2010-12-17 02:46 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData 2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX 2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler 2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc 2010-11-30 12:22 . 2010-12-17 03:38 -------- d-----w- c:\program files\Everything 2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128 2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA% 2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs 2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys 2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys 2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys 2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll 2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll 2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll 2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl 2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec 2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys 2010-10-28 13:13 . 
2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll 2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll 2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys 2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe 2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe 2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys 2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys 2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys 2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll 2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe 2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe 2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe 2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe 2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe 2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe 2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe 2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ((((((((((((((((((((((((((((( SnapShot_2010-12-16_18.58.23 ))))))))))))))))))))))))))))))))))))))))) . + 2003-02-07 18:24 . 
2010-12-17 02:38 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat - 2003-02-07 18:24 . 2010-12-14 02:55 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2003-02-07 18:24 . 2010-12-17 02:38 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2003-02-07 18:24 . 2010-12-14 02:55 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-12-11 15:38 . 2010-12-17 02:38 16384 f:\windows\system32\config\systemprofile\IETldCache\index.dat - 2009-12-11 15:38 . 2010-12-14 02:55 16384 f:\windows\system32\config\systemprofile\IETldCache\index.dat + 2010-12-17 02:44 . 2010-12-17 02:44 1867776 f:\windows\Installer\7a5e0.msi . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2] @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}" [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}] 2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3] @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}" [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}] 2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744] "F-Secure TNB"="c:\program 
files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424] "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888] "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\ OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWinKeys"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMHelp"= 01000000 "NoRecentDocsNetHood"= 01000000 "NoSMMyDocs"= 01000000 "NoSMMyPictures"= 00000000 "NoNetworkConnections"= 01000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" "WService"=WService.EXE [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe "InCD"=c:\program files\Nero\Nero 
7\InCD\InCD.exe "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR "nwiz"=nwiz.exe /install "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe" "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664] R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080] R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328] R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240] R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144] R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808] R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112] R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728] S0 Lbd;Lbd; [x] S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?] 
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384] S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?] S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808] S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904] S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192] S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456] S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192] S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525] S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000] S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112] S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896] S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512] S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256] S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896] S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048] S3 WinRM;Windows Remote Management 
(WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264] S4 NProtectService;Norton Unerase Protection; [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 WINRM REG_MULTI_SZ WINRM [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll . 
Contents of the 'Scheduled Tasks' folder 2010-12-17 f:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21] 2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48] 2010-12-17 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48] 2010-12-17 f:\windows\Tasks\WGASetup.job - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18] . . ------- Supplementary Scan ------- . uStart Page = about:blank uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000 IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105 IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL DPF: DirectAnimation Java Classes DPF: Microsoft XML Parser for Java FF - ProfilePath - . . ------- File Associations ------- . txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1" . 
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-17 03:49 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] 
@="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*] "Licence0"="04F0D21-79D8-7A25-D702-433F" [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf] @DACL=(02 0000) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(756) f:\windows\system32\Ati2evxx.dll c:\program files\f-secure\hips\fshook32.dll - - - - - - - > 'lsass.exe'(812) c:\program files\f-secure\hips\fshook32.dll - - - - - - - > 'explorer.exe'(1728) f:\windows\system32\WININET.dll c:\program files\Logitech\MouseWare\System\LgWndHk.dll c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll c:\program files\MozyHome\mozyshell.dll c:\program files\MozyHome\LIBEAY32.dll c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll f:\windows\system32\msi.dll f:\windows\system32\ieframe.dll f:\windows\system32\webcheck.dll f:\windows\system32\WPDShServiceObj.dll f:\windows\system32\PortableDeviceTypes.dll f:\windows\system32\PortableDeviceApi.dll f:\windows\System32\netshell.dll . 
Completion time: 2010-12-17 03:51:00 ComboFix-quarantined-files.txt 2010-12-17 03:50 ComboFix2.txt 2010-12-17 03:34 ComboFix3.txt 2010-12-17 03:24 ComboFix4.txt 2010-12-16 19:00 ComboFix5.txt 2010-12-17 03:41 Pre-Run: 55,017,357,312 bytes free Post-Run: 54,987,948,032 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS - - End Of File - - 12F0778DACDA0CDA4AC1CD18015FE842
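As an added example (not part of the post, and not F-Secure's own tooling), here is a small Python parser for the F-Secure USS log format pasted in the post above. The log wraps each detection in a BEGIN/END block with ';' comment lines, and every file line ends with the action taken and its result. The parser pulls those file records out and then lists the paths for which no action succeeded, which is the first thing a practitioner wants from such a log: here the two Eudora mailbox files were detected but neither quarantined nor deleted, so whatever triggered the detection is still sitting in those archives. The sample log is constructed from the lines in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two detection blocks copied in shape from the F-Secure log in the post.
SAMPLE_LOG = """\
17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini BEGIN
;
;Log created by USS version 4.10.16410
;
17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\\PROGRAM FILES\\REGSEEKER\\REGSEEKER.EXE" quarantined success
17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\\PROGRAM FILES\\REGSEEKER\\REGSEEKER.EXE" deleted success
17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini END
17.12.2010 05:36:08 Exploit.Iframe.Vulnerability BEGIN
;
;Log created by USS version 4.10.16410
;
17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\\EMAIL BACKUP\\__HOME_EMAIL\\EUDORA6\\XXOLDTRASH.MBX" quarantined failed
17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\\EMAIL BACKUP\\__HOME_EMAIL\\EUDORA6\\XXOLDTRASH.MBX" deleted failed
17.12.2010 05:36:08 Exploit.Iframe.Vulnerability END
"""

# One file-action line: timestamp, detection name, quoted path, action, result.
# BEGIN/END markers and ';' comment lines do not match and are skipped.
ACTION_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) '
    r'(?P<detection>\S+) file "(?P<path>[^"]+)" '
    r'(?P<action>\w+) (?P<result>success|failed)$'
)


def parse_uss_log(text):
    """Return one dict per file-action line, with the timestamp parsed to a datetime."""
    records = []
    for line in text.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d.%m.%Y %H:%M:%S")
        records.append(rec)
    return records


def unremediated(records):
    """Paths for which no action (quarantine or delete) succeeded: the file is still on disk."""
    outcomes = defaultdict(set)
    for r in records:
        outcomes[(r["detection"], r["path"])].add(r["result"])
    return sorted(path for (_, path), results in outcomes.items() if "success" not in results)


if __name__ == "__main__":
    recs = parse_uss_log(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["detection"], r["action"], r["result"], r["path"])
    print("still present:", unremediated(recs))
```

Applied to the full log in the post, this reports both XXOLDTRASH.MBX copies as unremediated. A mailbox file that the scanner cannot clean is better handled by opening it in the mail client and purging the offending message than by deleting the whole archive, but that is a judgement for whoever owns the mail.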
  8. Maniac, I notice ComboFix also created ComboFix-quarantined-files.txt. Here it is in case it is of any use. Best, John

     2010-12-15 11:57:52 . 2010-12-15 11:57:52 1,154 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat
     2010-12-15 11:57:51 . 2010-12-15 11:57:51 494 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-SiS7018.reg.dat
     2010-12-15 11:56:39 . 2010-12-15 11:56:39 853 ----a-w- F:\Qoobox\Quarantine\Registry_backups\WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98}.reg.dat
     2010-12-15 11:56:37 . 2010-12-15 11:56:38 798 ----a-w- F:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat
     2010-12-15 11:56:35 . 2010-12-15 11:56:35 571 ----a-w- F:\Qoobox\Quarantine\Registry_backups\BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed}.reg.dat
     2010-12-15 11:53:52 . 2010-12-15 11:53:52 336 ----a-w- F:\Qoobox\Quarantine\G\av1.zip
     2010-12-15 11:53:52 . 2004-05-01 02:01:00 53 ----a-w- F:\Qoobox\Quarantine\G\Autorun.inf.vir
     2010-12-15 11:32:39 . 2010-12-16 18:56:28 9,080 ----a-w- F:\Qoobox\Quarantine\Registry_backups\tcpip.reg
     2010-12-15 11:27:31 . 2010-12-16 18:50:12 153 ----a-w- F:\Qoobox\Quarantine\catchme.log
     2010-08-16 11:45:28 . 2007-12-15 08:07:52 90,112 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\ccrpTmr6.dll.vir
     2004-02-16 10:56:05 . 2007-06-27 07:13:31 0 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WIN.INI.vir
     2003-04-08 10:48:22 . 1999-08-16 18:20:56 715 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\system\color\DivioCAM.icm.vir
     2002-09-07 17:23:46 . 2002-09-07 17:23:46 28,672 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WService.exe.vir
     1999-12-06 23:00:00 . 1999-12-06 23:00:00 24,956 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\twain_16.dll.vir
     1617-10-04 18:22:49 . 1617-10-04 18:22:49 3,120 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\42KJE738.ocx.vir
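As an added example (not from the post and not part of ComboFix), here is a Python parser for the quarantine listing above. Each entry carries two timestamps, a byte size with thousands separators, an attribute string and the quarantined path. The parser separates the files ComboFix moved out (it appends .vir) from its own registry backups, and then applies a check a forensic reviewer would run on any such listing: it flags entries whose timestamp falls before a plausible floor or after the time of the log itself. The 1617 date on the last entry is one such value; a timestamp like that cannot come from normal file activity and marks the file for a closer look regardless of its name. The four sample lines are constructed from the listing in the post; the 1980 floor is an assumption, and which of the two timestamps is "modified" and which "created" is not stated in the listing, so both are checked the same way.

```python
import re
from datetime import datetime

# Constructed sample: four entries copied in shape from ComboFix-quarantined-files.txt in the post.
SAMPLE_LISTING = """\
2010-12-15 11:57:52 . 2010-12-15 11:57:52 1,154 ----a-w- F:\\Qoobox\\Quarantine\\Registry_backups\\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat
2010-12-15 11:53:52 . 2004-05-01 02:01:00 53 ----a-w- F:\\Qoobox\\Quarantine\\G\\Autorun.inf.vir
2002-09-07 17:23:46 . 2002-09-07 17:23:46 28,672 ----a-w- F:\\Qoobox\\Quarantine\\F\\WINDOWS\\system32\\WService.exe.vir
1617-10-04 18:22:49 . 1617-10-04 18:22:49 3,120 ----a-w- F:\\Qoobox\\Quarantine\\F\\WINDOWS\\system32\\42KJE738.ocx.vir
"""

# One entry: "<ts_a> . <ts_b> <size> <attrs> <path>". The listing does not say which
# timestamp is modified and which is created (assumption: treat both alike).
ENTRY_RE = re.compile(
    r'^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. '
    r'(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<size>[\d,]+) (?P<attr>[-a-z]{8}) (?P<path>.+)$'
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_quarantine_listing(text):
    """Return one dict per entry: both timestamps as datetime, size as int, attr and path as str."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header or blank line, not an entry
        entries.append({
            "ts_a": datetime.strptime(m["ts_a"], TS_FMT),
            "ts_b": datetime.strptime(m["ts_b"], TS_FMT),
            "size": int(m["size"].replace(",", "")),
            "attr": m["attr"],
            "path": m["path"],
        })
    return entries


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def quarantined_files(entries):
    """Base names of files ComboFix moved out (suffix .vir); its registry backups are excluded."""
    return [basename(e["path"]) for e in entries if e["path"].lower().endswith(".vir")]


def implausible_timestamps(entries, log_time, earliest=datetime(1980, 1, 1)):
    """Base names of entries with a timestamp before `earliest` or after the log itself.
    The 1980 floor is an assumption (FAT epoch; nothing on an XP box should predate it)."""
    flagged = []
    for e in entries:
        if any(not (earliest <= ts <= log_time) for ts in (e["ts_a"], e["ts_b"])):
            flagged.append(basename(e["path"]))
    return flagged


if __name__ == "__main__":
    entries = parse_quarantine_listing(SAMPLE_LISTING)
    log_time = max(e["ts_a"] for e in entries)  # newest entry stands in for the log's own time
    print("quarantined:", quarantined_files(entries))
    print("implausible timestamps:", implausible_timestamps(entries, log_time))
```

Run against the full listing in the post, the timestamp check singles out 42KJE738.ocx.vir alone; everything else sits between 1999 and the day of the scan. That does not make the file malicious, only worth submitting to a multi-engine scanner or the forum helper before it is restored or discarded.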
  9. Thanks Maniac, This is a bit of a learning curve for me, so apologies for not realizing that WinPatrol should have been disabled. I installed the Recovery Console. Here is the new ComboFix.txt. Best, John

     ComboFix 10-12-14.05 - Administrator 16/12/2010 18:53:44.3.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT 0:00]
     Running from: l:\d\Combo-Fix.exe
     Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
     FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}
     .
     ((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
     .
     2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository
     2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp
     2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys
     2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe
     2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
     2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
     2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft
     2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData
     2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX
     2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler
     2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc
     2010-11-30 12:22 .
2010-12-16 17:47 -------- d-----w- c:\program files\Everything 2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128 2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA% 2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs 2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys 2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys 2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys 2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll 2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll 2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll 2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl 2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec 2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys 2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll 2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll 2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys 2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe 2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe 2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys 2010-09-28 13:03 . 
2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys 2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys 2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll 2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe 2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe 2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe 2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe 2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe 2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe 2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe 2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ((((((((((((((((((((((((((((( SnapShot@2010-12-15_11.54.38 ))))))))))))))))))))))))))))))))))))))))) . + 2008-07-11 16:04 . 2010-11-03 13:12 46080 f:\windows\system32\tzchange.exe - 2008-07-11 16:04 . 2010-06-21 14:46 46080 f:\windows\system32\tzchange.exe + 2009-09-21 14:25 . 2009-05-26 11:40 17272 f:\windows\system32\spmsg.dll - 2009-09-21 14:25 . 2007-11-30 05:39 17272 f:\windows\system32\spmsg.dll + 2006-02-28 12:00 . 2010-11-06 00:26 66560 f:\windows\system32\mshtmled.dll - 2006-02-28 12:00 . 2010-09-10 05:58 66560 f:\windows\system32\mshtmled.dll - 2009-03-08 03:31 . 2010-09-10 05:58 55296 f:\windows\system32\msfeedsbs.dll + 2009-03-08 03:31 . 2010-11-06 00:26 55296 f:\windows\system32\msfeedsbs.dll - 2006-02-28 12:00 . 
2010-09-10 05:58 25600 f:\windows\system32\jsproxy.dll + 2006-02-28 12:00 . 2010-11-06 00:26 25600 f:\windows\system32\jsproxy.dll + 2009-09-14 17:31 . 2010-11-06 00:26 12800 f:\windows\system32\dllcache\xpshims.dll - 2009-09-14 17:31 . 2010-09-10 05:58 12800 f:\windows\system32\dllcache\xpshims.dll + 2009-03-08 03:31 . 2010-11-06 00:26 66560 f:\windows\system32\dllcache\mshtmled.dll - 2009-03-08 03:31 . 2010-09-10 05:58 66560 f:\windows\system32\dllcache\mshtmled.dll + 2009-09-14 17:31 . 2010-11-06 00:26 55296 f:\windows\system32\dllcache\msfeedsbs.dll - 2009-09-14 17:31 . 2010-09-10 05:58 55296 f:\windows\system32\dllcache\msfeedsbs.dll + 2009-03-08 03:34 . 2010-11-06 00:26 43520 f:\windows\system32\dllcache\licmgr10.dll - 2009-03-08 03:34 . 2010-09-10 05:58 43520 f:\windows\system32\dllcache\licmgr10.dll - 2009-03-08 03:33 . 2010-09-10 05:58 25600 f:\windows\system32\dllcache\jsproxy.dll + 2009-03-08 03:33 . 2010-11-06 00:26 25600 f:\windows\system32\dllcache\jsproxy.dll + 2010-11-16 12:36 . 2010-12-16 18:27 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe + 2010-11-16 12:36 . 2010-12-16 18:27 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe + 2010-11-16 12:36 . 2010-12-16 18:27 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe + 2010-02-28 02:22 . 2010-02-28 02:22 48504 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBTRAP.DLL + 2010-12-16 18:27 . 2010-09-10 05:58 12800 f:\windows\ie8updates\KB2416400-IE8\xpshims.dll + 2010-12-16 18:27 . 
2010-09-10 05:58 66560 f:\windows\ie8updates\KB2416400-IE8\mshtmled.dll + 2010-12-16 18:27 . 2010-09-10 05:58 55296 f:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll + 2010-12-16 18:27 . 2010-09-10 05:58 43520 f:\windows\ie8updates\KB2416400-IE8\licmgr10.dll + 2010-12-16 18:27 . 2010-09-10 05:58 25600 f:\windows\ie8updates\KB2416400-IE8\jsproxy.dll - 2006-02-28 12:00 . 2010-09-10 05:58 206848 f:\windows\system32\occache.dll + 2006-02-28 12:00 . 2010-11-06 00:26 206848 f:\windows\system32\occache.dll - 2006-02-28 12:00 . 2010-09-10 05:58 611840 f:\windows\system32\mstime.dll + 2006-02-28 12:00 . 2010-11-06 00:26 611840 f:\windows\system32\mstime.dll + 2009-03-08 03:32 . 2010-11-06 00:26 602112 f:\windows\system32\msfeeds.dll - 2009-03-08 03:32 . 2010-09-10 05:58 602112 f:\windows\system32\msfeeds.dll - 2006-02-28 12:00 . 2010-09-10 05:58 184320 f:\windows\system32\iepeers.dll + 2006-02-28 12:00 . 2010-11-06 00:26 184320 f:\windows\system32\iepeers.dll + 2006-02-28 12:00 . 2010-11-06 00:26 387584 f:\windows\system32\iedkcs32.dll - 2006-02-28 12:00 . 2010-09-10 05:58 387584 f:\windows\system32\iedkcs32.dll + 2006-02-28 12:00 . 2010-11-03 12:26 173568 f:\windows\system32\ie4uinit.exe + 2003-02-07 17:59 . 2010-12-16 18:38 396752 f:\windows\system32\FNTCACHE.DAT - 2003-02-07 17:59 . 2010-12-15 07:20 396752 f:\windows\system32\FNTCACHE.DAT - 2009-06-26 16:50 . 2010-09-10 05:58 916480 f:\windows\system32\dllcache\wininet.dll + 2009-06-26 16:50 . 2010-11-06 00:26 916480 f:\windows\system32\dllcache\wininet.dll - 2009-03-08 03:34 . 2010-09-10 05:58 206848 f:\windows\system32\dllcache\occache.dll + 2009-03-08 03:34 . 2010-11-06 00:26 206848 f:\windows\system32\dllcache\occache.dll + 2009-03-08 03:32 . 2010-11-06 00:26 611840 f:\windows\system32\dllcache\mstime.dll - 2009-03-08 03:32 . 2010-09-10 05:58 611840 f:\windows\system32\dllcache\mstime.dll - 2009-09-14 17:31 . 2010-09-10 05:58 602112 f:\windows\system32\dllcache\msfeeds.dll + 2009-09-14 17:31 . 
2010-11-06 00:26 602112 f:\windows\system32\dllcache\msfeeds.dll + 2009-09-14 17:31 . 2010-11-06 00:26 247808 f:\windows\system32\dllcache\ieproxy.dll - 2009-09-14 17:31 . 2010-09-10 05:58 247808 f:\windows\system32\dllcache\ieproxy.dll - 2009-03-08 03:31 . 2010-09-10 05:58 184320 f:\windows\system32\dllcache\iepeers.dll + 2009-03-08 03:31 . 2010-11-06 00:26 184320 f:\windows\system32\dllcache\iepeers.dll - 2010-06-11 12:45 . 2010-09-10 05:58 743424 f:\windows\system32\dllcache\iedvtool.dll + 2010-06-11 12:45 . 2010-11-06 00:26 743424 f:\windows\system32\dllcache\iedvtool.dll - 2009-03-08 13:09 . 2010-09-10 05:58 387584 f:\windows\system32\dllcache\iedkcs32.dll + 2009-03-08 13:09 . 2010-11-06 00:26 387584 f:\windows\system32\dllcache\iedkcs32.dll + 2009-03-08 03:32 . 2010-11-03 12:26 173568 f:\windows\system32\dllcache\ie4uinit.exe + 2010-04-20 05:30 . 2010-10-28 13:13 290048 f:\windows\system32\dllcache\atmfd.dll + 2010-07-22 02:43 . 2010-07-22 02:43 257024 f:\windows\Installer\68d44b4.msp + 2010-12-09 11:39 . 2010-12-09 11:39 720896 f:\windows\Installer\68d4493.msp - 2010-11-16 12:36 . 2010-11-16 13:22 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe + 2010-11-16 12:36 . 2010-12-16 18:27 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe + 2010-11-16 12:36 . 2010-12-16 18:27 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe + 2010-11-16 12:36 . 2010-12-16 18:27 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe - 2010-11-16 12:36 . 2010-11-16 13:22 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe - 2010-11-16 12:36 . 2010-11-16 13:22 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe + 2010-11-16 12:36 . 
2010-12-16 18:27 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe + 2010-11-16 12:36 . 2010-12-16 18:27 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe + 2010-11-16 12:36 . 2010-12-16 18:27 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe + 2010-03-01 04:56 . 2010-03-01 04:56 604024 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBCONV.DLL + 2010-01-09 21:50 . 2010-01-09 21:50 119160 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSCONV97.DLL + 2010-03-01 04:56 . 2010-03-01 04:56 457104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MORPH9.DLL + 2010-12-16 18:27 . 2010-09-10 05:58 916480 f:\windows\ie8updates\KB2416400-IE8\wininet.dll + 2010-12-16 18:27 . 2010-07-05 13:16 382840 f:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll + 2010-12-16 18:27 . 2010-02-22 14:23 231288 f:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe + 2010-12-16 18:27 . 2010-09-10 05:58 206848 f:\windows\ie8updates\KB2416400-IE8\occache.dll + 2010-12-16 18:27 . 2010-09-10 05:58 611840 f:\windows\ie8updates\KB2416400-IE8\mstime.dll + 2010-12-16 18:27 . 2010-09-10 05:58 602112 f:\windows\ie8updates\KB2416400-IE8\msfeeds.dll + 2010-12-16 18:27 . 2010-09-10 05:58 247808 f:\windows\ie8updates\KB2416400-IE8\ieproxy.dll + 2010-12-16 18:27 . 2010-09-10 05:58 184320 f:\windows\ie8updates\KB2416400-IE8\iepeers.dll + 2010-12-16 18:27 . 2010-09-10 05:58 743424 f:\windows\ie8updates\KB2416400-IE8\iedvtool.dll + 2010-12-16 18:27 . 2010-09-10 05:58 387584 f:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll + 2010-12-16 18:27 . 
2010-08-26 12:22 173056 f:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe + 2006-02-28 12:00 . 2010-11-06 00:26 1210880 f:\windows\system32\urlmon.dll - 2006-02-28 12:00 . 2010-09-10 05:58 1210880 f:\windows\system32\urlmon.dll + 2006-02-28 12:00 . 2010-11-06 00:26 5959168 f:\windows\system32\mshtml.dll + 2009-03-08 03:32 . 2010-11-06 00:26 1991680 f:\windows\system32\iertutil.dll + 2009-04-17 12:26 . 2010-10-26 13:25 1853312 f:\windows\system32\dllcache\win32k.sys + 2009-06-26 16:50 . 2010-11-06 00:26 1210880 f:\windows\system32\dllcache\urlmon.dll - 2009-06-26 16:50 . 2010-09-10 05:58 1210880 f:\windows\system32\dllcache\urlmon.dll + 2009-07-18 16:05 . 2010-11-06 00:26 5959168 f:\windows\system32\dllcache\mshtml.dll + 2009-09-14 17:31 . 2010-11-06 00:26 1991680 f:\windows\system32\dllcache\iertutil.dll + 2010-10-08 22:12 . 2010-10-08 22:12 8354304 f:\windows\Installer\68d445e.msp + 2010-11-19 13:34 . 2010-11-19 13:34 3459584 f:\windows\Installer\68d443c.msp + 2010-11-11 12:54 . 2010-11-11 12:54 1002496 f:\windows\Installer\68d441b.msp + 2010-11-11 12:54 . 2010-11-11 12:54 1121792 f:\windows\Installer\68d441a.msp + 2010-11-11 12:54 . 2010-11-11 12:54 1310720 f:\windows\Installer\68d4419.msp - 2010-11-16 12:36 . 2010-11-16 13:22 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe + 2010-11-16 12:36 . 2010-12-16 18:27 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe - 2010-11-16 12:36 . 2010-11-16 13:22 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe + 2010-11-16 12:36 . 2010-12-16 18:27 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe - 2010-11-16 12:36 . 2010-11-16 13:22 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe + 2010-11-16 12:36 . 2010-12-16 18:27 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe - 2010-11-16 12:36 . 
2010-11-16 13:22 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe + 2010-11-16 12:36 . 2010-12-16 18:27 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe + 2010-03-01 05:20 . 2010-03-01 05:20 2323840 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKWORD.DLL + 2010-03-01 05:20 . 2010-03-01 05:20 2102656 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKPOWERPOINT.DLL + 2010-03-01 05:20 . 2010-03-01 05:20 3355008 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKEXCEL.DLL + 2010-12-16 18:27 . 2010-09-10 05:58 1210880 f:\windows\ie8updates\KB2416400-IE8\urlmon.dll + 2010-12-16 18:27 . 2010-09-10 05:58 5957120 f:\windows\ie8updates\KB2416400-IE8\mshtml.dll + 2010-12-16 18:27 . 2010-09-10 05:58 1986560 f:\windows\ie8updates\KB2416400-IE8\iertutil.dll + 2005-05-31 22:17 . 2010-12-16 18:23 37366216 f:\windows\system32\MRT.exe + 2009-03-08 03:39 . 2010-11-06 00:26 11080704 f:\windows\system32\ieframe.dll + 2009-07-19 17:48 . 2010-11-06 00:26 11080704 f:\windows\system32\dllcache\ieframe.dll + 2010-11-11 12:52 . 2010-11-11 12:52 13486592 f:\windows\Installer\68d4481.msp + 2010-03-01 04:56 . 2010-03-01 04:56 10272104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSPUB.EXE + 2010-12-16 18:27 . 2010-09-10 05:58 11080192 f:\windows\ie8updates\KB2416400-IE8\ieframe.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2] @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}" [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}] 2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3] @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}" [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}] 2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744] "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424] "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888] "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" 
[2008-04-14 15360] f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\ OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWinKeys"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMHelp"= 01000000 "NoRecentDocsNetHood"= 01000000 "NoSMMyDocs"= 01000000 "NoSMMyPictures"= 00000000 "NoNetworkConnections"= 01000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" "WService"=WService.EXE [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe "InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR "nwiz"=nwiz.exe /install "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe" "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664] R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080] R0 pssnap;Paramount Software 
Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328] R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240] R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144] R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808] R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112] R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728] S0 Lbd;Lbd; [x] S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384] S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?] 
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808] S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904] S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192] S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456] S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192] S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525] S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000] S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112] S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896] S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512] S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256] S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896] S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048] S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504] S4 F-Secure 
Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264] S4 NProtectService;Norton Unerase Protection; [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 WINRM REG_MULTI_SZ WINRM [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder 2010-12-16 f:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21] 2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48] 2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48] 2010-12-16 f:\windows\Tasks\WGASetup.job - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18] . . ------- Supplementary Scan ------- . 
uStart Page = about:blank uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000 IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105 IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL DPF: DirectAnimation Java Classes DPF: Microsoft XML Parser for Java FF - ProfilePath - . . ------- File Associations ------- . txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1" . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-16 18:58 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*] "Licence0"="04F0D21-79D8-7A25-D702-433F" [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf] @DACL=(02 0000) . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(752) f:\windows\system32\Ati2evxx.dll c:\program files\f-secure\hips\fshook32.dll - - - - - - - > 'lsass.exe'(808) c:\program files\f-secure\hips\fshook32.dll - - - - - - - > 'explorer.exe'(2076) f:\windows\system32\WININET.dll c:\program files\Logitech\MouseWare\System\LgWndHk.dll c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll c:\program files\MozyHome\mozyshell.dll c:\program files\MozyHome\LIBEAY32.dll c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll f:\windows\system32\msi.dll f:\windows\system32\ieframe.dll f:\windows\system32\webcheck.dll f:\windows\system32\WPDShServiceObj.dll f:\windows\system32\PortableDeviceTypes.dll f:\windows\system32\PortableDeviceApi.dll f:\windows\System32\netshell.dll . Completion time: 2010-12-16 19:00:22 ComboFix-quarantined-files.txt 2010-12-16 19:00 ComboFix2.txt 2010-12-15 11:58 Pre-Run: 55,118,704,640 bytes free Post-Run: 55,101,149,184 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS - - End Of File - - B80A44C72052C7E20FCEC3FBD1A36E21
  10. Maniac, after posting the above I went for lunch and found that Scotty, the WinPatrol Windows Watchdog, had popped up a message (jpeg in the attachment). I clicked No.

Run a DLL as an App
F:windows\system32\rundll32.exe f:\windows\system\ieframe.dll,OpenURL %|
A change was made to use the following program for this file type
Run a DLL as an App
rundll32.exe ieframe.OpenURL ?%|

While writing this the message has appeared again, and again I clicked No. Scotty also created another message after ComboFix rebooted [unfortunately I lacked the presence of mind to grab a screen print, and this comes from quick notes; ??? marks where I cannot read my handwriting]. I clicked Yes, as this was immediately after the reboot.

Change to the file type
ObjectDelayLoad system32/stobject.dll 5.1.2600 5512 ??? ???? accept host

Best, John
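The WinPatrol alert quoted above is about a file-type "open" handler being switched to a rundll32 invocation. An added example follows; it is not code from the post, from WinPatrol or from ComboFix. It takes shell open commands (the kind exported from HKCR\<progid>\shell\open\command) and flags rundll32 handlers whose DLL is either unqualified, so that it is resolved through the DLL search order, or located outside the Windows system32 directory. The sample commands are constructed from the two alerts in the post (with %l as rundll32's URL placeholder) plus the stock XP handler and the txtfile handler from the log; the verdict names and the C:\Windows fallback are assumptions of this example.

```python
import ntpath
import re

# Matches a shell "open" command of the rundll32 form
#   [<path>\]rundll32[.exe] <dll>,<entrypoint> [args]
# with optional quoting around the executable and the DLL.
RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\w+)',
    re.IGNORECASE,
)

# Assumed fallback when the command does not reveal the Windows directory.
DEFAULT_SYSTEM_ROOT = r"C:\Windows"


def classify_handler(command, system_root=None):
    """Return (verdict, reason) for one file-type handler command.

    verdict is "n/a" (not a rundll32 handler), "ok" (rundll32 loads a DLL
    from the expected system32 directory) or "review" (the DLL name is
    unqualified, so it is resolved via the DLL search order, or the DLL
    lives outside system32).
    """
    m = RUNDLL_RE.match(command)
    if not m:
        return "n/a", "not a rundll32 handler"
    exe, dll, entry = m.group("exe"), m.group("dll"), m.group("entry")
    # Prefer the Windows directory implied by an absolute rundll32 path
    # (the machine in the thread has Windows on F:, not C:).
    if system_root is None:
        system_root = (ntpath.dirname(ntpath.dirname(exe))
                       if ntpath.isabs(exe) else DEFAULT_SYSTEM_ROOT)
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    dll_dir = ntpath.normcase(ntpath.dirname(ntpath.normpath(dll)))
    if not dll_dir:
        return "review", f"{dll} is unqualified; resolved via DLL search order"
    if dll_dir != expected_dir:
        return "review", f"{dll},{entry} loaded from {dll_dir}, expected {expected_dir}"
    return "ok", f"{dll},{entry} under {expected_dir}"


def audit(handlers, system_root=None):
    """Run classify_handler over {progid: command}; return entries to review."""
    findings = []
    for progid, command in handlers.items():
        verdict, reason = classify_handler(command, system_root)
        if verdict == "review":
            findings.append((progid, reason))
    return findings


# Constructed sample: the two alerts from the post, the stock XP
# InternetShortcut handler, and the txtfile association from the log.
SAMPLE_HANDLERS = {
    "InternetShortcut (alert 1)":
        r"F:\windows\system32\rundll32.exe f:\windows\system\ieframe.dll,OpenURL %l",
    "InternetShortcut (alert 2)":
        r"rundll32.exe ieframe.dll,OpenURL %l",
    "InternetShortcut (stock XP)":
        r'"F:\WINDOWS\system32\rundll32.exe" "F:\WINDOWS\system32\ieframe.dll",OpenURL %l',
    "txtfile":
        r'"c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"',
}

if __name__ == "__main__":
    for progid, reason in audit(SAMPLE_HANDLERS):
        print(f"REVIEW {progid}: {reason}")
```

The point of the check is not that `rundll32 ieframe.dll,OpenURL` is itself bad: that is the stock handler for Internet shortcuts. What matters is where the DLL comes from. The first alert names f:\windows\system rather than f:\windows\system32, and the second gives a bare name that the loader resolves by search order, so both are worth a look before accepting the change.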
  11. Maniac, two issues: unloading F-Secure gives two options, either to leave the firewall on or to allow all traffic. I did the former. Related to this, ComboFix noted the PC did not have the Recovery Console installed. It was not able to install it. The log is below. Best, John

ComboFix 10-12-14.05 - Administrator 15/12/2010 11:45:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1433 [GMT 0:00]
Running from: l:\d\Combo-Fix.exe
AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
f:\windows\system\Color
f:\windows\system\Color\DivioCAM.icm
f:\windows\system32\42KJE738.ocx
f:\windows\system32\ccrpTmr6.dll
f:\windows\system32\win.ini
f:\windows\system32\wservice.exe
f:\windows\twain_16.dll
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository
2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp
2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft
2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData
2010-12-12 07:42 . 
2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX 2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler 2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc 2010-11-30 12:22 . 2010-12-15 11:25 -------- d-----w- c:\program files\Everything 2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128 2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA% 2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs 2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Synchronization Services 2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition 2010-11-16 13:47 . 2010-11-16 16:44 -------- d-----w- c:\program files\Classic Menu for Office 2010 2010-11-16 13:19 . 2010-11-16 13:19 -------- d-----r- F:\MSOCache 2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- f:\documents and settings\All Users\Microsoft 2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- c:\program files\Microsoft Sync Framework 2010-11-16 12:30 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8 2010-11-16 12:29 . 2010-11-16 12:29 -------- d-----w- c:\program files\Microsoft Analysis Services . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys 2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys 2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec 2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll 2010-10-13 10:55 . 
2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe 2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe 2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys 2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys 2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys 2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll 2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe 2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe 2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe 2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe 2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe 2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe 2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe 2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2] @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}" [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}] 2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3] @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}" [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}] 2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744] "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424] "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888] "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736] "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" 
[2008-04-14 15360] f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\ OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWinKeys"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMHelp"= 01000000 "NoRecentDocsNetHood"= 01000000 "NoSMMyDocs"= 01000000 "NoSMMyPictures"= 00000000 "NoNetworkConnections"= 01000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" "WService"=WService.EXE [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe "InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR "nwiz"=nwiz.exe /install "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe" "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 41624] R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080] R0 pssnap;Paramount Software 
Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328] R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240] R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144] R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808] R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112] R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728] R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016] S0 Lbd;Lbd; [x] S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384] S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?] 
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808] S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904] S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192] S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192] S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525] S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000] S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112] S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896] S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512] S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256] S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896] S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048] S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856] 
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264] S4 NProtectService;Norton Unerase Protection; [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 WINRM REG_MULTI_SZ WINRM [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}] 2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder 2010-12-15 f:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21] 2010-12-14 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48] 2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48] 2010-12-15 f:\windows\Tasks\WGASetup.job - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18] . . ------- Supplementary Scan ------- . 
uStart Page = about:blank uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000 IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105 IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL DPF: DirectAnimation Java Classes DPF: Microsoft XML Parser for Java FF - ProfilePath - . . ------- File Associations ------- . txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1" . - - - - ORPHANS REMOVED - - - - BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file) Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file) WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file) AddRemove-SiS7018 - c:\progra~1\SiS7018\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7018 AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-15 11:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*] "Licence0"="04F0D21-79D8-7A25-D702-433F" [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf] @DACL=(02 0000) . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(756) f:\windows\system32\Ati2evxx.dll c:\program files\f-secure\hips\fshook32.dll - - - - - - - > 'lsass.exe'(812) c:\program files\f-secure\hips\fshook32.dll - - - - - - - > 'explorer.exe'(3992) f:\windows\system32\WININET.dll c:\program files\f-secure\hips\fshook32.dll c:\program files\Logitech\MouseWare\System\LgWndHk.dll c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll c:\program files\MozyHome\mozyshell.dll c:\program files\MozyHome\LIBEAY32.dll c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll f:\windows\system32\msi.dll f:\windows\system32\ieframe.dll f:\windows\system32\webcheck.dll f:\windows\system32\WPDShServiceObj.dll f:\windows\system32\PortableDeviceTypes.dll f:\windows\system32\PortableDeviceApi.dll f:\windows\System32\netshell.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\svchost.exe c:\program files\F-Secure\Anti-Virus\fsgk32st.exe c:\program files\F-Secure\Common\FSMA32.EXE c:\program files\F-Secure\Anti-Virus\FSGK32.EXE c:\program files\F-Secure\Common\FSHDLL32.EXE c:\program files\Java\jre6\bin\jqs.exe f:\windows\system32\msiexec.exe f:\windows\system32\nvsvc32.exe f:\windows\system32\locator.exe c:\program files\F-Secure\Common\FNRB32.EXE c:\program files\F-Secure\Common\FIH32.EXE c:\program files\F-Secure\Anti-Virus\fssm32.exe c:\program files\F-Secure\FWES\Program\fsdfwd.exe c:\program files\F-Secure\Anti-Virus\fsav32.exe c:\windows\system32\wbem\wmiprvse.exe . ************************************************************************** . 
Completion time: 2010-12-15 11:58:41 - machine was rebooted ComboFix-quarantined-files.txt 2010-12-15 11:58 Pre-Run: 55,366,643,712 bytes free Post-Run: 55,221,829,632 bytes free - - End Of File - - 63E3B06BB7CEEC8BABBBE6C0EE5CEE46
  12. Thanks Maniac for your further assistance. I now have problems getting on to the internet. As soon as I attempt to update or install any AV, the internet connection gets barred not only for them but also for Firefox/Google Chrome. Attempts to use Restore to restore a previous state get an error message: terminated. However, I have found that if I do an F-Secure scan it finds Malware!Gemini and quarantines it [see log below]. Then this allows a restore to an earlier date, and this allows access to the internet. As instructed I renamed mbam.exe to firefox.exe. On rebooting (I do think this was coincidental and unrelated, but I mention it in case) there was an installation of 15 Microsoft updates. Clicking the new file still did not work, so I am unable to provide the Malwarebytes' Anti-Malware log. However, there was an error message "PROGRAM_ERROR_UPDATING(12002,0,WinHttpReceiveResponse)". Thanks for the warning about
  13. Thanks Borislav. Apologies about the attachment not containing Attach.txt. The present attach.zip contains it. F-Secure does not provide in the program interface any information about the file except size 344 KB and Platform: W32. John
  14. Malwarebytes will not download new updates. I have twice scanned with F-Secure, which on both occasions has detected and then quarantined the virus "Suspicious:W32/Malware!Gemini". I suspect the virus has crippled anti-virus programs. F-Secure updates normally, but neither Malwarebytes nor other AV programs such as Emsisoft Anti-Malware can download updates. The internet connection is otherwise functional, i.e. Firefox, Skype and downloading work. I have installed the updater mbam-rules.exe and also reinstalled Malwarebytes. I have also temporarily turned off "F-Secure DeepGuard". But to no avail. My system is XP Pro and everything else is properly updated. The system drive is F. Since Malwarebytes cannot update it has not run, and so there is no "Malwarebytes' Anti-Malware log file". I would appreciate advice and help. John
      DDS (Ver_10-12-12.02) - NTFSx86
      Run by Administrator at 3:38:39.87 on 14/12/2010
      Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1334 [GMT 0:00]
      AV: F-Secure Client Security 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
      FW: F-Secure Client Security 9.01 *Enabled*
  15. Malwarebytes will not download new updates. Last night I scanned with F-Secure, and this detected and then quarantined the virus "Suspicious:W32/Malware!Gemini". I suspect F-Secure might have removed a virus but not all the changes that it had made to cripple anti-virus programs. F-Secure updates normally, but neither Malwarebytes nor other AV programs such as Emsisoft Anti-Malware can download updates. I have installed the updater mbam-rules.exe and also completely reinstalled Malwarebytes. I have also temporarily turned off "F-Secure Deep Guard". But to no avail. My system is XP Pro and everything else is properly updated (Malwarebytes was only two days out of date). I would appreciate advice and help. John