YoKenny1 Posted February 6, 2009 ID:54100 Share Posted February 6, 2009 I just started to receive an error notification [shell_NotifyIcon] Failed to perform desired action. Error Code: 0 when MBAM resident protection is enabled and the system has been running for 10-15 minutes then the resident protection closes down. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:20:21 AM, on 2/6/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\Program Files\USB Safely Remove\USBSRService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEC:\WINDOWS\system32\CTHELPER.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\BillP Studios\WinPatrol\winpatrol.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\Program Files\Brother\Brmfcmon\BrMfcWnd.exeC:\Program Files\BellCanada\McciTrayApp.exeC:\Program Files\Brother\ControlCenter3\brccMCtl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Autorun Eater\oldmcdonald.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exeC:\Program Files\Creative\MediaSource\Go\CTCMSGo.exeC:\Program Files\HostsMan\hostssrv.exeC:\Program Files\HostsMan\hm.exeC:\Program Files\LClock\lclock.exeC:\Program Files\System Explorer\SystemExplorer.exeC:\Program Files\USB Safely Remove\USBSafelyRemove.exeC:\Program Files\MWSnap\MWSnap.exeC:\WINDOWS\system32\sistray.exeC:\Download\ClicKey.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\WINDOWS\system32\imapi.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\Autorun Eater\billy.exeC:\Program Files\CDBurnerXP\NMSAccessU.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Windows Live\installer\WLSetupSvc.exeC:\WINDOWS\system32\MsPMSPSv.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXEC:\WINDOWS\system32\svchost.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /rO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressbootO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exeO4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exeO4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUNO4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exeO4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorunO4 - HKLM\..\Run: [bellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exeO4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgentO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /minO4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCBO4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --startO4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -sO4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exeO4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /backgroundO4 - HKCU\..\Run: [systemExplorer] "C:\Program Files\System Explorer\SystemExplorer.exe" /TRAYO4 - HKCU\..\Run: [uSB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startupO4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"O4 - Startup: ClicKey.exe.lnk = C:\Download\ClicKey.exeO4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dllO9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dllO9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dllO9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO15 - Trusted Zone: http://forum.piriform.comO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230849728890O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF32688-2D3D-4400-B4AE-A32BD466845B}: NameServer = 208.67.222.222,208.67.220.220O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO23 - Service: McAfee Application Installer Cleanup (0233191230841888) (0233191230841888mcinstcleanup) - - (no file)O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exeO23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exeO23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exeO23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXEO23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exeO23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exeO23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exeO23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Unknown owner - C:\Program Files\USB Safely Remove\USBSRService.exe--End of file - 9007 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54260 Share Posted February 7, 2009 Where is the MBAM log?Why do you show RESTRICTIONS present on your system?Have you looked at the EVENT LOGS to see what errors have been logged by Windows ? Link to post Share on other sites More sharing options...
YoKenny1 Posted February 7, 2009 Author ID:54292 Share Posted February 7, 2009 Here is the log:Malwarebytes' Anti-Malware 1.33Database version: 1733Windows 5.1.2600 Service Pack 32/6/2009 7:37:08 AMmbam-log-2009-02-06 (07-37-08).txtScan type: Quick ScanObjects scanned: 46554Time elapsed: 3 minute(s), 14 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)I don't know why the RESTRICTIONS are present.There are no errors in the Application log but the System log reports a few DCOM errors but I think that is normal as this is a slow system. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54293 Share Posted February 7, 2009 Slow or not slow DCOM or any other errors are not normal. A normal system has NO errors.Please run the following. Make sure you close ALL applications and disable your Anti-Virus first. Disconnect from the Internet when you disable your AV.Please download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOGZip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.Click OK and quit the GMER program.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vista Link to post Share on other sites More sharing options...
YoKenny1 Posted February 7, 2009 Author ID:54380 Share Posted February 7, 2009 I do not know if I did this correctly? I Created a New Compressed folder on the Desktop then I disabled the anti virus, disconnected from the Internet, closed all applications, ran gmer.exe from the Desktop and did a Scan and saved the output to the Desktop then copied it into the New Compressed folder that I have attached. This system always had DCOM error ever since I got it way back in 2003 and if I remember I looked into it and as long as the DCOM service is active then it is OK. This is what I see in the System Event log:Type: ErrorDate: 2/7/2009Time: 6:00:09 AMEvent: 10005Source: DCOMCategory: NoneUser: KSP4HOME\YoKennyComputer: KSP4HOMEDescription:DCOM got error "%1055" attempting to start the service StiSvc with arguments ""in order to run the server:{A1F4E726-8CF1-11D1-BF92-0060081ED811}Type: ErrorDate: 2/7/2009Time: 6:00:09 AMEvent: 10005Source: DCOMCategory: NoneUser: \SYSTEMComputer: KSP4HOMEDescription:DCOM got error "%1055" attempting to start the service winmgmt with arguments ""in order to run the server:{8BC3F05E-D86B-11D0-A075-00C04FB68820} Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54383 Share Posted February 7, 2009 No rootkit detected. We'll work on the DCOM later on.Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
YoKenny1 Posted February 8, 2009 Author ID:54565 Share Posted February 8, 2009 Here is ComboFix.txtComboFix 09-02-06.04 - YoKenny 2009-02-07 20:49:17.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.214 [GMT -5:00]Running from: c:\documents and settings\YoKenny\Desktop\ComboFix.exeAV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) * Created a new restore point.((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))))).2009-02-07 11:04 . 2009-02-07 11:04 <DIR> d--hs---- c:\documents and settings\YoKenny\IECompatCache2009-02-07 11:03 . 2009-02-07 11:03 <DIR> d--hs---- c:\documents and settings\YoKenny\PrivacIE2009-02-07 11:02 . 2009-02-07 11:02 <DIR> d--hs---- c:\documents and settings\YoKenny\IETldCache2009-02-07 10:14 . 2009-02-07 10:14 <DIR> d-------- c:\windows\ie8updates2009-02-07 10:13 . 2009-02-07 10:13 1,355 --a------ c:\windows\imsins.BAK2009-02-07 10:11 . 2009-02-07 10:13 <DIR> d--h-c--- c:\windows\ie82009-02-07 10:08 . 2009-01-11 00:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll2009-02-07 07:01 . 2009-02-07 20:47 4,958,588 --a------ c:\windows\{00000000-00000000-0000000A-00001102-00000008-10011102}.BAK2009-02-07 05:46 . 2009-02-07 06:12 250 --a------ c:\windows\gmer.ini2009-02-06 10:41 . 2009-02-06 10:41 <DIR> dr------- c:\documents and settings\YoKenny\Application Data\Brother2009-02-05 21:23 . 2009-02-05 21:23 <DIR> d-------- c:\documents and settings\YoKenny\Application Data\Avira2009-02-05 15:34 . 2009-02-05 15:34 <DIR> d-------- c:\program files\Avira2009-02-05 15:34 . 2009-02-05 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira2009-02-05 13:27 . 2009-02-05 13:27 230,776 --a------ C:\aswclear.exe2009-02-04 09:57 . 2009-02-04 09:57 <DIR> d-------- c:\program files\FLVPlayer4Free2009-02-04 09:57 . 2009-02-04 09:58 <DIR> d-------- c:\documents and settings\YoKenny\Application Data\FLVPlayer4Free2009-02-03 17:33 . 2009-02-07 20:28 <DIR> d-------- c:\program files\Autorun Eater2009-02-03 08:28 . 2009-02-03 08:27 73,728 --a------ c:\windows\system32\javacpl.cpl2009-01-31 13:42 . 2009-01-31 13:40 93,362 --a------ c:\windows\VGAsetup.ini2009-01-31 13:41 . 2009-01-31 13:41 <DIR> d-------- c:\windows\SIS2009-01-31 13:41 . 2009-01-31 13:41 <DIR> d-------- c:\program files\sisagp2009-01-31 13:41 . 2009-01-31 13:42 <DIR> d-------- c:\program files\SiS VGA Utilities V3.852009-01-31 13:41 . 2008-06-27 14:54 262,144 --a------ c:\windows\system32\sistray.exe2009-01-31 13:41 . 2009-01-31 13:40 208,896 --a------ c:\windows\Progress.exe2009-01-31 13:41 . 2009-01-31 13:40 135,168 --------- c:\windows\system32\SiSApCom.dll2009-01-31 13:41 . 2009-01-31 13:40 110,592 --------- c:\windows\system32\TVMode.dll2009-01-31 13:41 . 2009-01-31 13:40 65,536 --------- c:\windows\system32\SiSHook.dll2009-01-31 13:41 . 2009-01-31 13:40 53,248 --a------ c:\windows\system32\SiSPower.dll2009-01-31 13:40 . 2009-01-31 13:42 79,872 --a------ c:\windows\system32\VGAunistlog.ini2009-01-29 17:46 . 2009-01-29 17:46 <DIR> d-------- c:\documents and settings\YoKenny\Application Data\Ashampoo2009-01-29 17:41 . 2009-01-29 17:41 <DIR> d-------- c:\program files\Ashampoo2009-01-29 11:11 . 2009-01-29 11:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\ashampoo2009-01-29 09:12 . 2009-01-29 09:12 <DIR> d-------- c:\program files\MWSnap2009-01-26 10:44 . 2009-01-26 10:44 <DIR> d-------- c:\program files\CDBurnerXP2009-01-26 10:44 . 2009-01-26 10:44 <DIR> d-------- c:\documents and settings\YoKenny\Application Data\Canneverbe_Limited2009-01-26 10:38 . 2009-01-26 11:10 <DIR> d-------- c:\program files\NCH Software2009-01-26 10:38 . 2009-01-26 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound2009-01-26 10:38 . 2009-01-26 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software2009-01-24 02:03 . 2009-01-24 02:03 <DIR> d-------- c:\program files\USB Safely Remove2009-01-24 02:03 . 2009-01-24 02:03 <DIR> d-------- c:\documents and settings\YoKenny\Application Data\USBSafelyRemove2009-01-24 02:03 . 2009-01-24 02:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\USBSRService2009-01-22 04:18 . 2009-01-22 04:18 <DIR> d-------- c:\program files\Microsoft USB Flash Drive Manager2009-01-19 09:15 . 2009-01-19 09:15 <DIR> d-------- c:\program files\Windows Update Remover2009-01-19 09:15 . 2007-05-09 01:10 237,552 --a------ c:\windows\system32\tpuninst.exe2009-01-16 16:58 . 2009-01-16 16:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-01-16 16:58 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-01-16 16:58 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-01-15 02:22 . 2009-01-15 02:22 49,152 --------- c:\windows\system32\msrating.dll.mui2009-01-15 02:21 . 2009-01-15 02:21 2,560 --------- c:\windows\system32\mshta.exe.mui2009-01-15 02:19 . 2009-01-15 02:19 81,920 --------- c:\windows\system32\iedkcs32.dll.mui2009-01-15 02:19 . 2009-01-15 02:19 4,096 --------- c:\windows\system32\ie4uinit.exe.mui2009-01-13 04:43 . 2009-01-13 04:44 <DIR> d-------- c:\windows\system32\NtmsData2009-01-09 06:34 . 2009-01-31 13:15 <DIR> d-------- c:\documents and settings\YoKenny\Tracing2009-01-09 06:31 . 2009-01-09 08:59 <DIR> d-------- c:\windows\SxsCaPendDel2009-01-09 06:31 . 2009-01-09 06:31 <DIR> d-------- c:\program files\Microsoft2009-01-09 06:30 . 2009-01-09 06:30 <DIR> d-------- c:\program files\Windows Live SkyDrive2009-01-09 06:25 . 2009-01-09 06:25 <DIR> d-------- c:\program files\Common Files\Windows Live.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-07 16:11 --------- d-----w c:\program files\IEPro2009-02-06 12:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore2009-02-05 19:41 92,672 ----a-w c:\windows\system32\wlnotify.dll2009-02-05 11:51 --------- d-----w c:\program files\Defraggler2009-02-03 13:27 410,984 ----a-w c:\windows\system32\deploytk.dll2009-02-01 11:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-02-01 11:42 --------- d-----w c:\program files\SpywareBlaster2009-01-31 18:56 --------- d-----w c:\program files\SpeedFan2009-01-31 18:42 --------- d--h--w c:\program files\InstallShield Installation Information2009-01-21 15:49 --------- d-----w c:\program files\AutoMz2009-01-16 21:58 --------- d-----w c:\documents and settings\YoKenny\Application Data\Malwarebytes2009-01-16 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes2009-01-15 07:05 911,872 ----a-w c:\windows\system32\wininet.dll2009-01-15 07:05 43,008 ----a-w c:\windows\system32\licmgr10.dll2009-01-15 07:04 18,944 ----a-w c:\windows\system32\corpol.dll2009-01-15 07:03 72,704 ----a-w c:\windows\system32\admparse.dll2009-01-15 07:03 71,680 ----a-w c:\windows\system32\iesetup.dll2009-01-15 07:03 420,352 ----a-w c:\windows\system32\vbscript.dll2009-01-15 07:01 34,304 ----a-w c:\windows\system32\imgutil.dll2009-01-15 07:00 48,128 ----a-w c:\windows\system32\mshtmler.dll2009-01-15 07:00 45,568 ----a-w c:\windows\system32\mshta.exe2009-01-15 06:50 156,160 ----a-w c:\windows\system32\msls31.dll2009-01-14 11:51 --------- d-----w c:\program files\BellCanada2009-01-14 11:51 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller2009-01-13 10:31 25,992 ----a-w c:\windows\system32\pgdfgsvc.exe2009-01-13 09:49 --------- d-----w c:\program files\LClock2009-01-11 12:52 --------- d-----w c:\program files\Windows Desktop Search2009-01-09 14:01 --------- d-----w c:\program files\McAfee2009-01-09 13:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee2009-01-09 11:30 --------- d-----w c:\program files\Windows Live2009-01-07 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Motive2009-01-07 03:22 --------- d-----w c:\program files\Resource Kit2009-01-07 00:31 --------- d-----w c:\documents and settings\YoKenny\Application Data\Motive2009-01-06 20:46 --------- d-----w c:\program files\Common Files\Motive2009-01-06 11:13 --------- d-----w c:\documents and settings\YoKenny\Application Data\Foxit2009-01-06 11:12 --------- d-----w c:\program files\Foxit Software2009-01-05 20:55 --------- d-----w c:\documents and settings\YoKenny\Application Data\ScanSoft2009-01-05 20:34 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore2009-01-05 12:35 --------- d-----w c:\program files\OE-QuoteFix2009-01-04 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\SystemExplorer2009-01-04 19:25 --------- d-----w c:\program files\System Explorer2009-01-04 18:45 --------- d-----w c:\program files\TweakNow WinSecret2009-01-04 18:45 --------- d-----w c:\documents and settings\YoKenny\Application Data\TweakNow WinSecret2009-01-04 18:37 --------- d-----w c:\program files\xp-AntiSpy2009-01-04 01:46 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller2009-01-04 01:42 --------- d-----w c:\program files\filehippo.com2009-01-04 01:30 --------- d-----w c:\program files\Java2009-01-03 19:27 --------- d-----w c:\documents and settings\YoKenny\Application Data\IEPro2009-01-03 17:21 --------- d-----w c:\program files\Common Files\InstallShield2009-01-03 17:21 --------- d-----w c:\program files\Brother2009-01-03 17:16 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield2009-01-03 17:15 --------- d-----w c:\program files\ScanSoft2009-01-03 17:15 --------- d-----w c:\program files\Common Files\ScanSoft Shared2009-01-03 17:15 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft2009-01-03 17:13 --------- d-----w c:\documents and settings\All Users\Application Data\Brother2009-01-03 14:15 --------- d-----w c:\program files\BillP Studios2009-01-03 14:15 --------- d-----w c:\documents and settings\YoKenny\Application Data\WinPatrol2009-01-02 10:58 --------- d-----w c:\program files\RogueRemover FREE2009-01-01 23:08 --------- d-----w c:\program files\Trend Micro2009-01-01 22:57 --------- d-----w c:\documents and settings\YoKenny\Application Data\Windows Search2009-01-01 22:55 --------- d-----w c:\program files\Microsoft Silverlight2009-01-01 22:53 --------- d-----w c:\program files\Windows Media Connect 22009-01-01 20:37 --------- d-----w c:\program files\Belarc2009-01-01 20:32 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor2009-01-01 20:31 --------- d-----w c:\program files\Common Files\McAfee2009-01-01 19:46 --------- d-----w c:\program files\CCleaner2009-01-01 19:00 --------- d-----w c:\program files\Event Log Explorer2009-01-01 18:44 --------- d-----w c:\program files\Windows Defender2009-01-01 18:39 --------- d-----w c:\program files\NT Registry Optimizer2009-01-01 18:05 --------- d-----w c:\documents and settings\YoKenny\Application Data\abelhadigital.com2009-01-01 18:03 --------- d-----w c:\program files\HostsMan2009-01-01 18:03 --------- d-----w c:\documents and settings\All Users\Application Data\abelhadigital.com2009-01-01 17:49 --------- d-----w c:\program files\UPHClean2009-01-01 16:49 --------- d-----w c:\documents and settings\YoKenny\Application Data\Creative2009-01-01 16:47 --------- d-----w c:\program files\Creative2009-01-01 16:02 --------- d-----w c:\program files\microsoft frontpage2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys2008-12-03 03:37 49,480 ----a-w c:\windows\system32\sirenacm.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2003-08-12 131072]"HostsServer"="c:\program files\HostsMan\hostssrv.exe" [2008-10-28 1830400]"HostsMan"="c:\program files\HostsMan\hm.exe" [2008-10-28 2913280]"LClock"="c:\program files\LClock\lclock.exe" [2004-09-19 65536]"filehippo.com"="c:\program files\filehippo.com\UpdateChecker.exe" [2008-12-31 146432]"SystemExplorer"="c:\program files\System Explorer\SystemExplorer.exe" [2008-08-25 1833472]"USB Safely Remove"="c:\program files\USB Safely Remove\USBSafelyRemove.exe" [2008-12-15 1100048]"MWSnap"="c:\program files\MWSnap\MWSnap.exe" [2002-07-06 427008][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]"CTDVDDET"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-02-01 337216]"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2008-12-07 1471488]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 148888]"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]"SiSPower"="SiSPower.dll" [2009-01-31 c:\windows\system32\SiSPower.dll]c:\documents and settings\YoKenny\Start Menu\Programs\Startup\ClicKey.exe.lnk - c:\download\ClicKey.exe [2009-01-02 42560]c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk - c:\windows\system32\sistray.exe [2009-01-31 262144][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoRecentDocsNetHood"= 01000000"MaxRecentDocs"= 7 (0x7)"NoTaskGrouping"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\IEPro\\MiniDM.exe"=R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2009-02-05 164097]R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [2009-02-05 258305]R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2009-02-05 41217]R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-16 170640]R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-01 206096]R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2009-01-24 208144]R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-16 15504]S2 0233191230841888mcinstcleanup;McAfee Application Installer Cleanup (0233191230841888); [x]--- Other Services/Drivers In Memory ---*Deregistered* - uphcleanhlp[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd10cca3-eac3-11dd-b3ee-0013d4081b60}]\Shell\AutoRun\command - F:\winpatrolflash.exe[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP.Contents of the 'Scheduled Tasks' folder2009-02-08 c:\windows\Tasks\MP Scheduled Scan.job- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.ca/IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dllLSP: avsda.dllTrusted Zone: piriform.com\forumTCP: {CFF32688-2D3D-4400-B4AE-A32BD466845B} = 208.67.222.222,208.67.220.220.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-07 20:50:32Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'lsass.exe'(584)c:\windows\system32\avsda.dll.Completion time: 2009-02-07 20:51:47ComboFix-quarantined-files.txt 2009-02-08 01:51:44Pre-Run: 73,312,907,264 bytes freePost-Run: 73,300,918,272 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect248 --- E O F --- 2009-02-03 13:24:26Here is HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:08:08 PM, on 2/7/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18372)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\Program Files\USB Safely Remove\USBSRService.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEC:\WINDOWS\system32\CTHELPER.EXEC:\Program Files\BillP Studios\WinPatrol\winpatrol.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\Program Files\Brother\Brmfcmon\BrMfcWnd.exeC:\Program Files\BellCanada\McciTrayApp.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Brother\ControlCenter3\brccMCtl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Autorun Eater\oldmcdonald.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exeC:\Program Files\Creative\MediaSource\Go\CTCMSGo.exeC:\Program Files\HostsMan\hostssrv.exeC:\Program Files\HostsMan\hm.exeC:\Program Files\LClock\lclock.exeC:\Program Files\System Explorer\SystemExplorer.exeC:\Program Files\USB Safely Remove\USBSafelyRemove.exeC:\Program Files\MWSnap\MWSnap.exeC:\WINDOWS\system32\sistray.exeC:\Download\ClicKey.exeC:\Program Files\Brother\Brmfcmon\BrMfcmon.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\WINDOWS\system32\imapi.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Autorun Eater\billy.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\CDBurnerXP\NMSAccessU.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Windows Live\installer\WLSetupSvc.exeC:\WINDOWS\system32\MsPMSPSv.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXEC:\WINDOWS\system32\svchost.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /rO4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressbootO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exeO4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exeO4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUNO4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exeO4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorunO4 - HKLM\..\Run: [bellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exeO4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgentO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /minO4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCBO4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --startO4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -sO4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exeO4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /backgroundO4 - HKCU\..\Run: [systemExplorer] "C:\Program Files\System Explorer\SystemExplorer.exe" /TRAYO4 - HKCU\..\Run: [uSB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startupO4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"O4 - Startup: ClicKey.exe.lnk = C:\Download\ClicKey.exeO4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dllO9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dllO9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dllO9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO15 - Trusted Zone: http://forum.piriform.comO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230849728890O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF32688-2D3D-4400-B4AE-A32BD466845B}: NameServer = 208.67.222.222,208.67.220.220O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO23 - Service: McAfee Application Installer Cleanup (0233191230841888) (0233191230841888mcinstcleanup) - - (no file)O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exeO23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exeO23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exeO23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXEO23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exeO23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exeO23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exeO23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Unknown owner - C:\Program Files\USB Safely Remove\USBSRService.exe--End of file - 9368 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 8, 2009 Root Admin ID:54660 Share Posted February 8, 2009 Please download this, then disable your current AV and run it. You can disconnect from the Internet while it's running.Download to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log. Link to post Share on other sites More sharing options...
YoKenny1 Posted February 8, 2009 Author ID:54685 Share Posted February 8, 2009 o After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listo Save the report to your desktop. The report will be called DrWeb.csv I do not get that option so it is stored in the default location so I went there and started to copy-n-paste the log but it caused IE to hang while replying here so I will do the logs in two posts.I don't know why I have to keep sending a HijackThis log as I do not change the applications loaded:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:34:51 AM, on 2/8/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18372)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\Program Files\USB Safely Remove\USBSRService.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exeC:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEC:\WINDOWS\system32\CTHELPER.EXEC:\Program Files\BillP Studios\WinPatrol\winpatrol.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\Program Files\Brother\Brmfcmon\BrMfcWnd.exeC:\Program Files\BellCanada\McciTrayApp.exeC:\Program Files\Brother\ControlCenter3\brccMCtl.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Autorun Eater\oldmcdonald.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exeC:\Program Files\Creative\MediaSource\Go\CTCMSGo.exeC:\Program Files\HostsMan\hostssrv.exeC:\Program Files\HostsMan\hm.exeC:\Program Files\LClock\lclock.exeC:\Program Files\System Explorer\SystemExplorer.exeC:\Program Files\USB Safely Remove\USBSafelyRemove.exeC:\Program Files\MWSnap\MWSnap.exeC:\WINDOWS\system32\sistray.exeC:\Download\ClicKey.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\WINDOWS\system32\imapi.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\McAfee\SiteAdvisor\McSACore.exeC:\Program Files\Common Files\Motive\McciCMService.exeC:\Program Files\CDBurnerXP\NMSAccessU.exeC:\Program Files\Autorun Eater\billy.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Windows Live\installer\WLSetupSvc.exeC:\WINDOWS\system32\MsPMSPSv.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exeC:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXEC:\Program Files\Windows Defender\MsMpEng.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /rO4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXEO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /rO4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressbootO4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -bootO4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exeO4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exeO4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUNO4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exeO4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorunO4 - HKLM\..\Run: [bellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exeO4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgentO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /minO4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCBO4 - HKCU\..\Run: [HostsServer] "C:\Program Files\HostsMan\hostssrv.exe" --startO4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -sO4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exeO4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /backgroundO4 - HKCU\..\Run: [systemExplorer] "C:\Program Files\System Explorer\SystemExplorer.exe" /TRAYO4 - HKCU\..\Run: [uSB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startupO4 - HKCU\..\Run: [MWSnap] "C:\Program Files\MWSnap\MWSnap.exe"O4 - Startup: ClicKey.exe.lnk = C:\Download\ClicKey.exeO4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dllO9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dllO9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dllO9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO15 - Trusted Zone: http://forum.piriform.comO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1230849728890O17 - HKLM\System\CCS\Services\Tcpip\..\{CFF32688-2D3D-4400-B4AE-A32BD466845B}: NameServer = 208.67.222.222,208.67.220.220O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dllO23 - Service: McAfee Application Installer Cleanup (0233191230841888) (0233191230841888mcinstcleanup) - - (no file)O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exeO23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exeO23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exeO23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXEO23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exeO23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exeO23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exeO23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Unknown owner - C:\Program Files\USB Safely Remove\USBSRService.exe--End of file - 9197 bytes Link to post Share on other sites More sharing options...
YoKenny1 Posted February 8, 2009 Author ID:54686 Share Posted February 8, 2009 I can't post the DrWeb log as it says the post is too long so I'll post the last little bit that indicates that there was no detected problem:-----------------------------------------------------------------------------Scan statistics-----------------------------------------------------------------------------Scanned: 1257Infected: 0Modifications: 0Suspicious: 0Adware: 0Dialers: 0Jokes: 0Riskware: 0Hacktools: 0Cured: 0Deleted: 0Renamed: 0Moved: 0Ignored: 0Scan speed: 2378 Kb/sScan time: 00:01:36-----------------------------------------------------------------------------=============================================================================Total session statistics=============================================================================Scanned: 1257Infected: 0Modifications: 0Suspicious: 0Adware: 0Dialers: 0Jokes: 0Riskware: 0Hacktools: 0Cured: 0Deleted: 0Renamed: 0Moved: 0Ignored: 0Scan speed: 851 Kb/sScan time: 00:04:28============================================================================= Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 8, 2009 Root Admin ID:54778 Share Posted February 8, 2009 Okay, please uninstall MBAM and then run the Dial-a-fix program. Select all features and have it run.Please download and run this program: Dial-a-fixWhen that is done then download a new copy of MBAM and re-install it and put your code in if needed and try it out and let us know if you continue to have this problem or not.Thanks. Link to post Share on other sites More sharing options...
YoKenny1 Posted February 8, 2009 Author ID:54806 Share Posted February 8, 2009 I always download Dial-a-fix and run it right away and I have un-installed MBAM then re-installed it and it seems that the failure is unpredictable and sometimes won't happen all the time the system is booted up. I don't know if this has anything to do with what I am seeing but sometimes the Taskbar develops an unusual transparency and the Desktop can be seen around the right end of the active tasks and when I go to start then Turn Off Computer the window with the 3 choices does not show up so I have to Ctrl+Alt+Del to bring up Task Manager and chose Shut Down Restart. It is no big deal and I can live with it as I am going to replace it with a Vista system at the end of this month. Thanks for your time and patience. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 9, 2009 Root Admin ID:54903 Share Posted February 9, 2009 Yeah wish I had a better answer for you but everything looks okay based on logs alone. Link to post Share on other sites More sharing options...
Recommended Posts