JFT Posted February 12, 2009 ID:55722 Share Posted February 12, 2009 as instructed, here is my hijack this log file. Since I can't get malwarebytes to work I cannot provide a logfile from that.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:05:05 PM, on 2/11/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\SYSTEM32\PRISMSVR.EXEC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PRISMSVC.EXEC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exeC:\WINDOWS\stsystra.exeC:\Program Files\Microsoft IntelliType Pro\type32.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\BroadJump\Client Foundation\CFD.exeC:\PROGRA~1\Yahoo!\YOP\yop.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Digital Line Detect\DLG.exeC:\PROGRA~1\Yahoo!\browser\ycommon.exeC:\Kodak Picture CD\Kodak EasyShare software\bin\EasyShare.exeC:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeC:\Program Files\Nikon\NkView6\NkvMon.exeC:\Program Files\Dell Wireless\PRISMCFG.exeC:\Program Files\iPod\bin\iPodService.exeC:\PROGRA~1\Yahoo!\YOP\SSDK02.exeC:\Program Files\Java\jre1.6.0_07\bin\jucheck.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-usR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localF2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\twex.exe,O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB003" /M "Stylus Photo R1800"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstallO4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exeO4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostartO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [EPSON Stylus Photo R1800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1F9.tmp" /EF "HKCU"O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')O4 - Startup: PowerReg SchedulerV2.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak Picture CD\Kodak EasyShare software\bin\EasyShare.exeO4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeO4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exeO4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cabO16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cabO16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader41.cabO16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXEO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE--End of file - 15172 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 12, 2009 Root Admin ID:55809 Share Posted February 12, 2009 STEP 1With all other applications closed (Taskbar empty), open HijackThis againand run Do a system scan only and place a check mark on the following items.F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,C:\WINDOWS\system32\twex.exe,O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostartO4 - HKCU\..\Run: [EPSON Stylus Photo R1800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\WINDOWS\TEMP\E_S1F9.tmp" /EF "HKCU"O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')O4 - Startup: PowerReg SchedulerV2.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllThen Quit All Browsers including the one you're reading this in now.Then click on Fix checked and then quit HJTSTEP 2Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
JFT Posted February 12, 2009 Author ID:55999 Share Posted February 12, 2009 Ok, I tried to install Combofix and got no where. All it tells me is "You cannot rename ComboFix as ComboFix[1]. Please use another name, preferbaly(sic) made up of alphanumeric characters."Now I have no idea what to do. Please help! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 13, 2009 Root Admin ID:56126 Share Posted February 13, 2009 Well you can attempt to run this then. If that does not work then you're going to need access to burn a CD.Download to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log. Link to post Share on other sites More sharing options...
JFT Posted February 14, 2009 Author ID:56333 Share Posted February 14, 2009 Thanks for your help so far, but now my computer is nearly completely unusuable, at least for accessing the Internet. I cannot do what you want me to do above because it will not allow me to access Malwarebytes.org for me to download the program above. When I put www.malwarebytes.org in the brower it tells me I'm not connected to the Internet when I clearly am. A google search on Dr. Web Cureit just redirects me to various sites and I cannot get to where I need to go. So, I can burn a CD using my wife's computer, which I am using to post this. Just provide instructions please....and THANKS. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 14, 2009 Root Admin ID:56334 Share Posted February 14, 2009 Avira AntiVir Rescue SystemRequires access to a working computer with a CD/DVD burner to create a bootable CD.Download the Avira AntiVir Rescue System from herePlace a blank CD in your burner and double-click on the downloaded file.The program will automatically burn the CD for you.Place the burned CD into the affected computer and start the computer from this CD.On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.Click on the Configuration button.Select Scan all filesSelect Try to repair infected files and Rename files, if they cannot be removedSelect Scan for dialersSelect Scan for joke programs (Jokes)Select Scan for gamesSelect Scan for spyware (SPR)[*]Click on Virus scanner[*]Click on Start scanner at the bottom of the screen[*]Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and WarningsThe Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.Screen resolution problemsPlease see the post here if you're unable to view the entire screen of Avira. Link to post Share on other sites More sharing options...
JFT Posted February 14, 2009 Author ID:56477 Share Posted February 14, 2009 I know i'm not computer saavy. I have a stupid question: How do I "start the computer from the CD'? Right now my computer is on and i put in the CD with the above program and my computer says it can't write to the CD because it's not empty. Well, I don't want to write to the damn CD. I want it to run. But I select run and that's what it tells me. ARGH. I tried restarting the computer with the CD in but that didn't do anything.thanks. Link to post Share on other sites More sharing options...
JFT Posted February 14, 2009 Author ID:56480 Share Posted February 14, 2009 Oh, and another thing....I am now getting the BSOD telling me I have something wrong with a device driver. I haven't changed or added anything!! Link to post Share on other sites More sharing options...
JFT Posted February 14, 2009 Author ID:56514 Share Posted February 14, 2009 I know i'm not computer saavy. I have a stupid question: How do I "start the computer from the CD'? Right now my computer is on and i put in the CD with the above program and my computer says it can't write to the CD because it's not empty. Well, I don't want to write to the damn CD. I want it to run. But I select run and that's what it tells me. ARGH. I tried restarting the computer with the CD in but that didn't do anything.thanks.ok, I think I figured out how to boot the computer from the CD, via F12 when I restart it.....BUT the CD I burned of the Avira site does not work to boot the computer. My computer says it's not a bootable device or something to that effect. Am I doing something wrong or is my computer that messed up? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 15, 2009 Root Admin ID:56613 Share Posted February 15, 2009 How OLD is the computer? Maybe the CD you burned is not good. Did you burn it with software or double-click it and let Avira burn the CD for you?Try burning a NEW CD and see if the F12 boot to CD works again. Link to post Share on other sites More sharing options...
JFT Posted February 15, 2009 Author ID:56727 Share Posted February 15, 2009 How OLD is the computer? Maybe the CD you burned is not good. Did you burn it with software or double-click it and let Avira burn the CD for you?Try burning a NEW CD and see if the F12 boot to CD works again.The computer I'm using to burn the CD I'm guessing is probably 2 years old. I've tried burning three different CDs now and the file is on there but it won't work to boot the computer. Also, I don't understand when you say "double-click it and let Avira burn the CD for you". When I go to the Avira site and select "download" I get the same dialog box that you always get when downloading a file. Showing Run, Save, or Cancel. I save it to "CD burning" then when it's downloaded I burn the CD. I cannot see anything where I can "double click it and let Avira burn the CD" for me. What am I missing? The Avira site even says "double click on the rescue system package..." but there is just the "download" button that brings up the dialog box. I'm sorry if you need to spell it out for me, I am not computer saavy.If this doesn't end up working what are my options? Right now, smashing my computer to bits sounds good. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 15, 2009 Root Admin ID:56848 Share Posted February 15, 2009 No problem. You're just not used to this is all.Yes download the file by choosing SAVE and save it to your desktop or what ever directory you normally save to. Then close the Web browser and other programs if running. Open My Computer and browse to where you saved the file you just downloaded. Make sure you have a blank CD in the drive and this time Double-click on the file you just downloaded as though you were going to install it, but it will open a dialog box to burn the CD for you. You don't use your own software to burn the CD. Link to post Share on other sites More sharing options...
JFT Posted February 16, 2009 Author ID:56903 Share Posted February 16, 2009 No problem. You're just not used to this is all.Yes download the file by choosing SAVE and save it to your desktop or what ever directory you normally save to. Then close the Web browser and other programs if running. Open My Computer and browse to where you saved the file you just downloaded. Make sure you have a blank CD in the drive and this time Double-click on the file you just downloaded as though you were going to install it, but it will open a dialog box to burn the CD for you. You don't use your own software to burn the CD.Thanks. This worked!! I can now access this website on MY computer and can also run malwarebytes and I couldn't before. Here is the log file from it.Malwarebytes' Anti-Malware 1.34Database version: 1749Windows 5.1.2600 Service Pack 32/15/2009 7:59:58 PMmbam-log-2009-02-15 (19-59-58).txtScan type: Full Scan (C:\|I:\|)Objects scanned: 190905Time elapsed: 1 hour(s), 16 minute(s), 11 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\John\Local Settings\Temp\UAC38e2.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\UACetyxuwko.dat (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\UACmotobavn.log (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\UACtgplteyn.dll (Trojan.Agent) -> Quarantined and deleted successfully.and here is the hijack this log file I just ran. See any problems? THANKS again!Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:20:54 PM, on 2/15/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\SYSTEM32\PRISMSVR.EXEC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PRISMSVC.EXEC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\STOPzilla!\STOPzilla.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\WINDOWS\stsystra.exeC:\Program Files\Microsoft IntelliType Pro\type32.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\Program Files\Dell Support\DSAgnt.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Kodak Picture CD\Kodak EasyShare software\bin\EasyShare.exeC:\Program Files\Nikon\NkView6\NkvMon.exeC:\Program Files\Dell Wireless\PRISMCFG.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Yahoo!\YOP\yop.exeC:\PROGRA~1\Yahoo!\browser\ycommon.exeC:\PROGRA~1\Yahoo!\YOP\SSDK02.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-usR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dllO2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB003" /M "Stylus Photo R1800"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstallO4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak Picture CD\Kodak EasyShare software\bin\EasyShare.exeO4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exeO4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exeO4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dllO16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CABO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cabO16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cabO16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader41.cabO16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXEO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE--End of file - 14915 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 16, 2009 Root Admin ID:56942 Share Posted February 16, 2009 Overall look okay now. A LOT of stuff running over all when done here you might want to post in the PC Help forum for assistance with reducing the amount of non required startup items.ERUNT Registry Backup and Restore for WindowsPlease download ERUNT and backup your Registry before proceeding. ERUNTWell worth this running every bootup.Download to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log. Link to post Share on other sites More sharing options...
JFT Posted February 18, 2009 Author ID:57643 Share Posted February 18, 2009 Overall look okay now. A LOT of stuff running over all when done here you might want to post in the PC Help forum for assistance with reducing the amount of non required startup items.ERUNT Registry Backup and Restore for WindowsPlease download ERUNT and backup your Registry before proceeding. ERUNTWell worth this running every bootup.Download to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.Ok, I haven't done the above but I did manage to run ComboFix as instructed earlier. Here is the log for that:ComboFix 09-02-17.02 - John 2009-02-18 18:14:53.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1380 [GMT -5:00]Running from: c:\documents and settings\John\Desktop\ComboFix.exeAV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)AV: Norton Security Online *On-access scanning disabled* (Updated)FW: Norton Security Online *disabled* * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.datc:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.datc:\windows\IE4 Error Log.txtc:\windows\system32\twain32c:\windows\system32\twain32\local.dsc:\windows\system32\twain32\user.dsc:\windows\wiaserviv.logI:\Autorun.inf----- BITS: Possible infected sites -----hxxp://download.esd.intuit.com.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Service_UACd.sys((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 ))))))))))))))))))))))))))))))).2009-02-17 22:06 . 2009-02-17 22:06 <DIR> d-------- c:\documents and settings\John\DoctorWeb2009-02-17 18:32 . 2009-02-17 18:32 <DIR> d-------- c:\program files\Avira2009-02-17 18:32 . 2009-02-17 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira2009-02-15 18:39 . 2009-02-15 18:39 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes2009-02-14 23:34 . 2009-02-14 23:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard2009-02-14 23:33 . 2009-02-14 23:33 <DIR> d-------- c:\program files\Common Files\iS32009-02-14 23:33 . 2009-02-16 18:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!2009-02-14 12:24 . 2009-02-14 12:24 <DIR> d-------- c:\windows\system32\Dell2009-02-12 21:58 . 2009-02-12 22:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-12 21:58 . 2009-02-12 21:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-12 21:58 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-12 21:58 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-11 21:04 . 2009-02-11 21:04 <DIR> d-------- c:\program files\Trend Micro2009-02-11 20:44 . 2008-07-30 17:42 23,888 --a------ c:\windows\system32\drivers\COH_Mon.sys2009-02-11 20:44 . 2008-07-30 17:28 10,537 --a------ c:\windows\system32\drivers\COH_Mon.cat2009-02-11 20:44 . 2008-07-30 17:28 706 --a------ c:\windows\system32\drivers\COH_Mon.inf2009-01-25 11:40 . 2009-01-25 11:40 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-18 23:22 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-02-18 23:22 --------- d-----w c:\program files\Common Files\Symantec Shared2009-02-18 22:50 --------- d-----w c:\program files\Spyware Doctor2009-02-18 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater2009-02-17 22:48 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak2009-02-16 23:43 --------- d-----w c:\program files\Kodak2009-02-14 17:24 --------- d-----w c:\program files\Dell2009-02-12 01:44 --------- d-----w c:\program files\Symantec2009-02-12 01:44 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec2009-02-12 01:43 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF2009-02-12 01:43 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS2009-02-12 01:43 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT2009-01-30 02:45 --------- d--h--w c:\documents and settings\John\Application Data\Move Networks2009-01-25 16:38 --------- d-----w c:\program files\Common Files\Intuit2009-01-25 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit2009-01-25 16:35 --------- d-----w c:\program files\TurboTax2009-01-07 01:09 --------- d--h--w c:\program files\InstallShield Installation Information2008-12-23 15:12 --------- d-----w c:\program files\Bonjour2008-08-11 15:48 6,048 ----a-w c:\documents and settings\John\Application Data\wklnhst.dat2007-10-31 23:36 60,968 ----a-w c:\documents and settings\John\GoToAssistDownloadHelper.exe2006-11-11 17:43 251 ----a-w c:\program files\wt3d.ini2008-09-06 11:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-09-21 127036]"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]"EPSON Stylus Photo R1800"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE" [2007-01-12 177664]"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-25 169984]"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]"osCheck"="c:\progra~1\Symantec\osCheck.exe" [2007-01-14 771704]"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-25 24576]NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-11-18 237568]Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-10-25 921704][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]2007-10-31 18:36 10792 c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]2005-12-22 20:08 450646 c:\windows\system32\PRISMAPI.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]--a------ 2005-09-29 14:01 67584 c:\windows\ehome\ehtray.exe[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Yahoo!\\browser\\ycommon.exe"="c:\\Program Files\\Yahoo!\\YOP\\yop.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"=R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-10-25 61526]R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-25 356920]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-02 99376]S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-27 33752]--- Other Services/Drivers In Memory ---*NewlyCreated* - COMHOST*Deregistered* - mchInjDrv[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]\Shell\AutoRun\command - E:\setup.exe.Contents of the 'Scheduled Tasks' folder2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]2009-02-17 c:\windows\Tasks\Norton Security Online - Run Full System Scan - John.job- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 04:09].- - - - ORPHANS REMOVED - - - -Toolbar-SITEguard - (no file)HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe.------- Supplementary Scan -------.uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uStart Page = hxxp://www.yahoo.comuInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-usuInternet Settings,ProxyOverride = *.localuSearchURL,(Default) = hxxp://www.google.com/search?q=%sDPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cabDPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-18 18:22:28Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-192812880-2319824721-1080938173-1006\Software\Microsoft\SystemCertificates\AddressBook*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode).--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(888)c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dllc:\windows\system32\PRISMAPI.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Common Files\Symantec Shared\ccSvcHst.exec:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exec:\windows\system32\PRISMSVR.exec:\program files\Avira\AntiVir PersonalEdition Classic\sched.exec:\program files\Lavasoft\Ad-Aware 2007\aawservice.exec:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Common Files\Symantec Shared\ccSvcHst.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Google\Common\Google Updater\GoogleUpdaterService.exec:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exec:\program files\Maxtor\Sync\SyncServices.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\program files\Spyware Doctor\pctsSvc.exec:\windows\ehome\mcrdsvc.exec:\program files\Canon\CAL\CALMAIN.exec:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exec:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exec:\windows\system32\dllhost.exec:\program files\iPod\bin\iPodService.exec:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXEc:\program files\Symantec\LiveUpdate\AUPDATE.EXEc:\program files\Symantec\LiveUpdate\LuCallbackProxy.exec:\windows\system32\imapi.exe.**************************************************************************.Completion time: 2009-02-18 18:26:55 - machine was rebootedComboFix-quarantined-files.txt 2009-02-18 23:26:40Pre-Run: 152,711,184,384 bytes freePost-Run: 153,686,528,000 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect226 --- E O F --- 2009-02-11 03:30:13 ________________________________________________________________________and here is the Hijack this log after running ComboFix. What's next? AND THANKS AGAIN!Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:32:02 PM, on 2/18/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\PRISMSVR.EXEC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\PRISMSVC.EXEC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exeC:\WINDOWS\stsystra.exeC:\Program Files\Microsoft IntelliType Pro\type32.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Nikon\NkView6\NkvMon.exeC:\Program Files\Dell Wireless\PRISMCFG.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-usR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB003" /M "Stylus Photo R1800"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstallO4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exeO4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CABO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cabO16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cabO16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader41.cabO16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXEO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE--End of file - 13423 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 19, 2009 Root Admin ID:57680 Share Posted February 19, 2009 That looks good overall.The logs show that you have AntiVir PersonalEdition running and Symantec AV running.You can only have one AV application at a time installed. They will conflict and cause issues with each other.Please review and remove ALL installed Anti-Virus programs except one. Keep which ever one you want and update it.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
JFT Posted February 20, 2009 Author ID:57977 Share Posted February 20, 2009 That looks good overall.The logs show that you have AntiVir PersonalEdition running and Symantec AV running.You can only have one AV application at a time installed. They will conflict and cause issues with each other.Please review and remove ALL installed Anti-Virus programs except one. Keep which ever one you want and update it.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please.mbam log:Malwarebytes' Anti-Malware 1.34Database version: 1780Windows 5.1.2600 Service Pack 32/19/2009 9:42:56 PMmbam-log-2009-02-19 (21-42-56).txtScan type: Quick ScanObjects scanned: 72277Time elapsed: 6 minute(s), 10 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
JFT Posted February 20, 2009 Author ID:57978 Share Posted February 20, 2009 Hijack this log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:49:20 PM, on 2/19/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\PRISMSVR.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeC:\Program Files\Maxtor\Sync\SyncServices.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PRISMSVC.EXEC:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exeC:\WINDOWS\System32\DLA\DLACTRLW.EXEC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Spyware Doctor\pctsAuxs.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Spyware Doctor\pctsSvc.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exeC:\WINDOWS\stsystra.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exeC:\Program Files\Microsoft IntelliType Pro\type32.exeC:\Program Files\Spyware Doctor\pctsTray.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exeC:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Dell Support\DSAgnt.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Nikon\NkView6\NkvMon.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Dell Wireless\PRISMCFG.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\ehome\mcrdsvc.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\wbem\wmiprvse.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\System32\svchost.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-usR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLLO2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXEO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O6 "USB003" /M "Stylus Photo R1800"O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstallO4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exeO4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startupO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exeO4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CABO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dllO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cabO16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cabO16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://meijer.lifepics.com/net/Uploader/LPUploader41.cabO16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dllO23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXEO23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exeO23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE--End of file - 12833 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 20, 2009 Root Admin ID:58017 Share Posted February 20, 2009 How is the computer running now?Are there still any signs of an infection? Link to post Share on other sites More sharing options...
JFT Posted February 20, 2009 Author ID:58050 Share Posted February 20, 2009 How is the computer running now?Are there still any signs of an infection?It seems to be running well. I did a full scan with Spyware Doctor overnight and it found some minor items, tracking cookies but I assume those are common and will always turn up. I also still have to run ERUNT as you suggested before. After I do that should I post another log? I also have to address all my start up items as you suggested.Thanks! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 20, 2009 Root Admin ID:58175 Share Posted February 20, 2009 No need to post new logs. Erunt is for use in case of issues later on. It will allow you to restore the Registry from previous days if the need arises.If needed:Download and Update Java RuntimeThe most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.Uncheck the Toolbar button (unless you want the toolbar)Reboot your computerGreat, all looks good now.I'll close your post soon so that other don't post into it and leave you with this information and suggestions.So how did I get infected in the first place?At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:Disable and Enable System Restore-WINDOWS XPThis is a good time to clear your existing system restore points and establish a new clean restore point:Turn off System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.Check Turn off System Restore.Click Apply, and then click OK. Reboot.Turn ON System RestoreOn the Desktop, right-click My Computer.Click Properties.Click the System Restore tab.UN-Check *Turn off System Restore*.Click Apply, and then click OK.This will remove all restore points except the new one you just created.Here are some free programs I recommend that could help you improve your computer's security.Install SpyWare BlasterDownload it from hereFind here the tutorial on how to use Spyware Blaster here Install WinPatrolDownload it from hereHere you can find information about how WinPatrol works hereInstall FireTrust SiteHoundYou can find information and download it from hereInstall hpHosts Download it from herehpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.hpHosts Support ForumUpdate your Antivirus programs and other security products regularly to avoid new threats that could infect your system.You can use one of these sites to check if any updates are needed for your pc.Secunia Software InspectorF-secure Health CheckVisit Microsoft often to get the latest updates for your computer.http://www.update.microsoft.comNote 1: If you are running Windows XP SP2, you should upgrade to SP3.Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.The security suite can then be reinstalled afterwards.The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. I recommend Online Armor FreeA little outdated but good reading on how to prevent MalwareKeep safe online and happy surfing.Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post InstructionsAlso don't forget that we offer FREE assistance with General PC questions and repair here PC Help If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org Link to post Share on other sites More sharing options...
Recommended Posts