
recurring vundo.h rovoloboyu and 58720e79 trojans



I've run the latest MB and AVG several times and rebooted several times, but can't seem to get these last two little buggers. A little help? Here are the latest logs from both MB and HijackThis. THANKS!

Malwarebytes' Anti-Malware 1.34

Database version: 1825

Windows 5.1.2600 Service Pack 3

3/7/2009 8:58:02 AM

mbam-log-2009-03-07 (08-58-02).txt

Scan type: Quick Scan

Objects scanned: 79527

Time elapsed: 10 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58720e79 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rovoloboyu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:05:06 AM, on 3/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {54da6589-0a8a-49dd-955a-e3c0e9288ced} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {958b496f-b2d6-4dd8-9a7c-bbfc1880049b} - (no file)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [GBMHome8Agent] C:\Program Files\Genie-Soft\GBMHome8\GBMAgent.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [rovoloboyu] Rundll32.exe "C:\WINDOWS\system32\logokira.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [rovoloboyu] Rundll32.exe "C:\WINDOWS\system32\logokira.dll",s (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader2.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189465355415

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9359 bytes

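Both logs in the post above show the same loader pattern: a Run value that starts rundll32 with a DLL in system32 and a one-letter export (",s" and ",b"), a value name that is either a pronounceable made-up word (rovoloboyu) or eight hex digits (58720e79), and in the HijackThis log the same value still sitting under the LOCAL SERVICE and NETWORK SERVICE hives (HKUS\S-1-5-19 and S-1-5-20) after MBAM reported the HKLM copies removed. The script below is an added example written for this thread, not a tool from the original posts or from Malwarebytes or Trend Micro: it parses HijackThis O4 lines, scores each Run value against those traits, and diffs two logs to show which flagged values came back after a cleanup. The sample lines are copied from this thread's two HijackThis logs (the second one is posted further down); the scoring weights and the "alternating consonant/vowel" name test are assumptions tuned to the names in these logs, not a general Vundo signature.

```python
import re

# O4 - <hive>\..\Run: [<name>] <command>   (HKUS lines end with "(User 'X')")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>[^\\]+))\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# rundll32[.exe] "<dll>",<export>   (quotes around the DLL path are optional)
RUNDLL32_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.I)
HEX8_RE = re.compile(r"^[0-9a-f]{8}$")
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
VOWELS = set("aeiou")


def looks_generated(word):
    """6-10 lowercase letters, consonants and vowels strictly alternating (assumption:
    fits dagamami/logokira/rovoloboyu/mejeweme from this thread, rarely real software)."""
    if not (6 <= len(word) <= 10 and word.isascii() and word.isalpha() and word.islower()):
        return False
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(word, word[1:]))


def parse_o4(line):
    """Hive, SID, value name and command of an O4 Run line, or None for other O4 forms."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m["hive"], "sid": m["sid"], "name": m["name"], "cmd": m["cmd"].strip()}


def score(entry):
    """Return (points, reasons); two or more points is worth a manual look."""
    points, reasons = 0, []
    r = RUNDLL32_RE.match(entry["cmd"])
    if r:
        dll = r["dll"].replace("/", "\\")
        stem = dll.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        if len(r["entry"]) == 1:
            # genuine rundll32 exports have names (e.g. Control_RunDLL); these use ",b" and ",s"
            points += 2
            reasons.append("rundll32 with single-letter export %r" % r["entry"])
        if "\\system32\\" in dll.lower() and looks_generated(stem):
            points += 1
            reasons.append("generated-looking DLL name in system32: " + stem)
    if HEX8_RE.match(entry["name"]):
        points += 1
        reasons.append("8-hex-digit value name")
    if looks_generated(entry["name"]):
        points += 1
        reasons.append("generated-looking value name")
    if entry["sid"] in SERVICE_SIDS:
        points += 1  # weak alone: Watson's DWQueuedReporting legitimately sits under SYSTEM
        reasons.append("Run value under service-account hive " + entry["sid"])
    return points, reasons


def find_suspicious(lines, threshold=2):
    """(hive, value name, points, reasons) for every O4 Run line at or above threshold."""
    hits = []
    for line in lines:
        e = parse_o4(line)
        if e:
            pts, why = score(e)
            if pts >= threshold:
                hits.append((e["hive"], e["name"], pts, why))
    return hits


def recreated(before_lines, after_lines):
    """Suspicious (hive, name) pairs in the later log that the earlier log did not have."""
    before = {(h, n) for h, n, _, _ in find_suspicious(before_lines)}
    return sorted({(h, n) for h, n, _, _ in find_suspicious(after_lines)} - before)


# Constructed excerpts of the thread's two HijackThis logs (09:05 and 19:12 on 3/7/2009).
HJT_0905 = r'''
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-19\..\Run: [rovoloboyu] Rundll32.exe "C:\WINDOWS\system32\logokira.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rovoloboyu] Rundll32.exe "C:\WINDOWS\system32\logokira.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
'''.strip().splitlines()

HJT_1912 = r'''
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [58720e79] rundll32.exe "C:\WINDOWS\system32\dagamami.dll",b
O4 - HKLM\..\Run: [rovoloboyu] Rundll32.exe "C:\WINDOWS\system32\logokira.dll",s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
'''.strip().splitlines()

if __name__ == "__main__":
    for label, log in (("09:05", HJT_0905), ("19:12", HJT_1912)):
        for hive, name, pts, why in find_suspicious(log):
            print("%s %s\\%s (%d): %s" % (label, hive, name, pts, "; ".join(why)))
    print("re-created after cleanup:", recreated(HJT_0905, HJT_1912))
```

Run as-is it reports the two rovoloboyu values under the service-account hives in the first log, both HKLM values in the second, and lists the two HKLM values as re-created. A value that scores high and is back under HKLM after a tool reported it removed is evidence that something still running is rewriting the key, which is why the next step on a machine like this is a rootkit-aware tool and a boot log rather than another quick scan. The service-account hive rule is deliberately worth only one point: the Watson entry under SYSTEM in the same logs is legitimate.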

Root Admin

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.
If you're already running inside Windows you can enable it the following way:
  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG.
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad.
  • From the Edit menu choose Select All, then Edit, COPY, and post that back in your next reply.
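The msconfig /BOOTLOG checkbox in the last step appends the /bootlog switch to the default entry in C:\boot.ini, which is what makes NTLDR write ntbtlog.txt on the next boot. As an added example, not part of the Root Admin's instructions, the script below makes the same edit on a copy of the file instead of through the GUI: it touches only the line named by default= under [boot loader], leaves the Recovery Console entry alone, and is safe to run twice. The sample boot.ini is the one ComboFix prints later in this thread; the function names and the attrib step mentioned in the comment are this example's own assumptions.

```python
# Constructed sample: the boot.ini that ComboFix printed later in this thread.
SAMPLE_BOOT_INI = r'''
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
'''.strip() + "\n"


def _section_of(line):
    """Lower-cased '[section]' if the line is a section header, else None."""
    s = line.strip()
    return s.lower() if s.startswith("[") and s.endswith("]") else None


def default_entry(text):
    """ARC path named by default= under [boot loader], or None if absent."""
    section = None
    for line in text.splitlines():
        section = _section_of(line) or section
        if section == "[boot loader]" and line.strip().lower().startswith("default="):
            return line.split("=", 1)[1].strip()
    return None


def enable_bootlog(text):
    """Return (new_text, changed). Only the default OS line under [operating systems]
    gets ' /bootlog' appended; every other line is passed through byte for byte."""
    target = default_entry(text)
    if target is None:
        raise ValueError("boot.ini has no default= entry under [boot loader]")
    out, changed, section = [], False, None
    for line in text.splitlines():
        section = _section_of(line) or section
        key = line.split("=", 1)[0].strip().lower()
        if section == "[operating systems]" and key == target.lower():
            if "/bootlog" not in line.lower():  # idempotent: a second run changes nothing
                line = line.rstrip() + " /bootlog"
                changed = True
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # On the real machine boot.ini is read-only/system/hidden: clear those with
    # "attrib -r -s -h C:\boot.ini" before writing the result back, then restore them.
    new_text, changed = enable_bootlog(SAMPLE_BOOT_INI)
    print(new_text, "changed:", changed)
```

The entry is matched on the ARC path to the left of the first "=", so a second installation or the cmdcons line never picks up the switch by accident; the original line order and spacing are preserved because NTLDR parses boot.ini itself and is less forgiving than a generic INI writer.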

Thanks for your assistance oh wizened one!

STEP 1 RESULTS:

COMBOFIX.TXT:

ComboFix 09-03-06.02 - Thomas 2009-03-07 18:38:47.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.479 [GMT -6:00]

Running from: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Desktop\ComboFix.exe

AV: AVG Anti-Virus *On-access scanning disabled* (Updated)

AV: CA Anti-Virus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\mejeweme.dll

c:\windows\system32\nuhopafe.dll

c:\windows\system32\pevoyuyu.dll

c:\windows\system32\sefesufa.dll

c:\windows\system32\vasezanu.dll

c:\windows\system32\wfyzgw.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))

.

2009-03-06 21:54 . 2009-03-07 18:17 <DIR> d--h----- C:\$AVG8.VAULT$

2009-03-06 21:35 . 2009-03-07 17:49 <DIR> d-------- c:\windows\system32\drivers\Avg

2009-03-06 21:35 . 2009-03-06 21:35 <DIR> d-------- c:\program files\AVG

2009-03-06 21:35 . 2009-03-06 21:35 <DIR> d-------- c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\AVGTOOLBAR

2009-03-06 21:35 . 2009-03-06 21:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8

2009-03-06 21:35 . 2009-03-06 21:35 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys

2009-03-06 21:35 . 2009-03-06 21:35 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys

2009-03-06 21:35 . 2009-03-06 21:35 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys

2009-03-06 21:35 . 2009-03-06 21:35 10,520 --a------ c:\windows\system32\avgrsstx.dll

2009-03-06 19:17 . 2009-03-06 19:17 <DIR> d-------- C:\VundoFix Backups

2009-03-05 16:14 . 2008-04-13 19:11 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll

2009-03-05 16:14 . 2008-04-13 19:11 1,888,992 --a------ c:\windows\system32\ati3duag.dll

2009-03-05 16:14 . 2004-08-03 22:29 701,440 --a------ c:\windows\system32\drivers\ati2mtag.sys

2009-03-05 16:14 . 2004-08-03 22:29 701,440 --a--c--- c:\windows\system32\dllcache\ati2mtag.sys

2009-03-05 16:14 . 2008-04-13 19:11 516,768 --a--c--- c:\windows\system32\dllcache\ativvaxx.dll

2009-03-05 16:14 . 2008-04-13 19:11 516,768 --a------ c:\windows\system32\ativvaxx.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-07 20:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-07 20:30 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-07 04:47 --------- d-----w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\WeatherBug

2009-03-05 22:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2009-02-27 07:03 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-19 22:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-12 04:44 --------- d-----w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Move Networks

2008-12-30 04:52 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-07-07 04:17 23 ------w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\jagex_runescape_preferences.dat

2008-02-18 16:17 1,110,016 ------w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\iTunesMobileDevice.dll

2008-08-10 21:47 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352]

"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]

"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 1424648]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-09 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"GBMHome8Agent"="c:\program files\Genie-Soft\GBMHome8\GBMAgent.exe" [2008-09-11 189056]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-06 1932568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-09-10 184320]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-03-06 21:35 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-06 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-06 325640]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-06 107912]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-06 298264]

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2007-09-10 202280]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-27 24652]

R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-07-15 18432]

S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys --> c:\windows\system32\drivers\caliaud.sys [?]

S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys --> c:\windows\system32\drivers\calihal.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2008-05-30 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 08:50]

.

- - - - ORPHANS REMOVED - - - -

BHO-{54da6589-0a8a-49dd-955a-e3c0e9288ced} - (no file)

BHO-{958b496f-b2d6-4dd8-9a7c-bbfc1880049b} - (no file)

HKLM-Run-58720e79 - c:\windows\system32\dagamami.dll

HKLM-Run-rovoloboyu - c:\windows\system32\logokira.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.foxnews.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\VetRedir.dll

FF - ProfilePath - c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Mozilla\Firefox\Profiles\bf0qm5dm.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

FF - plugin: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Mozilla\Firefox\Profiles\bf0qm5dm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-07 18:40:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]

"Name"="ActiveSync"

"DisplayName"="Microsoft ActiveSync"

"Param1"="ActiveSync"

"Type"="wellknown"

"Order"=dword:00000000

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]

"Name"="IESettings"

"Type"="IESettings"

"Order"=dword:00000003

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]

"Name"="MediaFiles"

"Type"="MediaFiles"

"Order"=dword:00000002

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]

"Name"="NPW"

"Param1"="NPW"

"Type"="wellknown"

"Order"=dword:00000001

"State"=dword:0000000b

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(340)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

.

Completion time: 2009-03-07 18:42:49

ComboFix-quarantined-files.txt 2009-03-08 00:42:35

Pre-Run: 93,626,974,208 bytes free

Post-Run: 93,621,608,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

198 --- E O F --- 2009-02-26 05:49:21

HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:12, on 3/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {54da6589-0a8a-49dd-955a-e3c0e9288ced} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {958b496f-b2d6-4dd8-9a7c-bbfc1880049b} - (no file)

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [58720e79] rundll32.exe "C:\WINDOWS\system32\dagamami.dll",b

O4 - HKLM\..\Run: [rovoloboyu] Rundll32.exe "C:\WINDOWS\system32\logokira.dll",s

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [GBMHome8Agent] C:\Program Files\Genie-Soft\GBMHome8\GBMAgent.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader2.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189465355415

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9502 bytes

STEP 2 RESULTS: DDS.txt and Attach.txt

DDS (Ver_09-02-01.01) - NTFSx86

Run by Thomas at 18:55:21.69 on Sat 03/07/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.312 [GMT -6:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated)

AV: CA Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\SearchIndexer.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {54da6589-0a8a-49dd-955a-e3c0e9288ced} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {958b496f-b2d6-4dd8-9a7c-bbfc1880049b} - No File

BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S

uRun: [uniblue SpeedUpMyPC] c:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe -s

uRun: [uniblue SpyEraser] "c:\program files\uniblue\spyeraser\SpyEraser.exe" -m

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [GBMHome8Agent] c:\program files\genie-soft\gbmhome8\GBMAgent.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [58720e79] rundll32.exe "c:\windows\system32\dagamami.dll",b

mRun: [rovoloboyu] Rundll32.exe "c:\windows\system32\logokira.dll",s

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\VetRedir.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader2.cab

DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189465355415

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas~1.smc\applic~1\mozilla\firefox\profiles\bf0qm5dm.default\

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

FF - plugin: c:\documents and settings\thomas.smcompaqlaptop\application data\mozilla\firefox\profiles\bf0qm5dm.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-6 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-6 325640]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-6 27656]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-6 107912]

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2007-11-27 26376]

R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2007-11-27 21128]

R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-6-4 880560]

R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2007-11-27 21512]

R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-11-27 32264]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-6 298264]

R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2007-11-27 144960]

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2007-9-10 202280]

R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2007-11-27 242952]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-27 24652]

R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-7-15 18432]

R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-6-4 108368]

S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys --> c:\windows\system32\drivers\caliaud.sys [?]

S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys --> c:\windows\system32\drivers\calihal.sys [?]

=============== Created Last 30 ================

2009-03-07 18:38 <DIR> a-dshr-- C:\cmdcons

2009-03-07 18:36 161,792 a------- c:\windows\SWREG.exe

2009-03-07 18:36 98,816 a------- c:\windows\sed.exe

2009-03-06 21:54 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-03-06 21:35 10,520 a------- c:\windows\system32\avgrsstx.dll

2009-03-06 21:35 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys

2009-03-06 21:35 107,912 a------- c:\windows\system32\drivers\avgtdix.sys

2009-03-06 21:35 325,640 a------- c:\windows\system32\drivers\avgldx86.sys

2009-03-06 21:35 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-03-06 21:35 <DIR> --d----- c:\docume~1\thomas~1.smc\applic~1\AVGTOOLBAR

2009-03-06 21:35 <DIR> --d----- c:\program files\AVG

2009-03-06 21:35 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\avg8

2009-03-06 19:17 <DIR> --d----- C:\VundoFix Backups

2009-03-05 16:14 516,768 ac------ c:\windows\system32\dllcache\ativvaxx.dll

2009-03-05 16:14 516,768 a------- c:\windows\system32\ativvaxx.dll

2009-03-05 16:14 1,888,992 ac------ c:\windows\system32\dllcache\ati3duag.dll

2009-03-05 16:14 1,888,992 a------- c:\windows\system32\ati3duag.dll

2009-03-05 16:14 701,440 ac------ c:\windows\system32\dllcache\ati2mtag.sys

2009-03-05 16:14 701,440 a------- c:\windows\system32\drivers\ati2mtag.sys

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-29 22:52 410,984 a------- c:\windows\system32\deploytk.dll

2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll

2008-07-06 22:17 23 -------- c:\documents and settings\thomas.smcompaqlaptop\jagex_runescape_preferences.dat

2008-02-18 10:17 1,110,016 -------- c:\documents and settings\thomas.smcompaqlaptop\iTunesMobileDevice.dll

2008-08-10 15:47 32,768 ---sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081020080811\index.dat

============= FINISH: 18:55:45.31 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 9/10/2007 5:20:28 PM

System Uptime: 3/7/2009 2:29:52 PM (4 hours ago)

Motherboard: Hewlett-Packard | | 0024

Processor: mobile AMD Athlon XP2400+ | mPGA462B | 1788/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 87.217 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:

Description: Video Controller (VGA Compatible)

Device ID: PCI\VEN_1002&DEV_4336&SUBSYS_0024103C&REV_00\4&1764180E&0&2808

Manufacturer:

Name: Video Controller (VGA Compatible)

PNP Device ID: PCI\VEN_1002&DEV_4336&SUBSYS_0024103C&REV_00\4&1764180E&0&2808

Service:

Class GUID:

Description: PCI Modem

Device ID: PCI\VEN_10B9&DEV_5457&SUBSYS_0024103C&REV_00\3&61AAA01&0&40

Manufacturer:

Name: PCI Modem

PNP Device ID: PCI\VEN_10B9&DEV_5457&SUBSYS_0024103C&REV_00\3&61AAA01&0&40

Service:

==== System Restore Points ===================

RP359: 12/7/2008 11:39:27 PM - System Checkpoint

RP360: 12/9/2008 1:21:34 AM - System Checkpoint

RP361: 12/10/2008 5:44:25 AM - System Checkpoint

RP362: 12/10/2008 5:37:35 PM - Uniblue RegistryBooster

RP363: 12/10/2008 8:24:29 PM - Installed iTunes

RP364: 12/10/2008 9:16:31 PM - Software Distribution Service 3.0

RP365: 12/12/2008 4:59:34 PM - System Checkpoint

RP366: 12/12/2008 5:38:15 PM - Uniblue RegistryBooster

RP367: 12/12/2008 8:32:47 PM - Installed Ad-Aware

RP368: 12/12/2008 9:12:50 PM - Ad-Aware Restore Point 2008-12-12 21:12:41

RP369: 12/14/2008 4:15:03 AM - System Checkpoint

RP370: 12/18/2008 11:34:42 PM - System Checkpoint

RP371: 12/19/2008 3:00:23 AM - Software Distribution Service 3.0

RP372: 12/20/2008 3:28:34 PM - System Checkpoint

RP373: 12/29/2008 9:58:44 PM - System Checkpoint

RP374: 12/29/2008 10:51:53 PM - Installed Java 6 Update 11

RP375: 1/7/2009 12:02:35 AM - System Checkpoint

RP376: 1/8/2009 12:58:52 AM - System Checkpoint

RP377: 1/9/2009 3:11:38 PM - System Checkpoint

RP378: 1/10/2009 3:58:50 PM - System Checkpoint

RP379: 1/15/2009 11:31:40 PM - System Checkpoint

RP380: 1/16/2009 3:00:46 AM - Software Distribution Service 3.0

RP381: 1/17/2009 3:17:27 AM - System Checkpoint

RP382: 1/18/2009 3:38:47 AM - System Checkpoint

RP383: 1/19/2009 11:16:59 PM - System Checkpoint

RP384: 1/22/2009 10:36:32 PM - System Checkpoint

RP385: 1/23/2009 10:38:37 PM - System Checkpoint

RP386: 1/25/2009 6:07:15 PM - System Checkpoint

RP387: 1/27/2009 6:23:23 AM - System Checkpoint

RP388: 1/28/2009 6:32:53 AM - System Checkpoint

RP389: 1/29/2009 7:32:52 AM - System Checkpoint

RP390: 1/30/2009 8:32:53 AM - System Checkpoint

RP391: 1/31/2009 8:38:52 AM - System Checkpoint

RP392: 2/1/2009 8:46:26 AM - System Checkpoint

RP393: 2/2/2009 10:22:30 PM - System Checkpoint

RP394: 2/4/2009 10:52:35 PM - System Checkpoint

RP395: 2/9/2009 9:03:53 PM - System Checkpoint

RP396: 2/12/2009 11:48:05 PM - System Checkpoint

RP397: 2/13/2009 3:00:41 AM - Software Distribution Service 3.0

RP398: 2/14/2009 3:19:49 AM - System Checkpoint

RP399: 2/15/2009 4:19:50 AM - System Checkpoint

RP400: 2/16/2009 5:20:00 AM - System Checkpoint

RP401: 2/17/2009 6:20:06 AM - System Checkpoint

RP402: 2/19/2009 4:11:07 PM - System Checkpoint

RP403: 2/19/2009 4:20:16 PM - Uniblue RegistryBooster

RP404: 2/21/2009 1:48:16 PM - System Checkpoint

RP405: 2/22/2009 1:52:29 PM - System Checkpoint

RP406: 2/23/2009 8:48:45 PM - System Checkpoint

RP407: 2/24/2009 9:41:23 PM - System Checkpoint

RP408: 2/25/2009 10:26:40 AM - Software Distribution Service 3.0

RP409: 2/25/2009 11:49:02 PM - Software Distribution Service 3.0

RP410: 2/27/2009 1:40:14 AM - System Checkpoint

RP411: 2/28/2009 2:08:09 AM - System Checkpoint

RP412: 3/1/2009 3:08:10 AM - System Checkpoint

RP413: 3/2/2009 4:08:24 AM - System Checkpoint

RP414: 3/3/2009 5:08:30 AM - System Checkpoint

RP415: 3/4/2009 5:23:16 PM - System Checkpoint

RP416: 3/5/2009 4:11:46 PM - Removed Ad-Aware

RP417: 3/5/2009 4:12:50 PM - Removed Apple Software Update

RP418: 3/5/2009 4:18:34 PM - Removed Bonjour

RP419: 3/6/2009 4:20:25 PM - System Checkpoint

RP420: 3/6/2009 7:57:59 PM - Uniblue RegistryBooster

RP421: 3/6/2009 9:35:00 PM - Installed AVG 8.5

RP422: 3/7/2009 2:12:07 PM - Uniblue RegistryBooster

RP423: 3/7/2009 6:37:15 PM - ComboFix created restore point

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

AIM 6

Apple Mobile Device Support

AVG 8.5

CA Anti-Virus

CA Internet Security Suite

Canon MX700 series

Canon My Printer

Genie Backup Manager Home 8.0

Google Earth

Google Updater

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB932716-v2)

Hotfix for Windows XP (KB952287)

HP Help and Support

HP Product Detection

HP Update

InterVideo DVD Check

InterVideo WinDVD

iTunes

Java 6 Update 11

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Magic DVD Ripper V5.2

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft .NET Framework 3.0 Service Pack 1

Microsoft ActiveSync 4.0

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft National Language Support Downlevel APIs

Microsoft Office Small Business Edition 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Move Networks Media Player for Internet Explorer

Mozilla Firefox (3.0.7)

MSXML 6.0 Parser (KB933579)

QuickTime

Road Runner Medic 6.1

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB960715)

Spybot - Search & Destroy

Synaptics Pointing Device Driver

Uniblue RegistryBooster 2

Uniblue SpeedUpMyPC 3

Uniblue SpyEraser

Update for Windows XP (KB943729)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951618-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

URGE

Viewpoint Media Player

WeatherBug

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows Presentation Foundation

Windows Search 4.0

Windows XP Service Pack 3

XML Paper Specification Shared Components Pack 1.0

Zune

Zune Language Pack (ES)

Zune Language Pack (FR)

==== Event Viewer Messages From Past Week ========

3/4/2009 2:27:09 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

3/4/2009 2:27:07 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Genie-Soft\GBMHome8\Microsoft.VC80.MFC\MFC80U.DLL. Reference error message: The operation completed successfully. .

3/4/2009 2:27:07 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .

3/4/2009 2:26:17 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/4/2009 2:26:17 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.

3/3/2009 5:45:07 PM, error: Service Control Manager [7000] - The CaCCProvSP service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/3/2009 5:45:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CaCCProvSP service to connect.

3/3/2009 5:44:44 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}

3/3/2009 5:36:33 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/3/2009 5:36:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

3/2/2009 4:42:44 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

3/1/2009 2:22:40 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wscsvc service.

3/5/2009 10:02:43 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

3/6/2009 9:43:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

3/6/2009 9:43:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/6/2009 9:44:00 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

3/6/2009 9:44:00 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/6/2009 9:44:00 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

3/6/2009 9:44:00 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/6/2009 9:44:00 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

3/6/2009 9:44:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip VET-FILT VET-REC VETEFILE VETMONNT

3/7/2009 9:30:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.

3/7/2009 9:30:27 AM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

3/7/2009 9:30:45 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

3/5/2009 4:14:10 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ati2mtag.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.6462.

3/5/2009 4:14:10 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ati3duag.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.10.231.

3/5/2009 4:14:10 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ativvaxx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.14.1.9.

==== End Of File ===========================

STEP 3 RESULTS: ntbtlog.txt

I am attaching this file as the forum server is rejecting the pasted version as too long.

THANKS AGAIN For your help B)

ntbtlog.txt

  • Root Admin

You appear to have had the BOOTLOG running for a while. Please delete the file C:\Windows\ntbtlog.txt, reboot the computer again and attach the newly created file.

You also show that you're running more than 1 Anti-Virus application. You can only run 1 as they conflict with each other.

You have these 2 main ones. You need to choose which one you want and FULLY remove the other one.

AVG 8.5

CA Anti-Virus

Then you have at least portions of an Anti-Virus application named: VET Anti-Virus which should be removed if you can or we may need to manually remove it if you don't use or want it.

Please choose 1 Anti-Virus and remove the others.

While on the cleanup before re-posting the BOOTLOG please remove ALL Java.

Java


Hello again and thanks. I have selected to keep CA antivirus over AVG for now and uninstalled AVG. I have no idea what the "Vet" antivirus is, could you help remove it? Below is the new boot log, thanks for the help. Paul

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Service Pack 3 3 8 2009 15:13:33.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver compbatt.sys

Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS

Loaded driver aliide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver pcmcia.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver ACPIEC.sys

Loaded driver \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver WudfPf.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\system32\DRIVERS\amdk7.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\system32\drivers\ac97ali.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\serial.sys

Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\bcmwl5.sys

Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\DP83815.SYS

Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys

Loaded driver \SystemRoot\system32\DRIVERS\serscan.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\system32\DRIVERS\Wdf01000.sys

Loaded driver \SystemRoot\system32\DRIVERS\zumbus.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\VETFDDNT.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\VETEFILE.SYS

Loaded driver \SystemRoot\System32\Drivers\VET-REC.SYS

Loaded driver \SystemRoot\System32\Drivers\VET-FILT.SYS

Did not load driver \SystemRoot\System32\Drivers\VET-FILT.SYS

Loaded driver \SystemRoot\System32\Drivers\VETEBOOT.SYS

Did not load driver \SystemRoot\System32\Drivers\VETEFILE.SYS

Loaded driver \SystemRoot\System32\Drivers\VETMONNT.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Did not load driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys


Thanks for the reply. I need some help uninstalling Combofix. It doesn't show up in "Add or Remove Programs" or in the Start/Programs menu. Is the uninstall part of the recovery console, or do I need to manually delete some files? Sorry to slow things down. Paul


I was able to manually delete and reinstall ComboFix. Here is the new log:

ComboFix 09-03-06.02 - Thomas 2009-03-10 12:16:15.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.561 [GMT -5:00]

Running from: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Desktop\ComboFix.exe

AV: CA Anti-Virus *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))

.

2009-03-10 11:47 . 2009-03-10 11:47 <DIR> d-------- c:\program files\VS Revo Group

2009-03-09 21:13 . 2009-03-09 21:13 <DIR> d-------- c:\program files\CONEXANT

2009-03-09 21:13 . 2001-08-17 13:57 16,128 --a------ c:\windows\system32\drivers\MODEMCSA.sys

2009-03-09 21:13 . 2001-08-17 13:57 16,128 --a--c--- c:\windows\system32\dllcache\modemcsa.sys

2009-03-06 22:35 . 2009-03-06 22:35 <DIR> d-------- c:\program files\AVG

2009-03-06 20:17 . 2009-03-06 20:17 <DIR> d-------- C:\VundoFix Backups

2009-03-05 17:14 . 2008-04-13 20:11 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll

2009-03-05 17:14 . 2008-04-13 20:11 1,888,992 --a------ c:\windows\system32\ati3duag.dll

2009-03-05 17:14 . 2004-08-03 23:29 701,440 --a------ c:\windows\system32\drivers\ati2mtag.sys

2009-03-05 17:14 . 2004-08-03 23:29 701,440 --a--c--- c:\windows\system32\dllcache\ati2mtag.sys

2009-03-05 17:14 . 2008-04-13 20:11 516,768 --a--c--- c:\windows\system32\dllcache\ativvaxx.dll

2009-03-05 17:14 . 2008-04-13 20:11 516,768 --a------ c:\windows\system32\ativvaxx.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 20:09 --------- d-----w c:\program files\Java

2009-03-07 20:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-07 20:30 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-07 04:47 --------- d-----w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\WeatherBug

2009-03-05 22:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2009-02-27 07:03 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-19 22:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-12 04:44 --------- d-----w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Move Networks

2008-12-30 04:52 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-07-07 04:17 23 ------w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\jagex_runescape_preferences.dat

2008-02-18 16:17 1,110,016 ------w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\iTunesMobileDevice.dll

2008-08-10 21:47 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352]

"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]

"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 1424648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"58720e79"="c:\windows\system32\dagamami.dll" [bU]

"rovoloboyu"="c:\windows\system32\logokira.dll" [bU]

"CARPService"="carpserv.exe" [2003-05-21 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-09-10 184320]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMHome8Agent]

--------- 2008-09-11 06:28 189056 c:\program files\Genie-Soft\GBMHome8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--------- 2008-07-09 12:30 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2007-09-10 202280]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-27 24652]

R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-07-15 18432]

S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys --> c:\windows\system32\drivers\caliaud.sys [?]

S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys --> c:\windows\system32\drivers\calihal.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2008-05-30 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 09:50]

.

- - - - ORPHANS REMOVED - - - -

BHO-{54da6589-0a8a-49dd-955a-e3c0e9288ced} - (no file)

BHO-{958b496f-b2d6-4dd8-9a7c-bbfc1880049b} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.foxnews.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\VetRedir.dll

FF - ProfilePath - c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Mozilla\Firefox\Profiles\bf0qm5dm.default\

FF - plugin: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Mozilla\Firefox\Profiles\bf0qm5dm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-10 12:17:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]

"Name"="ActiveSync"

"DisplayName"="Microsoft ActiveSync"

"Param1"="ActiveSync"

"Type"="wellknown"

"Order"=dword:00000000

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]

"Name"="IESettings"

"Type"="IESettings"

"Order"=dword:00000003

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]

"Name"="MediaFiles"

"Type"="MediaFiles"

"Order"=dword:00000002

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]

"Name"="NPW"

"Param1"="NPW"

"Type"="wellknown"

"Order"=dword:00000001

"State"=dword:0000000b

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1892)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

.

Completion time: 2009-03-10 12:19:55

ComboFix-quarantined-files.txt 2009-03-10 17:19:48

Pre-Run: 94,179,397,632 bytes free

Post-Run: 94,164,500,480 bytes free

168 --- E O F --- 2009-03-10 02:14:08


  • Root Admin

Let's see if this works or not. If it does not then we'll need to do some deeper RootKit scanning.

STEP 01

Well first off you need to Disable Spybot TEA TIMER - DO NOT proceed until you've disabled Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident, which shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"58720e79"=-
"rovoloboyu"=-

File::
c:\windows\system32\dagamami.dll
c:\windows\system32\logokira.dll


RegNull::
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
RegLock::
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
RegNull::
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
RegLock::
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Update MBAM and do another Quick Scan and post back the log and a NEW HJT log.
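As an added example (not code from this thread, from ComboFix or from the forum helper), the script below applies to the HKLM Run block of the ComboFix log posted above the two observations that single out the Vundo.H entries (no "[date size]" file metadata recorded, and a Run value pointing straight at a DLL) and renders what it flags in the Registry::/File:: CFScript syntax used in the fix. The sample block, the heuristics and every helper name are constructed for this example; the rendered script is a draft for an analyst to review, not something to run unread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed copy of the HKLM Run block as it appears
# in the "Reg Loading Points" section of the ComboFix log posted in this thread.
SAMPLE_RUN_BLOCK = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"58720e79"="c:\windows\system32\dagamami.dll" [bU]

"rovoloboyu"="c:\windows\system32\logokira.dll" [bU]

"CARPService"="carpserv.exe" [2003-05-21 c:\windows\system32\carpserv.exe]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DATE_PREFIX_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\b')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


@dataclass
class RunEntry:
    key: str
    name: str
    target: str
    meta: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_run_entries(text: str) -> list:
    """Parse '"name"="target" [meta]' lines, remembering the enclosing [key] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(RunEntry(key, m.group('name'), m.group('target'), m.group('meta')))
    return entries


def assess(entry: RunEntry) -> RunEntry:
    """Attach the heuristic reasons that make an autostart entry worth a second look."""
    # Every legitimate entry in the posted log carries "[YYYY-MM-DD ...]" metadata;
    # an entry where no file date was recorded is the first thing to examine.
    if not DATE_PREFIX_RE.match(entry.meta):
        entry.reasons.append('no file date/size metadata (%r)' % entry.meta)
    # Run values normally launch an .exe; a bare .dll path with no rundll32 host
    # is exactly the shape the two Vundo.H entries in this thread take.
    target = entry.target.lower()
    if target.endswith('.dll') and 'rundll32' not in target:
        entry.reasons.append('Run value points directly at a DLL')
    if HEX_NAME_RE.match(entry.name):
        entry.reasons.append('value name is a bare 8-hex-digit string')
    return entry


def triage(text: str) -> list:
    """Return only the entries that tripped at least one heuristic, in log order."""
    return [e for e in (assess(x) for x in parse_run_entries(text)) if e.suspicious]


def build_cfscript(flagged: list) -> str:
    """Render flagged entries in the Registry::/File:: syntax shown in the fix above."""
    lines = ['Registry::']
    for key in sorted({e.key for e in flagged}):
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % e.name for e in flagged if e.key == key)
    lines += ['', 'File::']
    # Only fully qualified targets can be listed for deletion; bare names are skipped.
    lines.extend(e.target for e in flagged if '\\' in e.target)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    flagged = triage(SAMPLE_RUN_BLOCK)
    for e in flagged:
        print('%-12s -> %s' % (e.name, '; '.join(e.reasons)))
    print(build_cfscript(flagged))
```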


Here is the combofix log:

ComboFix 09-03-10.03 - Thomas 2009-03-11 12:03:18.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.630 [GMT -5:00]

Running from: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Desktop\CFscript.txt

AV: CA Anti-Virus *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

c:\windows\system32\dagamami.dll

c:\windows\system32\logokira.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))

.

2009-03-10 11:47 . 2009-03-10 11:47 <DIR> d-------- c:\program files\VS Revo Group

2009-03-09 21:13 . 2009-03-09 21:13 <DIR> d-------- c:\program files\CONEXANT

2009-03-09 21:13 . 2001-08-17 13:57 16,128 --a------ c:\windows\system32\drivers\MODEMCSA.sys

2009-03-09 21:13 . 2001-08-17 13:57 16,128 --a--c--- c:\windows\system32\dllcache\modemcsa.sys

2009-03-06 22:35 . 2009-03-06 22:35 <DIR> d-------- c:\program files\AVG

2009-03-06 20:17 . 2009-03-06 20:17 <DIR> d-------- C:\VundoFix Backups

2009-03-05 17:14 . 2008-04-13 20:11 1,888,992 --a--c--- c:\windows\system32\dllcache\ati3duag.dll

2009-03-05 17:14 . 2008-04-13 20:11 1,888,992 --a------ c:\windows\system32\ati3duag.dll

2009-03-05 17:14 . 2004-08-03 23:29 701,440 --a------ c:\windows\system32\drivers\ati2mtag.sys

2009-03-05 17:14 . 2004-08-03 23:29 701,440 --a--c--- c:\windows\system32\dllcache\ati2mtag.sys

2009-03-05 17:14 . 2008-04-13 20:11 516,768 --a--c--- c:\windows\system32\dllcache\ativvaxx.dll

2009-03-05 17:14 . 2008-04-13 20:11 516,768 --a------ c:\windows\system32\ativvaxx.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-08 20:09 --------- d-----w c:\program files\Java

2009-03-07 20:33 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

2009-03-07 20:30 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-07 04:47 --------- d-----w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\WeatherBug

2009-03-05 22:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft

2009-02-27 07:03 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-19 22:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-12 04:44 --------- d-----w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Move Networks

2008-07-07 04:17 23 ------w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\jagex_runescape_preferences.dat

2008-02-18 16:17 1,110,016 ------w c:\documents and settings\Thomas.SMCOMPAQLAPTOP\iTunesMobileDevice.dll

2008-08-10 21:47 32,768 --sh--w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081020080811\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-10_12.18.17.06 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-13 09:05:20 12,288 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2009-03-11 16:48:35 12,288 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2009-02-13 09:05:20 135,168 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-03-11 16:48:35 135,168 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2009-02-13 09:05:20 11,264 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2009-03-11 16:48:35 11,264 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2009-02-13 09:05:21 27,136 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2009-03-11 16:48:35 27,136 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2009-02-13 09:05:21 4,096 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2009-03-11 16:48:35 4,096 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2009-02-13 09:05:21 794,624 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2009-03-11 16:48:35 794,624 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2009-02-13 09:05:20 249,856 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2009-03-11 16:48:35 249,856 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2009-02-13 09:05:20 61,440 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe

+ 2009-03-11 16:48:35 61,440 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2009-02-13 09:05:21 23,040 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2009-03-11 16:48:35 23,040 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2009-02-13 09:05:19 286,720 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2009-03-11 16:48:35 286,720 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2009-02-13 09:05:19 409,600 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-03-11 16:48:35 409,600 ----a-r c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2009-03-11 16:48:47 6,168 ----a-w c:\windows\SoftwareDistribution\EventCache\{15BE350B-51EE-4FB4-A433-B69E8385BDBA}.bin

+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll

- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys

- 2007-06-12 04:51:12 10,834,944 -c----w c:\windows\system32\dllcache\wmp.dll

+ 2008-11-11 23:34:42 10,838,016 -c----w c:\windows\system32\dllcache\wmp.dll

- 2008-10-15 08:17:35 307,600 ------w c:\windows\system32\FNTCACHE.DAT

+ 2009-03-11 16:52:26 307,600 ----a-w c:\windows\system32\FNTCACHE.DAT

- 2009-03-10 03:51:53 79,608 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-11 15:40:17 79,608 ----a-w c:\windows\system32\perfc009.dat

- 2009-03-10 03:51:54 466,140 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-11 15:40:17 466,140 ----a-w c:\windows\system32\perfh009.dat

- 2008-04-14 00:12:05 144,384 ------w c:\windows\system32\schannel.dll

+ 2008-12-05 06:54:55 144,896 ------w c:\windows\system32\schannel.dll

- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll

+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll

- 2007-08-11 01:46:18 26,488 ------w c:\windows\system32\spupdsvc.exe

+ 2007-07-27 14:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe

- 2008-09-15 12:12:56 1,846,400 ------w c:\windows\system32\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 ------w c:\windows\system32\win32k.sys

- 2007-06-12 04:51:12 10,834,944 ------w c:\windows\system32\wmp.dll

+ 2008-11-11 23:34:42 10,838,016 ------w c:\windows\system32\wmp.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352]

"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]

"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 1424648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"CARPService"="carpserv.exe" [2003-05-21 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-09-10 184320]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMHome8Agent]

--------- 2008-09-11 06:28 189056 c:\program files\Genie-Soft\GBMHome8\GBMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

--------- 2008-07-09 12:30 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2007-09-10 202280]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-27 24652]

R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-07-15 18432]

S3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys --> c:\windows\system32\drivers\caliaud.sys [?]

S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys --> c:\windows\system32\drivers\calihal.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2008-05-30 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 09:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.foxnews.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\VetRedir.dll

FF - ProfilePath - c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Mozilla\Firefox\Profiles\bf0qm5dm.default\

FF - plugin: c:\documents and settings\Thomas.SMCOMPAQLAPTOP\Application Data\Mozilla\Firefox\Profiles\bf0qm5dm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-11 13:28:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]

"Name"="ActiveSync"

"DisplayName"="Microsoft ActiveSync"

"Param1"="ActiveSync"

"Type"="wellknown"

"Order"=dword:00000000

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]

"Name"="IESettings"

"Type"="IESettings"

"Order"=dword:00000003

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]

"Name"="MediaFiles"

"Type"="MediaFiles"

"Order"=dword:00000002

"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1409082233-1935655697-854245398-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]

"Name"="NPW"

"Param1"="NPW"

"Type"="wellknown"

"Order"=dword:00000001

"State"=dword:0000000b

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(912)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe

c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\ZuneBusEnum.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\MICROS~3\rapimgr.exe

.

**************************************************************************

.

Completion time: 2009-03-11 13:33:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-11 18:32:54

Pre-Run: 94,816,284,672 bytes free

Post-Run: 95,088,177,152 bytes free

226 --- E O F --- 2009-03-11 16:48:39

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.34

Database version: 1836

Windows 5.1.2600 Service Pack 3

3/11/2009 2:11:16 PM

mbam-log-2009-03-11 (14-11-16).txt

Scan type: Quick Scan

Objects scanned: 80272

Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And finally the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:55, on 3/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\SearchIndexer.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\carpserv.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

O4 - HKCU\..\Run: [uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader2.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189465355415

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8029 bytes

What do you think? The only problem I noticed was with the Windows shut down menu. The option to "stand by" will no longer light up as an option, only shut down and restart. Thanks, Paul


  • Root Admin

Please run the following which hopefully should finish it up.

STEP 01

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup217.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click Finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on the Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 02

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double-click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double-click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
  • Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP 03

PANDA ONLINE SCAN

Please go >here< to run Panda's ActiveScan

  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply


This doesn't look good, I'm guessing. They seem to be back.

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-03-12 14:54:45

PROTECTIONS: 1

MALWARE: 5

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

CA Anti-Virus 8.4.0.28 No No

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_22_11_2008_23_36_27.asq26500

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_24_08_2008_00_04_10.asq18467

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_16_09_2008_22_54_42.asq41

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_25_08_2008_18_18_31.asq18467

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_22_11_2008_23_36_27.asq6334

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_12_12_2008_20_29_30.asq18467

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_24_08_2008_00_04_10.asq41

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_10_12_2008_17_29_37.asq18467

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_25_08_2008_18_18_31.asq41

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_25_08_2008_18_18_31.asq6334

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Thomas.SMCOMPAQLAPTOP\Application Data\Uniblue\SpyEraser\Quarantine\Cookie.Tracking-Cookie_22_11_2008_23_36_27.asq19169

01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{71350142-CF84-4AAC-BCEE-D7173F7D9EAC}\RP432\A0069110.EXE

01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{71350142-CF84-4AAC-BCEE-D7173F7D9EAC}\RP434\A0069363.EXE

02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{71350142-CF84-4AAC-BCEE-D7173F7D9EAC}\RP434\A0069342.sys

02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{71350142-CF84-4AAC-BCEE-D7173F7D9EAC}\RP432\A0069076.sys

;===================================================================================================================================================================================

SUSPECTS

Sent Location Q<

;===================================================================================================================================================================================

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description Q<

;===================================================================================================================================================================================

;===================================================================================================================================================================================


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
