
Infected, cannot run Malwarebytes or Hijack



I need help please. My family computer is infected and won't let me run any antivirus or malware programs. When I download Mal and Hijack to desktop in safe mode with networking they will not run. However under task manager they show up in the processes. I can supply a Hijack log from about 5 days ago but not a current one.

DDS (Ver_09-05-14.01) - NTFSx86

Run by Laurier Martin at 20:29:16.93 on 14/05/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.852 [GMT -7:00]

AV: VIRUSfighter ver. 5.99 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\VIRUSfighter\Npm\Bin\Zanda.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\Shaw Secure\Common\FSMA32.EXE

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Shaw Secure\Common\FSMB32.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Shaw Secure\Common\FCH32.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe

C:\Program Files\Shaw Secure\Common\FAMEH32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\VIRUSfighter\Npm\bin\ZLH.EXE

C:\Program Files\Belkin\F5D8053\Belkinwcui.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\VIRUSfighter\Npm\bin\NJEEVES.EXE

C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe

C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe

C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE

C:\VIRUSfighter\Nvc\BIN\NIP.EXE

C:\VIRUSfighter\Nvc\bin\NVCOA.EXE

C:\VIRUSfighter\Nvc\bin\cclaw.exe

C:\Documents and Settings\Laurier Martin\Desktop\Copy of dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = proxy:8080

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Norman ZANDA] "c:\virusfighter\npm\bin\ZLH.EXE" /LOAD /SPLASH

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin f5d8053 n wireless usb adapter utility.lnk - c:\program files\belkin\f5d8053\Belkinwcui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autorunsdisabled\-\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

LSP: c:\program files\shaw secure\fsps\program\fslsp.dll

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://sympatico.zone.msn.com/bingame/amad/default/atomaders.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://photoshare.shaw.ca/files/ImageUploader4.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5342/mcfscan.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-11-13 33408]

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-5-4 79904]

R1 F-Secure HIPS;F-Secure HIPS;c:\program files\shaw secure\hips\drivers\fshs.sys [2008-11-13 66720]

R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\shaw secure\anti-virus\fsgk32st.exe [2008-5-4 215648]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-17 10384]

R2 Ndiskio;Ndiskio;c:\virusfighter\nse\bin\Ndiskio.sys [2009-5-14 20448]

R2 Norman ZANDA;Norman ZANDA;c:\virusfighter\npm\bin\Zanda.exe [2009-5-14 408696]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2008-5-4 84608]

R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2008-11-13 55904]

R3 nsesvc;Norman Scanner Engine Service;c:\virusfighter\nse\bin\Nsesvc.exe [2009-5-14 322616]

R3 NVCScheduler;Norman Virus Control Scheduler;c:\virusfighter\nvc\bin\Nvcsched.exe [2009-5-14 146488]

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]

S1 SuperMounter;SuperMounter; [x]

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\system32\drivers\CtUsbMs.sys [2006-10-8 14720]

S3 nvcoas;Norman Virus Control on-access component;c:\virusfighter\nvc\bin\Nvcoas.exe [2009-5-14 183352]

S3 PCNat;PC-Nat Miniport;c:\windows\system32\drivers\pcnat.sys [2004-3-9 30336]

S3 ZD1211U(Blitzz Technology Inc.);ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(Blitzz Technology Inc.);c:\windows\system32\drivers\ZD1211U.sys [2009-3-30 209408]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2008-5-4 39776]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2008-5-4 25184]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-14 17:33 <DIR> --d----- c:\program files\Safer Networking

2009-05-08 19:12 13,601,528 a------- C:\virusfighter_en.exe

2009-05-06 17:54 28,672 a------- c:\windows\ieocx.dll

==================== Find3M ====================

2009-04-10 14:12 21,419 a------- c:\windows\system32\drivers\AegisP.sys

2009-03-31 18:29 33,408 a------- c:\windows\system32\drivers\fsbts.sys

2009-03-21 07:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll

2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll

2009-03-06 07:22 284,160 a------- c:\windows\system32\dllcache\pdh.dll

2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll

2009-03-02 17:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll

2009-02-27 21:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe

2009-02-20 03:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe

2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2009-02-19 22:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll

2008-11-02 11:07 22,328 a------- c:\docume~1\laurie~1\applic~1\PnkBstrK.sys

2008-07-19 10:58 61,224 a------- c:\documents and settings\laurier martin\GoToAssistDownloadHelper.exe

2002-08-29 03:00 94,784 -c-sh--- c:\windows\TWAIN.DLL

2008-04-13 17:12 50,688 ---sh--- c:\windows\twain_32.dll

2008-04-13 17:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll

2008-04-13 17:12 11,776 a--sh--- c:\windows\system32\regsvr32.exe

2008-07-28 21:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072820080729\index.dat

============= FINISH: 20:30:39.25 ===============

Any help on this would be greatly appreciated. Thank you in advance.


  • Root Admin

Please take a look at the following posts and see if they help you to resolve this or not.

Potential Malware infection issues to review to get MBAM running

If so then please update and run MBAM and do a Quick Scan.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Then run DDS

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Hi, thank you for the reply and help. I was able to get Malwarebytes to run by killing off the processes. However, I can't get the DDS to run. I just get the splash screen and then nothing to click to start. I also have this VirusFighter program on the machine that I cannot get rid of; I think maybe this might be part of the problem?

Malwarebytes' Anti-Malware 1.36

Database version: 2166

Windows 5.1.2600 Service Pack 3

22/05/2009 8:59:32 AM

mbam-log-2009-05-22 (08-59-32).txt

Scan type: Quick Scan

Objects scanned: 94534

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\ieocx.0ll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACeufhxgftutaqlno.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACksxpnehmtpfpxlc.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACltkjcxfhunusami.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACoihbpuquxfcnmfq.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\UACprsiajxgjxdptav.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\uacprsiajxgjxdptav.dll.uss_dis (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\UACjlcqkoxqklowmey.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:08:11 AM, on 22/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE

C:\VIRUSfighter\Npm\Bin\Zanda.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\Shaw Secure\Common\FSMA32.EXE

C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Shaw Secure\Common\FSMB32.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Shaw Secure\Common\FCH32.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Shaw Secure\Common\FAMEH32.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe

C:\WINDOWS\Explorer.EXE

C:\VIRUSfighter\Npm\bin\NJEEVES.EXE

C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe

C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe

C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe

C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

C:\WINDOWS\System32\alg.exe

C:\VIRUSfighter\nse\bin\NSESVC.EXE

C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe

C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE

C:\VIRUSfighter\Npm\bin\ZLH.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\F5D8053\Belkinwcui.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\VIRUSfighter\Nvc\BIN\NIP.EXE

C:\VIRUSfighter\Nvc\bin\NVCOA.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

O4 - HKLM\..\Run: [Norman ZANDA] "C:\VIRUSfighter\Npm\bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: AutorunsDisabled

O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://sympatico.zone.msn.com/bingame/amad...t/atomaders.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/ImageUploader4.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...342/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE

O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\VIRUSfighter\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\VIRUSfighter\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\VIRUSfighter\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O24 - Desktop Component 0: (no name) - http://www.mytelus.com/news_images/cp_hockey/h122264.jpg

Again, thanks for your help.


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hello, and again thanks for your help. Here are the two logs.

ComboFix 09-05-22.05 - Laurier Martin 22/05/2009 18:08.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1029 [GMT -7:00]

Running from: c:\documents and settings\Laurier Martin\Desktop\ComboFix.exe

AV: Shaw Secure 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

AV: VIRUSfighter ver. 5.99 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

FW: Shaw Secure 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\box boat blue.ico

c:\windows\IE4 Error Log.txt

c:\windows\patch.exe

c:\windows\system32\tmp.reg

c:\windows\system32\UACbsurvoyepykixmi.dat

c:\windows\system32\UACdajxpnbrowivuqj.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))

.

2009-05-23 01:13 . 2009-05-23 01:13 -------- d-----w c:\windows\LastGood

2009-05-22 16:07 . 2009-05-22 16:07 -------- d-----w c:\program files\Trend Micro

2009-05-22 15:48 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-22 15:48 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-22 15:48 . 2009-05-22 15:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-20 04:45 . 2009-05-20 04:45 6623568 ----a-w C:\fseasyclean.exe

2009-05-20 02:55 . 2009-05-20 02:55 -------- d-----w c:\program files\Fighters

2009-05-20 02:55 . 2009-05-20 02:55 -------- d-----w c:\documents and settings\All Users\Application Data\Fighters

2009-05-20 01:35 . 2009-05-20 01:35 -------- d-----w c:\program files\NVT Malware Remover Tool

2009-05-15 00:33 . 2009-05-15 00:33 -------- d-----w c:\program files\Safer Networking

2009-05-09 02:12 . 2009-05-09 02:13 13601528 ----a-w C:\virusfighter_en.exe

2009-05-08 14:53 . 2009-05-08 14:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-08 14:52 . 2009-05-08 14:52 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH

2009-05-08 14:28 . 2009-05-08 14:28 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit

2009-05-06 16:40 . 2009-05-06 16:40 390664 ----a-w c:\documents and settings\Laurie Bergen\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-22 16:07 . 2008-05-02 15:13 -------- d-----w c:\program files\Shaw Secure

2009-05-20 19:52 . 2008-11-14 01:05 33408 ----a-w c:\windows\system32\drivers\fsbts.sys

2009-05-20 03:08 . 2006-07-08 21:36 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-17 03:37 . 2009-02-14 23:25 -------- d-----w c:\program files\Windows Live

2009-04-16 18:43 . 2008-07-28 19:41 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\PC-FAX TX

2009-04-10 21:12 . 2009-04-10 21:12 21419 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-04-10 21:10 . 2009-04-10 21:10 -------- d-----w c:\program files\Belkin

2009-04-01 01:35 . 2009-02-24 03:12 -------- d-----w c:\documents and settings\Laurie Bergen\Application Data\F-Secure

2009-03-31 02:26 . 2003-07-29 20:20 -------- d--h--w c:\program files\InstallShield Installation Information

2009-03-31 01:30 . 2009-03-31 01:30 -------- d-----w c:\program files\Blitzz

2009-03-17 21:40 . 2009-03-17 21:40 307200 ----a-w c:\documents and settings\Laurie Bergen\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe

2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-12-08 00:37 826368 ----a-w c:\windows\system32\wininet.dll

2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w c:\windows\TWAIN.DLL

2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w c:\windows\twain_32.dll

2008-04-14 00:12 . 2002-08-29 10:00 57344 --sha-w c:\windows\SYSTEM32\msvcirt.dll

2008-04-14 00:12 . 2002-08-29 10:00 11776 --sha-w c:\windows\SYSTEM32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Norman ZANDA"="c:\virusfighter\Npm\bin\ZLH.EXE" [2008-06-02 273520]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-9-17 1732608]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-17 809488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\-

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-17 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-08 00:41 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" /splash

"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=

"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 fsbts;fsbts;c:\windows\SYSTEM32\DRIVERS\fsbts.sys [13/11/2008 6:05 PM 33408]

R0 FSFW;F-Secure Firewall Driver;c:\windows\SYSTEM32\DRIVERS\fsdfw.sys [04/05/2008 9:33 AM 79904]

R1 F-Secure HIPS;F-Secure HIPS;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [13/11/2008 5:57 PM 66720]

R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/02/2009 4:38 PM 10384]

R2 Ndiskio;Ndiskio;c:\virusfighter\Nse\Bin\Ndiskio.sys [14/05/2009 7:15 PM 20448]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [04/05/2008 9:32 AM 84608]

R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [13/11/2008 5:58 PM 55904]

R3 nsesvc;Norman Scanner Engine Service;c:\virusfighter\Nse\Bin\Nsesvc.exe [14/05/2009 7:15 PM 322616]

R3 NVCScheduler;Norman Virus Control Scheduler;c:\virusfighter\Nvc\Bin\Nvcsched.exe [14/05/2009 7:15 PM 146488]

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\SYSTEM32\DRIVERS\rt2870.sys [28/07/2007 2:50 PM 517632]

S1 SuperMounter;SuperMounter; [x]

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\CtUsbMs.sys [08/10/2006 7:25 PM 14720]

S3 nvcoas;Norman Virus Control on-access component;c:\virusfighter\Nvc\Bin\Nvcoas.exe [14/05/2009 7:15 PM 183352]

S3 PCNat;PC-Nat Miniport;c:\windows\SYSTEM32\DRIVERS\pcnat.sys [09/03/2004 6:12 PM 30336]

S3 ZD1211U(Blitzz Technology Inc.);ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(Blitzz Technology Inc.);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [30/03/2009 6:30 PM 209408]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [04/05/2008 9:32 AM 39776]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [04/05/2008 9:32 AM 25184]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

.

Contents of the 'Scheduled Tasks' folder

2003-08-07 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2003-08-07 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2009-05-23 c:\windows\Tasks\Scheduled scanning task.job

- c:\progra~1\SHAWSE~1\Anti-Virus\fsav.exe [2008-05-04 13:35]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = proxy:8080

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

LSP: c:\program files\Shaw Secure\FSPS\program\fslsp.dll

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-22 18:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(924)

c:\program files\Shaw Secure\FSPS\program\fslsp.dll

- - - - - - - > 'explorer.exe'(284)

c:\virusfighter\nvc\bin\Niphk.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\virusfighter\npm\bin\elogsvc.exe

c:\virusfighter\npm\bin\Zanda.exe

c:\windows\SYSTEM32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe

c:\program files\Shaw Secure\Common\FSMA32.EXE

c:\program files\Shaw Secure\Anti-Virus\fsgk32.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\windows\SYSTEM32\PnkBstrA.exe

c:\program files\Shaw Secure\Common\FSMB32.EXE

c:\windows\SYSTEM32\wdfmgr.exe

c:\program files\Shaw Secure\Common\FCH32.EXE

c:\program files\Shaw Secure\Common\FAMEH32.EXE

c:\program files\Shaw Secure\Anti-Virus\fsqh.exe

c:\virusfighter\npm\bin\Njeeves.exe

c:\program files\Shaw Secure\Anti-Virus\fssm32.exe

c:\program files\Shaw Secure\FSAUA\program\fsaua.exe

c:\program files\Shaw Secure\FWES\program\fsdfwd.exe

c:\progra~1\SHAWSE~1\Anti-Virus\fsav32.exe

c:\windows\SYSTEM32\wscntfy.exe

c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE

c:\virusfighter\Nvc\Bin\Nip.exe

c:\virusfighter\Nvc\Bin\CClaw.exe

.

**************************************************************************

.

Completion time: 2009-05-23 18:28 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-23 01:28

ComboFix2.txt 2008-07-19 21:30

Pre-Run: 69,828,116,480 bytes free

Post-Run: 70,083,956,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

226 --- E O F --- 2009-05-15 10:03

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:29:25 PM, on 22/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE

C:\VIRUSfighter\Npm\Bin\Zanda.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\Shaw Secure\Common\FSMA32.EXE

C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Shaw Secure\Common\FSMB32.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Shaw Secure\Common\FCH32.EXE

C:\Program Files\Shaw Secure\Common\FAMEH32.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe

C:\VIRUSfighter\Npm\bin\NJEEVES.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe

C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe

C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe

C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

C:\VIRUSfighter\nse\bin\NSESVC.EXE

C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\VIRUSfighter\Npm\bin\ZLH.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\F5D8053\Belkinwcui.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\VIRUSfighter\Nvc\BIN\NIP.EXE

C:\VIRUSfighter\Nvc\bin\cclaw.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

O4 - HKLM\..\Run: [Norman ZANDA] "C:\VIRUSfighter\Npm\bin\ZLH.EXE" /LOAD /SPLASH

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: AutorunsDisabled

O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://sympatico.zone.msn.com/bingame/amad...t/atomaders.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/ImageUploader4.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...342/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE

O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norman NJeeves - Norman ASA - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE

O23 - Service: Norman ZANDA - Norman ASA - C:\VIRUSfighter\Npm\Bin\Zanda.exe

O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\VIRUSfighter\nse\bin\NSESVC.EXE

O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\VIRUSfighter\Nvc\bin\nvcoas.exe

O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O24 - Desktop Component 0: (no name) - http://www.mytelus.com/news_images/cp_hockey/h122264.jpg

--

End of file - 7625 bytes

Thank you again.


  • Root Admin

You have TOO many Anti-Virus products installed. You can only have one of them installed as they conflict with each other and can block each other from doing their job.

Please choose 1 Anti-Virus program and remove the others.

1. F-Secure AV

2. Norman AV

3. Shaw Secure AV

When you have chosen one and removed the others then make sure the one you keep is up to date.

Then run a NEW MBAM Quick Scan and Run Combofix again as well.


Hi,

The Shaw Secure and the F-Secure are the same antivirus program. I uninstalled it anyway. I cannot uninstall this Norman VIRUSfighter program; it will not uninstall on its own, and it doesn't show up in any uninstall programs I've tried. I think this VIRUSfighter program is the cause of some of the problems, I never installed the damn thing intentionally. Is there a way of getting rid of this thing? Thank you


Ok, I uninstalled a bunch of the programs to help clean this mess up. I think I've uninstalled the F-Secure and Shaw. It took me a while but I found an obscure post on how to uninstall VIRUSfighter, so I think I got it? I'm thinking blow out the antivirus programs completely, then install the F-Secure that comes with my internet provider? Again thank you for helping me!

ComboFix 09-05-22.05 - Laurier Martin 23/05/2009 16:11.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1161 [GMT -7:00]

Running from: c:\documents and settings\Laurier Martin\Desktop\ComboFix.exe

AV: VIRUSfighter ver. 5.99 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

.

((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))

.

2009-05-23 18:04 . 2009-05-23 18:04 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\VSRevoGroup

2009-05-23 16:33 . 2009-05-23 16:45 -------- d-----w c:\program files\VS Revo Group

2009-05-22 16:07 . 2009-05-22 16:07 -------- d-----w c:\program files\Trend Micro

2009-05-22 15:48 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-22 15:48 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-22 15:48 . 2009-05-22 15:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-20 02:55 . 2009-05-20 02:55 -------- d-----w c:\program files\Fighters

2009-05-20 02:55 . 2009-05-20 02:55 -------- d-----w c:\documents and settings\All Users\Application Data\Fighters

2009-05-15 00:33 . 2009-05-15 00:33 -------- d-----w c:\program files\Safer Networking

2009-05-08 14:53 . 2009-05-08 14:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-08 14:52 . 2009-05-08 14:52 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH

2009-05-08 14:28 . 2009-05-08 14:28 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit

2009-05-06 16:40 . 2009-05-06 16:40 390664 ----a-w c:\documents and settings\Laurie Bergen\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-23 17:58 . 2003-07-29 20:20 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-23 17:51 . 2007-01-11 05:49 -------- d-----w c:\program files\Activision

2009-05-23 17:40 . 2008-12-29 01:25 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\Skype

2009-05-23 17:40 . 2008-12-29 01:24 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-05-23 17:33 . 2008-07-25 20:53 -------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft

2009-05-23 17:33 . 2008-07-25 20:53 -------- d-----w c:\program files\ScanSoft

2009-05-23 17:29 . 2003-07-29 20:22 -------- d-----w c:\documents and settings\All Users\Application Data\QuickTime

2009-05-23 17:24 . 2008-07-25 20:55 -------- d-----w c:\program files\Nuance

2009-05-23 17:19 . 2003-07-29 20:23 -------- d-----w c:\program files\MUSICMATCH

2009-05-23 17:06 . 2008-09-25 22:45 -------- d-----w c:\program files\Living Books

2009-05-23 17:05 . 2006-11-05 19:33 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\Costco Photo Organizer

2009-05-23 17:05 . 2006-11-05 19:33 -------- d-----w c:\program files\Costco

2009-05-23 17:00 . 2007-10-11 02:53 -------- d-----w c:\program files\Camfrog

2009-05-23 16:55 . 2008-07-25 20:57 -------- d-----w c:\program files\Brother

2009-05-23 04:41 . 2008-05-02 15:13 -------- d-----w c:\program files\Shaw Secure

2009-05-23 04:35 . 2008-05-02 15:14 -------- d-----w c:\documents and settings\All Users\Application Data\F-Secure

2009-05-20 03:08 . 2006-07-08 21:36 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-17 03:37 . 2009-02-14 23:25 -------- d-----w c:\program files\Windows Live

2009-04-16 18:43 . 2008-07-28 19:41 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\PC-FAX TX

2009-04-10 21:12 . 2009-04-10 21:12 21419 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-04-10 21:10 . 2009-04-10 21:10 -------- d-----w c:\program files\Belkin

2009-04-01 01:35 . 2009-02-24 03:12 -------- d-----w c:\documents and settings\Laurie Bergen\Application Data\F-Secure

2009-03-31 01:30 . 2009-03-31 01:30 -------- d-----w c:\program files\Blitzz

2009-03-17 21:40 . 2009-03-17 21:40 307200 ----a-w c:\documents and settings\Laurie Bergen\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe

2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-12-08 00:37 826368 ----a-w c:\windows\system32\wininet.dll

2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w c:\windows\TWAIN.DLL

2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w c:\windows\twain_32.dll

2008-04-14 00:12 . 2002-08-29 10:00 57344 --sha-w c:\windows\SYSTEM32\msvcirt.dll

2008-04-14 00:12 . 2002-08-29 10:00 11776 --sha-w c:\windows\SYSTEM32\regsvr32.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-05-23_01.24.26 )))))))))))))))))))))))))))))))))))))))))

.

+ 2003-07-29 20:05 . 2009-05-23 04:34 65956 c:\windows\SYSTEM32\PERFC009.DAT

+ 2003-07-29 20:05 . 2009-05-23 04:34 411560 c:\windows\SYSTEM32\PERFH009.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\-

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-17 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-08 00:41 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" /splash

"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/02/2009 4:38 PM 10384]

S1 SuperMounter;SuperMounter; [x]

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\CtUsbMs.sys [08/10/2006 7:25 PM 14720]

S3 PCNat;PC-Nat Miniport;c:\windows\SYSTEM32\DRIVERS\pcnat.sys [09/03/2004 6:12 PM 30336]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\SYSTEM32\DRIVERS\rt2870.sys [28/07/2007 2:50 PM 517632]

S3 ZD1211U(Blitzz Technology Inc.);ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(Blitzz Technology Inc.);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [30/03/2009 6:30 PM 209408]

.

Contents of the 'Scheduled Tasks' folder

2003-08-07 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2003-08-07 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = proxy:8080

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-23 16:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

Completion time: 2009-05-23 16:17

ComboFix-quarantined-files.txt 2009-05-23 23:17

ComboFix2.txt 2009-05-23 18:22

ComboFix3.txt 2009-05-23 01:28

ComboFix4.txt 2008-07-19 21:30

Pre-Run: 85,943,697,408 bytes free

Post-Run: 85,921,476,608 bytes free

153 --- E O F --- 2009-05-15 10:03


  • Root Admin

The logs show that your Internet Explorer is set to use a Proxy Server at port 8080

This is very unlikely for a home computer. Please go into Tools/Internet Options/Connections and check all connections, write down the entries, and then remove any PROXY SETTINGS unless you specifically set them on purpose.

Then let's see if you can now download and run MBAM

STEP 01

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 02

Then delete your current copy of DDS and download and run a NEW copy of it.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

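As an added example that is not part of this thread and not code from Malwarebytes, DDS, HijackThis or ComboFix: a small Python triage script that pulls out of DDS/HijackThis-style log lines the three things the replies above key on, namely more than one real-time AV product (and any whose on-access scanner is off), an Internet Explorer ProxyServer value in the registry, and O23 services with no vendor string. The sample lines are constructed from the entries quoted in this thread; the regexes, function names and verdict wording are mine, and the parser assumes only the line shapes shown on this page.

```python
import re

# Constructed sample input, modelled on the DDS header and HijackThis lines
# quoted in this thread; it is not a real log file.
SAMPLE_LOG = r"""
AV: VIRUSfighter ver. 5.99 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Line shapes assumed from the logs on this page (the pattern names are mine).
AV_RE = re.compile(
    r"^AV: (?P<product>.+?) \*On-access scanning (?P<state>enabled|disabled)\*")
PROXY_RE = re.compile(
    r"^R1 - (?P<hive>HKCU|HKLM)\\.*Internet Settings,ProxyServer = (?P<proxy>\S+)")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text):
    """Pull the entries a first-pass reviewer keys on out of a DDS/HijackThis-style log."""
    findings = {
        "av_products": [],             # every real-time AV product DDS reported
        "av_disabled": [],             # those whose on-access scanner is off
        "proxies": [],                 # (hive, proxy) for any IE ProxyServer value
        "unknown_owner_services": [],  # (service name, path) with no vendor string
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:
            findings["av_products"].append(m.group("product"))
            if m.group("state") == "disabled":
                findings["av_disabled"].append(m.group("product"))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings["proxies"].append((m.group("hive"), m.group("proxy")))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings["unknown_owner_services"].append((m.group("name"), m.group("path")))
    return findings


def verdicts(findings):
    """Turn the findings into the short review notes a helper would post back."""
    notes = []
    if len(findings["av_products"]) > 1:
        notes.append("Multiple real-time AV products installed (%d): %s. Keep one, remove the rest."
                     % (len(findings["av_products"]), "; ".join(findings["av_products"])))
    for product in findings["av_disabled"]:
        notes.append("On-access scanning is disabled for: %s." % product)
    for hive, proxy in findings["proxies"]:
        notes.append("Internet Explorer proxy set in %s: %s. Unusual on a home PC; remove it unless set "
                     "on purpose, and check ProxyEnable in the same key, since unticking the box in "
                     "IE leaves the ProxyServer value in place." % (hive, proxy))
    for name, path in findings["unknown_owner_services"]:
        notes.append("Service with no vendor string: %s (%s). Verify the file's publisher or hash "
                     "before trusting it." % (name, path))
    return notes


if __name__ == "__main__":
    for note in verdicts(triage(SAMPLE_LOG)):
        print("-", note)
```

The proxy rule is the one worth keeping in mind when reading the next reply: HijackThis reports the ProxyServer value from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings regardless of whether the proxy is switched on (the ProxyEnable value in the same key), so an empty Connections dialog in IE and an R1 line still showing proxy:8080 are not contradictory, and only deleting the value (or clearing it in the LAN settings dialog) makes the R1 line go away.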

Hi,

Ok, I went to the Internet connections; there are no entries. This computer connects to the Internet wirelessly.

MBAM updated fine here is the log:

Malwarebytes' Anti-Malware 1.36

Database version: 2181

Windows 5.1.2600 Service Pack 3

26/05/2009 7:15:37 AM

mbam-log-2009-05-26 (07-15-37).txt

Scan type: Quick Scan

Objects scanned: 90733

Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:16:31 AM, on 26/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: AutorunsDisabled

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://sympatico.zone.msn.com/bingame/amad...t/atomaders.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/ImageUploader4.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...342/mcfscan.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O24 - Desktop Component 0: (no name) - http://www.mytelus.com/news_images/cp_hockey/h122264.jpg

--

End of file - 4612 bytes

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 06/08/2003 5:27:30 PM

System Uptime: 26/05/2009 7:07:04 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0M2035

Processor: Intel® Pentium® 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 80.298 GiB free.

D: is CDROM (CDFS)

E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP801: 26/02/2009 6:52:29 AM - System Checkpoint

RP802: 27/02/2009 7:28:22 AM - System Checkpoint

RP803: 28/02/2009 5:04:53 PM - System Checkpoint

RP804: 01/03/2009 8:21:12 PM - System Checkpoint

RP805: 02/03/2009 10:46:30 PM - System Checkpoint

RP806: 04/03/2009 2:44:25 PM - System Checkpoint

RP807: 05/03/2009 5:08:56 PM - System Checkpoint

RP808: 07/03/2009 6:26:39 AM - System Checkpoint

RP809: 08/03/2009 7:35:45 AM - System Checkpoint

RP810: 09/03/2009 9:58:42 AM - System Checkpoint

RP811: 10/03/2009 10:21:22 AM - System Checkpoint

RP812: 11/03/2009 2:00:23 AM - Software Distribution Service 3.0

RP813: 12/03/2009 2:58:43 PM - System Checkpoint

RP814: 13/03/2009 6:01:29 PM - System Checkpoint

RP815: 15/03/2009 4:00:28 PM - System Checkpoint

RP816: 16/03/2009 4:40:13 PM - System Checkpoint

RP817: 17/03/2009 5:49:54 PM - System Checkpoint

RP818: 19/03/2009 2:49:23 AM - System Checkpoint

RP819: 20/03/2009 3:00:57 AM - Software Distribution Service 3.0

RP820: 21/03/2009 5:15:38 AM - System Checkpoint

RP821: 23/03/2009 9:32:36 PM - System Checkpoint

RP822: 25/03/2009 9:29:20 AM - System Checkpoint

RP823: 26/03/2009 10:17:26 AM - System Checkpoint

RP824: 27/03/2009 5:00:20 PM - System Checkpoint

RP825: 29/03/2009 5:14:16 PM - System Checkpoint

RP826: 30/03/2009 5:36:33 PM - System Checkpoint

RP827: 30/03/2009 6:30:15 PM - Installed Blitzz 802.11g USB Adapter Utility

RP828: 30/03/2009 6:33:13 PM - Unsigned driver install

RP829: 30/03/2009 7:06:18 PM - Removed Blitzz 802.11g USB Adapter Utility

RP830: 30/03/2009 7:37:58 PM - Unsigned driver install

RP831: 31/03/2009 9:34:57 PM - System Checkpoint

RP832: 02/04/2009 5:15:15 PM - System Checkpoint

RP833: 03/04/2009 5:39:40 PM - System Checkpoint

RP834: 04/04/2009 9:26:37 PM - System Checkpoint

RP835: 05/04/2009 10:07:31 PM - System Checkpoint

RP836: 07/04/2009 3:34:53 PM - System Checkpoint

RP837: 08/04/2009 3:52:57 PM - System Checkpoint

RP838: 09/04/2009 8:30:22 PM - System Checkpoint

RP839: 10/04/2009 2:10:37 PM - Installed Belkin F5D8053 N Wireless USB Adapter

RP840: 11/04/2009 7:06:09 PM - System Checkpoint

RP841: 12/04/2009 7:18:01 PM - System Checkpoint

RP842: 13/04/2009 7:19:07 PM - System Checkpoint

RP843: 14/04/2009 8:17:27 PM - System Checkpoint

RP844: 15/04/2009 3:00:46 AM - Software Distribution Service 3.0

RP845: 16/04/2009 3:29:28 AM - System Checkpoint

RP846: 17/04/2009 9:22:37 PM - System Checkpoint

RP847: 18/04/2009 10:01:48 PM - System Checkpoint

RP848: 20/04/2009 4:07:21 AM - System Checkpoint

RP849: 21/04/2009 7:43:50 AM - System Checkpoint

RP850: 22/04/2009 9:15:30 AM - System Checkpoint

RP851: 23/04/2009 9:26:38 AM - System Checkpoint

RP852: 24/04/2009 9:33:44 AM - System Checkpoint

RP853: 25/04/2009 1:11:50 PM - System Checkpoint

RP854: 26/04/2009 1:40:16 PM - System Checkpoint

RP855: 27/04/2009 2:48:10 PM - System Checkpoint

RP856: 28/04/2009 3:26:05 PM - System Checkpoint

RP857: 29/04/2009 4:25:25 PM - System Checkpoint

RP858: 30/04/2009 3:01:25 AM - Software Distribution Service 3.0

RP859: 01/05/2009 4:55:10 AM - System Checkpoint

RP860: 02/05/2009 5:01:48 AM - System Checkpoint

RP861: 03/05/2009 1:31:59 PM - System Checkpoint

RP862: 04/05/2009 7:55:30 PM - System Checkpoint

RP863: 08/05/2009 7:14:17 PM - System Checkpoint

RP864: 14/05/2009 7:38:16 PM - Removed Bonjour

RP865: 14/05/2009 7:39:09 PM - Removed KhalInstallWrapper.

RP866: 22/05/2009 9:35:55 AM - System Checkpoint

RP867: 23/05/2009 9:34:09 AM - Revo Uninstaller's restore point - Arthur's Preschool

RP868: 23/05/2009 9:53:28 AM - Revo Uninstaller's restore point - BitTorrent

RP869: 23/05/2009 9:54:56 AM - Revo Uninstaller's restore point - Brother MFL-Pro Suite

RP870: 23/05/2009 9:55:29 AM - Removed Brother MFL-Pro Suite

RP871: 23/05/2009 9:56:10 AM - Revo Uninstaller's restore point - Call of Duty® 2

RP872: 23/05/2009 9:56:27 AM - Configured PRODUCT_NAME

RP873: 23/05/2009 10:00:11 AM - Revo Uninstaller's restore point - Camfrog Video Chat 5.1

RP874: 23/05/2009 10:01:23 AM - Revo Uninstaller's restore point - Call of Duty® 4 - Modern Warfare

RP875: 23/05/2009 10:01:44 AM - Configured Call of Duty® 4 - Modern Warfare

RP876: 23/05/2009 10:03:18 AM - Revo Uninstaller's restore point - Costco Photo Organizer

RP877: 23/05/2009 10:06:19 AM - Revo Uninstaller's restore point - Green Eggs and Ham

RP878: 23/05/2009 10:07:10 AM - Revo Uninstaller's restore point - iPod for Windows 2006-03-23

RP879: 23/05/2009 10:07:22 AM - Configured iPod for Windows 2006-03-23

RP880: 23/05/2009 10:10:10 AM - Revo Uninstaller's restore point - iTunes

RP881: 23/05/2009 10:12:35 AM - Revo Uninstaller's restore point - JumpStart Advanced Preschool

RP882: 23/05/2009 10:14:05 AM - Revo Uninstaller's restore point - JAlbum 7.4

RP883: 23/05/2009 10:15:25 AM - Revo Uninstaller's restore point - JumpStart Advanced School Time

RP884: 23/05/2009 10:16:39 AM - Revo Uninstaller's restore point - JumpStart Languages

RP885: 23/05/2009 10:17:56 AM - Revo Uninstaller's restore point - LimeWire 4.18.8

RP886: 23/05/2009 10:19:18 AM - Revo Uninstaller's restore point - MUSICMATCH


  • Root Admin

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only" and place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
  • O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  • O4 - Global Startup: AutorunsDisabled
  • O24 - Desktop Component 0: (no name) - http://www.mytelus.com/news_images/cp_hockey/h122264.jpg

Then Quit All Browsers including the one you're reading this in now.

Then click on Fix checked and then quit HJT

STEP 02

Click on START -> CONTROL PANEL -> Display -> Desktop -> Customize Desktop... -> Web tab

Then uncheck and delete everything you find in there (except for "My Current Home Page")

Remove the checkmark from the Lock Desktop Items box if it is checked.

Click OK and Exit the Display properties.

STEP 03

Without doing a lot of manual Registry work to remove VirusFighter it is probably easier to reinstall the product and then go to the Control Panel, Add/Remove and then remove the product and make sure you read the dialog boxes and select to remove all.

http://download.nl.spamfighter.com/virusfi...sfighter_en.exe

I think these folders are from the Virus Fighters program and when removed they probably should remove or be removed as well.

c:\program files\Fighters

c:\docume~1\alluse~1\applic~1\Fighters

STEP 04

This software is old and has updates to address security. I'd remove it and get the newer 9.1.1 from Adobe

Adobe Reader 7.1.0

DNA - This is Peer2Peer file sharing software. Just a warning that P2P software can easily infect your box. I'd recommend not using it or being very careful using it.

You appear to have 2 different versions of Spybot installed (if you wish to use it then I'd recommend removal of both, installing the latest version and getting their updates, but DO NOT use the Tea Timer just yet as it will block repairs, or just wait till we're done before reinstalling it)

Spybot - Search & Destroy

Spybot - Search & Destroy 1.5.2.20

STEP 05

These versions of Java have been exploited and need to be removed.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 3

J2SE Runtime Environment 5.0 Update 6

J2SE Runtime Environment 5.0 Update 9

Then run this tool to help clean up any leftover Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

STEP 06

Download and install CCleaner
  • Double-click on the downloaded file "ccsetup219.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 07

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
SuperMounter

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 08

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 13.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 13 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u13-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer
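The entries this post marks for "Fix checked" (a per-user ProxyServer setting, Run-key and Global Startup autoruns, and an O24 Active Desktop component) are the kinds of lines a reviewer scans a HijackThis log for first. The following is an added example, not HijackThis code and not the helper's own method: it parses a handful of log lines constructed from this thread and flags those categories. The TRUSTED_PREFIXES allow-list and the flagging rules are this example's own assumptions.

```python
"""Triage of HijackThis-style log entries.

Added example for this thread; it is not HijackThis code and its rules are
this example's own assumptions, not the forum helper's method.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the four entries the helper marks for "Fix checked" plus one
# benign O23 service line for contrast (paths copied from the thread's logs).
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy:8080
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O23 - Service: NBService - Nero AG - C:\\Program Files\\Nero\\Nero 7\\Nero BackItUp\\NBService.exe
O24 - Desktop Component 0: (no name) - http://www.mytelus.com/news_images/cp_hockey/h122264.jpg
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKCU\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")

# Assumption of this example: autoruns launched from these roots are treated as expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    kind: str     # HijackThis section code (R1, O4, O24, ...)
    reason: str   # why the entry was flagged
    line: str     # the original log line


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, body, original line) for each well-formed entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag the entry types a reviewer of this log looks at first."""
    findings = []
    for kind, body, line in parse_entries(text):
        if kind == "R1" and "ProxyServer" in body:
            # A proxy set in HKCU Internet Settings silently routes the user's
            # browsing through that host; an unexpected value is a classic hijack.
            value = body.split("=", 1)[1].strip()
            findings.append(Finding(kind, f"per-user proxy set to {value}", line))
        elif kind == "O4":
            if "Global Startup" in body:
                # Items in the all-users Startup folder run for every account.
                findings.append(Finding(kind, "global startup item", line))
            else:
                # "[name] <target>" -> check where the autorun target lives.
                m = re.search(r"\]\s*(?P<target>.+)$", body)
                target = m.group("target").strip() if m else ""
                if not target.lower().startswith(TRUSTED_PREFIXES):
                    findings.append(Finding(kind, f"autorun outside trusted roots: {target}", line))
        elif kind == "O24":
            # Active Desktop components pull remote web content at every logon.
            findings.append(Finding(kind, "Active Desktop web component present", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

On the sample, the proxy line, the Global Startup item and the O24 component are flagged; the ctfmon.exe Run entry is not, because its target sits under C:\WINDOWS. The helper still has it fixed along with the rest, which shows the limit of a path allow-list: it sorts entries for review, it does not decide for you.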

Hi,

Ok started down the list, was able to do steps 1, 2, 4 and 5. I reinstalled the Virusfighter......but it will not let me uninstall the dumb ass program. I tried to use the add/remove but it says error, program doesn't seem to be installed. So I thought I should stop till I get this out before I do the CCleaner step. Any ideas on how to blow this thing out? The uninstall file I found before doesn't work now.

Thx


  • Root Admin

Sorry about that some programs are just junk. Yes go ahead and use the CCleaner. It will remove unwanted junk.

Then run this scanner which will hopefully provide enough information to remove most of it.

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Ok I ran CCleaner. Here are the logs as requested.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 06/08/2003 5:27:30 PM

System Uptime: 26/05/2009 4:28:23 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0M2035

Processor: Intel® Pentium® 4 CPU 2.60GHz | Microprocessor | 2593/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 80.587 GiB free.

D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP801: 26/02/2009 6:52:29 AM - System Checkpoint

RP802: 27/02/2009 7:28:22 AM - System Checkpoint

RP803: 28/02/2009 5:04:53 PM - System Checkpoint

RP804: 01/03/2009 8:21:12 PM - System Checkpoint

RP805: 02/03/2009 10:46:30 PM - System Checkpoint

RP806: 04/03/2009 2:44:25 PM - System Checkpoint

RP807: 05/03/2009 5:08:56 PM - System Checkpoint

RP808: 07/03/2009 6:26:39 AM - System Checkpoint

RP809: 08/03/2009 7:35:45 AM - System Checkpoint

RP810: 09/03/2009 9:58:42 AM - System Checkpoint

RP811: 10/03/2009 10:21:22 AM - System Checkpoint

RP812: 11/03/2009 2:00:23 AM - Software Distribution Service 3.0

RP813: 12/03/2009 2:58:43 PM - System Checkpoint

RP814: 13/03/2009 6:01:29 PM - System Checkpoint

RP815: 15/03/2009 4:00:28 PM - System Checkpoint

RP816: 16/03/2009 4:40:13 PM - System Checkpoint

RP817: 17/03/2009 5:49:54 PM - System Checkpoint

RP818: 19/03/2009 2:49:23 AM - System Checkpoint

RP819: 20/03/2009 3:00:57 AM - Software Distribution Service 3.0

RP820: 21/03/2009 5:15:38 AM - System Checkpoint

RP821: 23/03/2009 9:32:36 PM - System Checkpoint

RP822: 25/03/2009 9:29:20 AM - System Checkpoint

RP823: 26/03/2009 10:17:26 AM - System Checkpoint

RP824: 27/03/2009 5:00:20 PM - System Checkpoint

RP825: 29/03/2009 5:14:16 PM - System Checkpoint

RP826: 30/03/2009 5:36:33 PM - System Checkpoint

RP827: 30/03/2009 6:30:15 PM - Installed Blitzz 802.11g USB Adapter Utility

RP828: 30/03/2009 6:33:13 PM - Unsigned driver install

RP829: 30/03/2009 7:06:18 PM - Removed Blitzz 802.11g USB Adapter Utility

RP830: 30/03/2009 7:37:58 PM - Unsigned driver install

RP831: 31/03/2009 9:34:57 PM - System Checkpoint

RP832: 02/04/2009 5:15:15 PM - System Checkpoint

RP833: 03/04/2009 5:39:40 PM - System Checkpoint

RP834: 04/04/2009 9:26:37 PM - System Checkpoint

RP835: 05/04/2009 10:07:31 PM - System Checkpoint

RP836: 07/04/2009 3:34:53 PM - System Checkpoint

RP837: 08/04/2009 3:52:57 PM - System Checkpoint

RP838: 09/04/2009 8:30:22 PM - System Checkpoint

RP839: 10/04/2009 2:10:37 PM - Installed Belkin F5D8053 N Wireless USB Adapter

RP840: 11/04/2009 7:06:09 PM - System Checkpoint

RP841: 12/04/2009 7:18:01 PM - System Checkpoint

RP842: 13/04/2009 7:19:07 PM - System Checkpoint

RP843: 14/04/2009 8:17:27 PM - System Checkpoint

RP844: 15/04/2009 3:00:46 AM - Software Distribution Service 3.0

RP845: 16/04/2009 3:29:28 AM - System Checkpoint

RP846: 17/04/2009 9:22:37 PM - System Checkpoint

RP847: 18/04/2009 10:01:48 PM - System Checkpoint

RP848: 20/04/2009 4:07:21 AM - System Checkpoint

RP849: 21/04/2009 7:43:50 AM - System Checkpoint

RP850: 22/04/2009 9:15:30 AM - System Checkpoint

RP851: 23/04/2009 9:26:38 AM - System Checkpoint

RP852: 24/04/2009 9:33:44 AM - System Checkpoint

RP853: 25/04/2009 1:11:50 PM - System Checkpoint

RP854: 26/04/2009 1:40:16 PM - System Checkpoint

RP855: 27/04/2009 2:48:10 PM - System Checkpoint

RP856: 28/04/2009 3:26:05 PM - System Checkpoint

RP857: 29/04/2009 4:25:25 PM - System Checkpoint

RP858: 30/04/2009 3:01:25 AM - Software Distribution Service 3.0

RP859: 01/05/2009 4:55:10 AM - System Checkpoint

RP860: 02/05/2009 5:01:48 AM - System Checkpoint

RP861: 03/05/2009 1:31:59 PM - System Checkpoint

RP862: 04/05/2009 7:55:30 PM - System Checkpoint

RP863: 08/05/2009 7:14:17 PM - System Checkpoint

RP864: 14/05/2009 7:38:16 PM - Removed Bonjour

RP865: 14/05/2009 7:39:09 PM - Removed KhalInstallWrapper.

RP866: 22/05/2009 9:35:55 AM - System Checkpoint

RP867: 23/05/2009 9:34:09 AM - Revo Uninstaller's restore point - Arthur's Preschool

RP868: 23/05/2009 9:53:28 AM - Revo Uninstaller's restore point - BitTorrent

RP869: 23/05/2009 9:54:56 AM - Revo Uninstaller's restore point - Brother MFL-Pro Suite

RP870: 23/05/2009 9:55:29 AM - Removed Brother MFL-Pro Suite

RP871: 23/05/2009 9:56:10 AM - Revo Uninstaller's restore point - Call of Duty® 2

RP872: 23/05/2009 9:56:27 AM - Configured PRODUCT_NAME

RP873: 23/05/2009 10:00:11 AM - Revo Uninstaller's restore point - Camfrog Video Chat 5.1

RP874: 23/05/2009 10:01:23 AM - Revo Uninstaller's restore point - Call of Duty® 4 - Modern Warfare

RP875: 23/05/2009 10:01:44 AM - Configured Call of Duty® 4 - Modern Warfare

RP876: 23/05/2009 10:03:18 AM - Revo Uninstaller's restore point - Costco Photo Organizer

RP877: 23/05/2009 10:06:19 AM - Revo Uninstaller's restore point - Green Eggs and Ham

RP878: 23/05/2009 10:07:10 AM - Revo Uninstaller's restore point - iPod for Windows 2006-03-23

RP879: 23/05/2009 10:07:22 AM - Configured iPod for Windows 2006-03-23

RP880: 23/05/2009 10:10:10 AM - Revo Uninstaller's restore point - iTunes

RP881: 23/05/2009 10:12:35 AM - Revo Uninstaller's restore point - JumpStart Advanced Preschool

RP882: 23/05/2009 10:14:05 AM - Revo Uninstaller's restore point - JAlbum 7.4

RP883: 23/05/2009 10:15:25 AM - Revo Uninstaller's restore point - JumpStart Advanced School Time

RP884: 23/05/2009 10:16:39 AM - Revo Uninstaller's restore point - JumpStart Languages

RP885: 23/05/2009 10:17:56 AM - Revo Uninstaller's restore point - LimeWire 4.18.8

RP886: 23/05/2009 10:19:18 AM - Revo Uninstaller's restore point - MUSICMATCH


  • Root Admin

Okay please delete your current copy of Combofix.exe or honey.exe and download a new fresh copy.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

Then rename Combofix.exe to LASKO.EXE and run it and post back the log and we'll do some manual removal of stuff.


Ok, here you go.

ComboFix 09-05-26.02 - Laurier Martin 26/05/2009 17:43.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1134 [GMT -7:00]

Running from: c:\documents and settings\Laurier Martin\Desktop\LASKO.exe

AV: VIRUSfighter ver. 5.99 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

.

((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))

.

2009-05-26 22:00 . 2009-05-26 22:00 -------- d-----w c:\program files\CCleaner

2009-05-26 21:31 . 2009-05-26 21:31 -------- d-----w C:\VIRUSfighter

2009-05-24 02:44 . 2009-05-24 02:44 -------- d-----w c:\documents and settings\Laurie Bergen\Application Data\Malwarebytes

2009-05-24 01:58 . 2009-05-26 15:55 -------- d-----w c:\documents and settings\Laurier Martin\Tracing

2009-05-23 18:04 . 2009-05-23 18:04 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\VSRevoGroup

2009-05-23 16:33 . 2009-05-23 16:45 -------- d-----w c:\program files\VS Revo Group

2009-05-22 16:07 . 2009-05-22 16:07 -------- d-----w c:\program files\Trend Micro

2009-05-22 15:48 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-22 15:48 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-22 15:48 . 2009-05-22 15:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-20 02:55 . 2009-05-20 02:55 -------- d-----w c:\program files\Fighters

2009-05-20 02:55 . 2009-05-20 02:55 -------- d-----w c:\documents and settings\All Users\Application Data\Fighters

2009-05-15 00:33 . 2009-05-15 00:33 -------- d-----w c:\program files\Safer Networking

2009-05-08 14:53 . 2009-05-08 14:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-08 14:52 . 2009-05-08 14:52 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH

2009-05-08 14:28 . 2009-05-08 14:28 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit

2009-05-06 16:40 . 2009-05-06 16:40 390664 ----a-w c:\documents and settings\Laurie Bergen\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-26 21:26 . 2006-07-08 21:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-05-23 17:58 . 2003-07-29 20:20 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-23 17:51 . 2007-01-11 05:49 -------- d-----w c:\program files\Activision

2009-05-23 17:40 . 2008-12-29 01:25 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\Skype

2009-05-23 17:40 . 2008-12-29 01:24 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-05-23 17:33 . 2008-07-25 20:53 -------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft

2009-05-23 17:33 . 2008-07-25 20:53 -------- d-----w c:\program files\ScanSoft

2009-05-23 17:29 . 2003-07-29 20:22 -------- d-----w c:\documents and settings\All Users\Application Data\QuickTime

2009-05-23 17:24 . 2008-07-25 20:55 -------- d-----w c:\program files\Nuance

2009-05-23 17:19 . 2003-07-29 20:23 -------- d-----w c:\program files\MUSICMATCH

2009-05-23 17:06 . 2008-09-25 22:45 -------- d-----w c:\program files\Living Books

2009-05-23 17:05 . 2006-11-05 19:33 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\Costco Photo Organizer

2009-05-23 17:05 . 2006-11-05 19:33 -------- d-----w c:\program files\Costco

2009-05-23 17:00 . 2007-10-11 02:53 -------- d-----w c:\program files\Camfrog

2009-05-23 16:55 . 2008-07-25 20:57 -------- d-----w c:\program files\Brother

2009-05-23 04:41 . 2008-05-02 15:13 -------- d-----w c:\program files\Shaw Secure

2009-05-23 04:35 . 2008-05-02 15:14 -------- d-----w c:\documents and settings\All Users\Application Data\F-Secure

2009-04-17 03:37 . 2009-02-14 23:25 -------- d-----w c:\program files\Windows Live

2009-04-16 18:43 . 2008-07-28 19:41 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\PC-FAX TX

2009-04-10 21:12 . 2009-04-10 21:12 21419 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-04-10 21:10 . 2009-04-10 21:10 -------- d-----w c:\program files\Belkin

2009-04-01 01:35 . 2009-02-24 03:12 -------- d-----w c:\documents and settings\Laurie Bergen\Application Data\F-Secure

2009-03-31 01:30 . 2009-03-31 01:30 -------- d-----w c:\program files\Blitzz

2009-03-17 21:40 . 2009-03-17 21:40 307200 ----a-w c:\documents and settings\Laurie Bergen\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe

2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-12-08 00:37 826368 ----a-w c:\windows\system32\wininet.dll

2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w c:\windows\TWAIN.DLL

2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w c:\windows\twain_32.dll

2008-04-14 00:12 . 2002-08-29 10:00 57344 --sha-w c:\windows\SYSTEM32\msvcirt.dll

2008-04-14 00:12 . 2002-08-29 10:00 11776 --sha-w c:\windows\SYSTEM32\regsvr32.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-05-23_01.24.26 )))))))))))))))))))))))))))))))))))))))))

.

+ 2003-07-29 20:05 . 2009-05-23 04:34 65956 c:\windows\SYSTEM32\PERFC009.DAT

+ 2003-07-29 20:05 . 2009-05-23 04:34 411560 c:\windows\SYSTEM32\PERFH009.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Norman ZANDA"="c:\virusfighter\bin\ZLH.EXE" [2005-05-25 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-08 00:41 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" /splash

"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\StubInstaller.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/02/2009 4:38 PM 10384]

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\SYSTEM32\DRIVERS\rt2870.sys [28/07/2007 2:50 PM 517632]

S1 SuperMounter;SuperMounter; [x]

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\CtUsbMs.sys [08/10/2006 7:25 PM 14720]

S3 PCNat;PC-Nat Miniport;c:\windows\SYSTEM32\DRIVERS\pcnat.sys [09/03/2004 6:12 PM 30336]

S3 ZD1211U(Blitzz Technology Inc.);ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(Blitzz Technology Inc.);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [30/03/2009 6:30 PM 209408]

.

Contents of the 'Scheduled Tasks' folder

2003-08-07 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2003-08-07 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-26 17:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

Completion time: 2009-05-27 17:48

ComboFix-quarantined-files.txt 2009-05-27 00:48

ComboFix2.txt 2009-05-23 23:17

ComboFix3.txt 2009-05-23 18:22

ComboFix4.txt 2009-05-23 01:28

ComboFix5.txt 2009-05-27 00:42

Pre-Run: 86,540,234,752 bytes free

Post-Run: 86,530,035,712 bytes free

159 --- E O F --- 2009-05-15 10:03

Thank You

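The service lines in the ComboFix log above (for example "S1 SuperMounter;SuperMounter; [x]") are what the helper's earlier CFscript, with its "Driver::" section naming SuperMounter, acts on: a service or driver still registered in the registry whose binary is no longer on disk. The following is an added example, not ComboFix's code or its author's method. It parses a few service lines copied from this log, picks out entries whose image file is missing, and emits the Driver:: section for them. Reading the "[x]" marker as "binary not found", and the R/S plus start-type prefix layout, are this example's assumptions about the log format.

```python
"""Reading the service/driver lines of a ComboFix log and building the matching
CFScript removal directive.

Added example for this thread; it is not ComboFix or its author's code. The
"[x]" marker is treated as "image file not found", which is this example's
assumption about the log format.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the service section of the posted log.
SAMPLE_SERVICES = """\
R2 LBeepKE;LBeepKE;c:\\windows\\SYSTEM32\\DRIVERS\\LBeepKE.sys [17/02/2009 4:38 PM 10384]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\\windows\\SYSTEM32\\DRIVERS\\rt2870.sys [28/07/2007 2:50 PM 517632]
S1 SuperMounter;SuperMounter; [x]
S3 CtUsbMs;Creative HID USB Filter Driver;c:\\windows\\SYSTEM32\\DRIVERS\\CtUsbMs.sys [08/10/2006 7:25 PM 14720]
"""

# Assumed layout: "<R|S><start type> <name>;<display name>;<image path> [<timestamp size> | x]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]$"
)

# Windows service start types (SERVICE_BOOT_START .. SERVICE_DISABLED).
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    name: str            # registry key name under Services
    display: str         # display name shown in the log
    path: str            # image path, empty when the log shows none
    running: bool        # R = running, S = stopped
    start_type: str      # decoded start type
    binary_missing: bool # "[x]" in place of timestamp/size


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every line that matches the service layout; ignore the rest."""
    entries = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            name=m.group("name"),
            display=m.group("display"),
            path=m.group("path").strip(),
            running=m.group("state") == "R",
            start_type=START_TYPES.get(m.group("start"), m.group("start")),
            binary_missing=m.group("info").strip() == "x",
        ))
    return entries


def orphaned_drivers(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registered services whose image file is gone: an uninstall left the
    registry entry behind, or the binary was removed by an earlier scan."""
    return [e for e in entries if e.binary_missing or not e.path]


def build_cfscript(orphans: List[ServiceEntry]) -> str:
    """Emit the KILLALL::/Driver:: directives in the form the helper posted."""
    lines = ["KILLALL::", "", "Driver::"]
    lines.extend(e.name for e in orphans)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = orphaned_drivers(parse_services(SAMPLE_SERVICES))
    for e in found:
        print(f"{e.name}: {e.start_type} start, {'running' if e.running else 'stopped'}, image missing")
    print(build_cfscript(found))
```

Only SuperMounter is reported: a system-start driver that is registered but stopped and has no image file, which is exactly the entry the helper's CFscript retires. Entries whose binary exists are left alone even when stopped, so the script does not propose removing drivers that are merely idle.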

  • Root Admin

Well not enough information to remove a lot of those junk AV files. Please run this and then I'll take a look at it later tonight and provide you with some removal instructions.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program OTListIt2.exe to your desktop.

  • Close all applications and windows so that you have nothing open and are at your Desktop
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked and the 'File Age:' at 30 days)
  • Click the Run Scan button
  • NOTE: Please be patient and let the scan run without using the computer
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Right-click paste.
  • Submit your reply and close the Notepad window with OTList.txt
  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right-click paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 48 hours, feel free to PM me.


Here you go.

OTListIt logfile created on: 26/05/2009 6:49:29 PM - Run 1

OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Laurier Martin\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 73.73% Memory free

2.86 Gb Paging File | 2.67 Gb Available in Paging File | 93.65% Paging File free

Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.73 Gb Total Space | 80.61 Gb Free Space | 72.15% Space Free | Partition Type: NTFS

Drive D: | 2.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LAURIE

Current User Name: Laurier Martin

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/01/13 21:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe

PRC - [2009/01/13 21:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe

PRC - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2007/11/26 15:54:12 | 01,554,728 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

PRC - [2005/05/31 15:45:30 | 00,176,128 | ---- | M] () -- C:\VIRUSfighter\Bin\Zanda.exe

PRC - [2004/08/11 02:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe

PRC - [2005/01/12 10:57:56 | 00,143,360 | ---- | M] () -- C:\VIRUSfighter\bin\NJEEVES.EXE

PRC - [2008/04/13 17:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe

PRC - [2005/05/25 13:11:16 | 00,135,168 | ---- | M] () -- C:\VIRUSfighter\bin\ZLH.EXE

PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2009/05/26 18:48:25 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Laurier Martin\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

SRV - [2009/01/13 21:34:00 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])

SRV - [2009/01/13 22:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])

SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2008/07/19 10:33:06 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist [On_Demand | Stopped])

SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])

SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

SRV - [2007/11/26 15:54:12 | 01,554,728 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv [Auto | Running])

SRV - [2008/11/07 17:40:52 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ [On_Demand | Stopped])

SRV - [2007/11/28 11:27:24 | 00,800,040 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])

SRV - [2003/03/03 11:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])

SRV - [2007/06/27 19:04:00 | 00,279,848 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])

SRV - [2005/01/12 10:57:56 | 00,143,360 | ---- | M] () -- C:\VIRUSfighter\bin\NJEEVES.EXE -- (Norman NJeeves [On_Demand | Running])

SRV - [2005/05/31 15:45:30 | 00,176,128 | ---- | M] () -- C:\VIRUSfighter\Bin\Zanda.exe -- (Norman ZANDA [Auto | Running])

SRV - [2004/08/11 02:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

SRV - [2004/08/11 01:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) -- c:\program files\windows media connect\mswmccds.exe -- (WmcCds [unknown | Stopped])

SRV - [2004/08/10 22:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2002/04/01 14:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])

DRV - [2009/04/10 14:12:08 | 00,021,419 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])

DRV - [2001/08/17 11:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])

DRV - [2008/04/13 11:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])

DRV - [2001/08/17 11:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])

DRV - [2001/08/17 11:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])

DRV - [2009/01/14 00:14:01 | 03,455,488 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])

DRV - [2004/10/15 12:50:20 | 00,015,295 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])

DRV - [2006/12/12 11:28:26 | 00,052,224 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrSerIf.sys -- (BrSerIf [On_Demand | Stopped])

DRV - [2006/09/03 09:53:54 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbSer.sys -- (BrUsbSer [On_Demand | Stopped])

DRV - File not found -- -- (catchme [Disabled | Running])

DRV - [2006/08/09 21:08:42 | 00,062,288 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [system | Running])

DRV - [2006/08/09 21:08:42 | 00,023,436 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [system | Running])

DRV - [2006/08/09 21:08:43 | 00,241,280 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp [system | Stopped])

DRV - [2001/08/17 11:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])

DRV - [2005/10/26 18:30:00 | 00,014,720 | ---- | M] (Creative Technology Pte Ltd) -- C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys -- (CtUsbMs [On_Demand | Stopped])

DRV - [2001/08/17 11:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])

DRV - [2003/03/04 12:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])

DRV - [2001/08/17 10:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\System32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])

DRV - [2008/01/29 12:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

DRV - [2002/10/29 14:38:10 | 00,170,499 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])

DRV - [2002/10/29 14:37:36 | 01,175,536 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])

DRV - [2004/08/03 22:29:36 | 00,161,020 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Stopped])

DRV - [2004/08/03 22:29:37 | 00,012,415 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV01nt.sys -- (iAimFP0 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:37 | 00,012,127 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV02NT.sys -- (iAimFP1 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:37 | 00,011,775 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV05NT.sys -- (iAimFP2 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:47 | 00,012,063 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys -- (iAimFP3 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:49 | 00,019,455 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys -- (iAimFP4 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:41 | 00,029,311 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV01nt.sys -- (iAimTV0 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:42 | 00,019,551 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV02NT.sys -- (iAimTV1 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:43 | 00,033,599 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV04nt.sys -- (iAimTV3 [On_Demand | Stopped])

DRV - [2004/08/03 22:29:45 | 00,023,615 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys -- (iAimTV4 [On_Demand | Stopped])

DRV - [2007/11/26 15:54:02 | 00,118,952 | ---- | M] (Nero AG) -- C:\WINDOWS\system32\drivers\InCDFs.sys -- (InCDfs [Disabled | Running])

DRV - [2007/11/26 15:54:12 | 00,036,776 | ---- | M] (Nero AG) -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass [system | Running])

DRV - [2007/11/26 15:54:12 | 00,038,440 | ---- | M] (Nero AG) -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm [system | Running])

DRV - [2008/09/26 10:52:00 | 00,020,240 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])

DRV - [2008/09/26 10:52:00 | 00,063,248 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\Drivers\L8042mou.sys -- (L8042mou [On_Demand | Running])

DRV - [2008/09/26 10:52:00 | 00,010,384 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\Drivers\LBeepKE.sys -- (LBeepKE [Auto | Running])

DRV - [2008/09/26 10:53:00 | 00,079,120 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\LMouKE.Sys -- (LMouKE [On_Demand | Running])

DRV - [2005/03/10 13:08:40 | 00,014,592 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\drivers\LUsbKbd.sys -- (LUsbKbd [On_Demand | Stopped])

DRV - [2004/08/03 22:41:55 | 00,011,868 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])

DRV - [2001/08/17 11:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])

DRV - [2001/08/17 11:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])

DRV - [2002/11/08 11:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\System32\DRIVERS\omci.sys -- (omci [system | Running])

DRV - [2003/03/26 13:51:52 | 00,030,336 | ---- | M] (JDSoft Inc.) -- C:\WINDOWS\System32\DRIVERS\pcnat.sys -- (PCNat [On_Demand | Stopped])

DRV - [2002/08/29 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])

DRV - [2003/06/27 11:05:38 | 00,472,332 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LVCM.sys -- (QCMerced [On_Demand | Stopped])

DRV - [2001/08/17 11:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])

DRV - [2001/08/17 11:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])

DRV - [2001/08/17 11:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])

DRV - [2007/07/28 14:50:36 | 00,517,632 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\system32\DRIVERS\rt2870.sys -- (rt2870 [On_Demand | Running])

DRV - [2008/01/15 22:50:52 | 00,459,520 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\system32\DRIVERS\Dr71WU.sys -- (RT73 [On_Demand | Stopped])

DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])

DRV - [2008/04/13 11:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])

DRV - [2003/02/28 10:17:18 | 00,545,024 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])

DRV - [2001/08/17 14:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])

DRV - [2001/08/17 12:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])

DRV - [2001/08/17 12:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])

DRV - [2001/08/17 12:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])

DRV - [2001/08/17 12:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])

DRV - [2001/08/17 12:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])

DRV - [2006/08/09 21:08:43 | 00,206,464 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [system | Running])

DRV - [2001/08/17 11:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])

DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])

DRV - [2002/10/29 14:31:28 | 00,604,240 | ---- | M] (Conexant Systems) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

DRV - [2004/03/31 17:49:34 | 00,209,408 | R--- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\system32\DRIVERS\zd1211u.sys -- (ZD1211U(Blitzz Technology Inc.) [On_Demand | Stopped])

DRV - [2004/01/14 11:30:00 | 00,017,151 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\ZDPNDIS5.SYS -- (ZDPNDIS5 [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\S-1-5-21-2216547981-3837015729-2769555212-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O3 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found

O4 - HKLM..\Run: [Norman ZANDA] C:\VIRUSfighter\bin\ZLH.EXE /LOAD /SPLASH ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O7 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\S-1-5-21-2216547981-3837015729-2769555212-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKU\.DEFAULT\..Trusted Domains: 42 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-18\..Trusted Domains: 42 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-19\..Trusted Domains: 87 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-20\..Trusted Domains: 87 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)

O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} http://sympatico.zone.msn.com/bingame/amad...t/atomaders.cab (AtlAtomadersCtlAttrib Class)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Value error.)

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-secure.com/ols/fscax.cab (F-Secure Online Scanner 3.3)

O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab (F-Secure Online Scanner 4.0 Launcher)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://photoshare.shaw.ca/files/ImageUploader4.cab (Image Uploader Control)

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/...342/mcfscan.cab (McFreeScan Class)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2002/09/03 06:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - * [2009/05/26 18:48:25 | 00,000,000 | R--D | M]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]

[2009/05/26 18:48:22 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Laurier Martin\Desktop\OTListIt2.exe

[2009/05/26 17:48:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp

[2009/05/26 17:48:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Laurier Martin\Local Settings\temp

[2009/05/26 17:42:17 | 02,999,490 | R--- | C] () -- C:\Documents and Settings\Laurier Martin\Desktop\LASKO.exe

[2009/05/26 15:00:49 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Laurier Martin\Desktop\CCleaner.lnk

[2009/05/26 15:00:49 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2009/05/26 14:31:43 | 00,000,000 | ---D | C] -- C:\VIRUSfighter

[2009/05/26 07:17:42 | 00,359,883 | ---- | C] () -- C:\Documents and Settings\Laurier Martin\Desktop\dds.scr

[2009/05/23 11:04:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Laurier Martin\Application Data\VSRevoGroup

[2009/05/23 10:42:47 | 00,000,945 | ---- | C] () -- C:\Documents and Settings\Laurier Martin\Desktop\Run Hunter Mode.lnk

[2009/05/23 09:51:31 | 16,096,33792 | -HS- | C] () -- C:\hiberfil.sys

[2009/05/23 09:33:07 | 00,000,917 | ---- | C] () -- C:\Documents and Settings\Laurier Martin\Desktop\Revo Uninstaller.lnk

[2009/05/23 09:33:06 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group

[2009/05/22 18:07:02 | 00,000,211 | ---- | C] () -- C:\Boot.bak

[2009/05/22 18:06:59 | 00,260,272 | ---- | C] () -- C:\cmldr

[2009/05/22 18:06:57 | 00,000,000 | RHSD | C] -- C:\cmdcons

[2009/05/22 17:55:23 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/05/22 17:55:23 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/05/22 17:55:23 | 00,154,624 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/05/22 17:55:23 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/05/22 17:55:23 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/05/22 17:55:23 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/05/22 17:55:23 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/05/22 09:07:39 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\Laurier Martin\Desktop\HijackThis.lnk

[2009/05/22 09:07:38 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/05/22 09:07:28 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Laurier Martin\Desktop\HJTInstall.exe

[2009/05/22 08:48:19 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/05/22 08:48:19 | 00,000,714 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/05/22 08:48:16 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/05/22 08:48:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/05/22 08:47:59 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laurier Martin\Desktop\mbam-setup.exe

[2009/05/19 19:55:57 | 00,000,000 | ---D | C] -- C:\Program Files\Fighters

[2009/05/19 19:55:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fighters

[2009/05/15 03:03:05 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2009/05/14 19:38:18 | 00,000,000 | -HSD | C] -- C:\Config.Msi

[2009/05/14 17:33:01 | 00,000,000 | ---D | C] -- C:\Program Files\Safer Networking

[2009/05/08 07:53:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/05/07 21:18:38 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laurier Martin\My Documents\mbam-setup.exe

[2009/03/30 18:30:15 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll

[2009/01/18 15:24:53 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2009/01/08 16:38:52 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/07/25 14:01:03 | 00,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI

[2008/07/25 14:01:03 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI

[2008/07/25 13:59:34 | 00,000,881 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini

[2008/07/25 13:59:34 | 00,000,153 | ---- | C] () -- C:\WINDOWS\brpcfx.ini

[2008/07/25 13:57:31 | 00,000,009 | ---- | C] () -- C:\WINDOWS\Brfaxrx.ini

[2008/07/25 13:57:28 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll

[2008/07/25 13:55:03 | 00,031,567 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2008/05/24 21:46:15 | 00,000,049 | ---- | C] () -- C:\WINDOWS\Navigator.INI

[2008/05/24 09:30:45 | 00,000,045 | ---- | C] () -- C:\WINDOWS\System32\RPVersion.ini

[2008/05/19 15:57:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\_Nobeltec.INI

[2008/04/28 21:59:55 | 00,000,080 | ---- | C] () -- C:\WINDOWS\SuperUtil.ini

[2007/12/11 11:03:47 | 00,001,733 | ---- | C] () -- C:\WINDOWS\TSearch.INI

[2007/08/02 11:42:28 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2007/01/10 21:36:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\acroread.ini

[2007/01/08 23:20:43 | 00,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

[2006/07/13 06:36:36 | 01,167,360 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll

[2006/05/16 21:06:09 | 00,000,084 | ---- | C] () -- C:\WINDOWS\netdet.ini

[2006/02/02 23:45:22 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll

[2005/08/31 12:43:32 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll

[2005/06/28 09:29:00 | 00,000,037 | ---- | C] () -- C:\WINDOWS\kbrick32.ini

[2005/06/28 09:29:00 | 00,000,037 | ---- | C] () -- C:\WINDOWS\bricks32.ini

[2005/02/04 11:42:14 | 00,000,029 | ---- | C] () -- C:\WINDOWS\RRK.INI

[2005/02/04 11:42:01 | 00,000,106 | ---- | C] () -- C:\WINDOWS\E-REGTLC.INI

[2005/02/04 11:41:36 | 00,000,062 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI

[2005/02/03 20:23:57 | 00,000,155 | ---- | C] () -- C:\WINDOWS\KA.INI

[2005/02/03 20:16:25 | 00,000,416 | ---- | C] () -- C:\WINDOWS\hegames.ini

[2005/01/28 18:36:51 | 00,000,020 | ---- | C] () -- C:\WINDOWS\btw.ini

[2005/01/28 18:32:13 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

[2005/01/28 18:29:18 | 00,000,057 | ---- | C] () -- C:\WINDOWS\viewer.ini

[2005/01/28 18:29:15 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL

[2005/01/28 18:29:03 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll

[2005/01/21 16:43:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI

[2005/01/17 19:24:31 | 00,000,033 | ---- | C] () -- C:\WINDOWS\LVMMail.INI

[2005/01/17 15:31:46 | 00,000,437 | ---- | C] () -- C:\WINDOWS\disney.ini

[2004/12/27 19:55:00 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2004/09/14 08:58:36 | 00,002,628 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini

[2004/02/12 22:25:25 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

[2004/01/27 12:22:49 | 00,090,225 | ---- | C] () -- C:\WINDOWS\iaxclient.dll

[2003/10/25 20:46:27 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll

[2003/10/23 16:53:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Unsetup.INI

[2003/10/08 14:34:26 | 00,121,440 | ---- | C] () -- C:\WINDOWS\System32\MSDRMCtrl.dll

[2003/09/07 14:52:03 | 00,000,651 | ---- | C] () -- C:\WINDOWS\Sierra.ini

[2003/09/06 11:34:47 | 00,000,223 | ---- | C] () -- C:\WINDOWS\HP PrecisionScan Pro.INI

[2003/08/27 17:37:09 | 00,157,184 | ---- | C] () -- C:\WINDOWS\System32\Vrazrar.dll

[2003/08/27 17:37:09 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\Vrazace.dll

[2003/08/27 17:26:31 | 00,023,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\NaiFiltr.sys

[2003/08/22 10:21:21 | 00,000,220 | ---- | C] () -- C:\WINDOWS\kodakpcd.Laurier Martin.ini

[2003/08/12 13:23:08 | 00,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll

[2003/08/12 13:23:08 | 00,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini

[2003/08/08 17:00:29 | 00,000,478 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2003/08/07 19:16:47 | 00,000,092 | ---- | C] () -- C:\WINDOWS\MFPD.INI

[2003/08/07 18:51:55 | 00,000,030 | ---- | C] () -- C:\WINDOWS\Morpheus.INI

[2003/08/07 11:52:06 | 00,000,028 | ---- | C] () -- C:\WINDOWS\qbwcd.ini

[2003/08/07 11:50:15 | 00,001,454 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2003/08/06 21:33:43 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2003/07/29 13:26:51 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2003/07/29 13:24:41 | 00,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI

[2003/07/29 13:22:02 | 00,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini

[2003/07/29 13:22:00 | 00,000,599 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2003/07/29 13:17:11 | 00,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2003/07/29 12:53:18 | 00,000,546 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2003/02/03 03:26:18 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

[2003/01/07 21:57:37 | 00,014,938 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini

[2002/09/03 06:59:58 | 00,001,339 | ---- | C] () -- C:\WINDOWS\WIN.INI

[2002/09/03 06:50:58 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2000/04/14 16:50:02 | 00,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll

[1999/07/23 13:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini

[1999/07/23 10:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

[1999/07/05 03:00:00 | 00,075,346 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll

[1999/01/22 11:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

[1998/06/11 13:08:06 | 00,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]

[2009/05/26 18:48:25 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Laurier Martin\Desktop\OTListIt2.exe

[2009/05/26 17:48:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/05/26 17:46:42 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/05/26 17:42:17 | 02,999,490 | R--- | M] () -- C:\Documents and Settings\Laurier Martin\Desktop\LASKO.exe

[2009/05/26 16:36:15 | 00,359,883 | ---- | M] () -- C:\Documents and Settings\Laurier Martin\Desktop\dds.scr

[2009/05/26 16:29:19 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL

[2009/05/26 16:29:11 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Laurier Martin\Local Settings\DESKTOP.INI

[2009/05/26 16:28:53 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT

[2009/05/26 16:28:47 | 16,096,33792 | -HS- | M] () -- C:\hiberfil.sys

[2009/05/26 15:00:49 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Laurier Martin\Desktop\CCleaner.lnk

[2009/05/24 16:01:49 | 00,154,624 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2009/05/23 10:15:29 | 00,000,155 | ---- | M] () -- C:\WINDOWS\KA.INI

[2009/05/23 09:55:32 | 00,000,009 | ---- | M] () -- C:\WINDOWS\Brfaxrx.ini

[2009/05/23 09:33:07 | 00,000,945 | ---- | M] () -- C:\Documents and Settings\Laurier Martin\Desktop\Run Hunter Mode.lnk

[2009/05/23 09:33:07 | 00,000,917 | ---- | M] () -- C:\Documents and Settings\Laurier Martin\Desktop\Revo Uninstaller.lnk

[2009/05/22 21:34:47 | 00,411,560 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT

[2009/05/22 21:34:47 | 00,065,956 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT

[2009/05/22 18:23:00 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts

[2009/05/22 18:07:02 | 00,000,281 | RHS- | M] () -- C:\BOOT.INI

[2009/05/22 09:07:39 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\Laurier Martin\Desktop\HijackThis.lnk

[2009/05/22 08:54:42 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Laurier Martin\Desktop\HJTInstall.exe

[2009/05/22 08:48:19 | 00,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/05/19 19:43:46 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laurier Martin\Desktop\mbam-setup.exe

[2009/05/15 03:03:05 | 00,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

[2009/05/08 07:53:09 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2009/05/07 21:18:38 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laurier Martin\My Documents\mbam-setup.exe

[2009/05/07 00:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

Thx


And the extras.

OTListIt Extras logfile created on: 26/05/2009 6:49:29 PM - Run 1

OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Laurier Martin\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 73.73% Memory free

2.86 Gb Paging File | 2.67 Gb Available in Paging File | 93.65% Paging File free

Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.73 Gb Total Space | 80.61 Gb Free Space | 72.15% Space Free | Partition Type: NTFS

Drive D: | 2.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LAURIE

Current User Name: Laurier Martin

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

File not found -- C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)

[2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2009/02/06 19:21:00 | 00,583,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call

[2009/02/06 19:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2008/04/13 17:12:33 | 00,077,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\rtcshare.exe:*:Enabled:RTC App Sharing

[2008/04/13 17:12:15 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows


  • Root Admin

Okay, we'll try to remove some of this stuff manually, but you may have to go into the Registry editor and manually remove some stuff if it gives us problems.

Let's start by seeing if we can remove these services or not.

STEP 01

Click on START - RUN and Copy/Paste this into the run line and hit OK

CMD /C SC CONFIG InCDsrv start= disabled

Then the same thing for this one.

CMD /C SC DEL "Norman NJeeves"

Then the same thing for this one.

CMD /C SC DEL "Norman ZANDA"

STEP 02

Not sure if you use the Roxio program or not, but it's currently not working properly. You may want to uninstall it and then, when we're done, look at reinstalling it again.

STEP 03

Please download this tool from Microsoft: Windows Installer CleanUp Utility

Then install it and run it. Be very careful with it as it can wipe out installation entries that can not be repaired without a full reinstall of the program.

Locate the VIRUSfighter program and remove it.

Locate DSoft Inc or Bandwidth Manager and remove it.

If you do decide to remove Roxio, then when all done look for anything to do with Roxio with this program as well and remove it, but only after using the normal Add/Remove in the Control Panel.

STEP 04

With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

The names may be a little different in HJT but should still show up with quite similar names.

STEP 05

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
C:\WINDOWS\System32\InsDrvZD.dll
C:\StubInstaller.exe
C:\Program Files\DNA\btdna.exe

Folder::
C:\VIRUSfighter
C:\Program Files\Fighters
C:\Documents and Settings\All Users\Application Data\Fighters
C:\Program Files\DNA

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 06

Please restart the computer now and let me know if there are any error messages that popup when you log back in again.
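The CFscript above deletes C:\WINDOWS\System32\InsDrvZD.dll, which the OTListIt listing earlier in the thread shows as a DLL under System32 created on 2009/03/30 with an empty company name. As an added example, not part of this thread or of OldTimer's OTListIt, the following Python script parses those listing lines and ranks unattributed executables under C:\WINDOWS by recency, which is the filter a helper applies by eye before writing a removal script. The record layout ("[date | size | attrs | C/M] (Company) -- path") is taken only from the lines posted above; the extension set and the C:\WINDOWS prefix are this script's own assumptions, and the sample lines are copied from the posted log.

```python
"""Rank unattributed executables in an OTListIt file listing.

Added example: not part of this thread or of OldTimer's OTListIt. The record
layout ("[date | size | attrs | C|M] (Company) -- path") is taken from the
lines posted above; everything else is this script's own assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Directories carry no "(Company)" group at all; files always carry one,
# printed as "()" when the binary has no company name in its version info.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

EXEC_EXTS = (".exe", ".dll", ".sys", ".cpl", ".scr")   # assumed set of interest
SYSTEM_PREFIX = "c:\\windows\\"                        # assumed location of interest


@dataclass
class FileRecord:
    timestamp: datetime
    size: int
    attrs: str      # four flags, e.g. "-HSD" = hidden, system, directory
    kind: str       # "C" from the Created list, "M" from the Modified list
    company: str    # "" when no company name was found
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[FileRecord]:
    """Parse one listing line; headers, blanks and the report footer give None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return FileRecord(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"].strip(),
    )


def parse_log(text: str) -> List[FileRecord]:
    """Parse every record line in a log excerpt, skipping everything else."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def triage(records: List[FileRecord]) -> List[FileRecord]:
    """Executables under C:\\WINDOWS with no company name, newest first.

    A missing company name is a hint, not a verdict: libeay32.dll (the usual
    file name of the OpenSSL crypto library) appears in the log with no
    company name too. Ordering by creation time puts the entries worth a
    second look at the top.
    """
    hits = [
        r for r in records
        if not r.is_dir
        and r.company == ""
        and r.path.lower().startswith(SYSTEM_PREFIX)
        and r.path.lower().endswith(EXEC_EXTS)
    ]
    return sorted(hits, key=lambda r: r.timestamp, reverse=True)


# Sample lines copied from the OTListIt log posted above.
SAMPLE_LOG = r"""
[2009/05/22 08:47:59 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laurier Martin\Desktop\mbam-setup.exe
[2009/05/19 19:55:57 | 00,000,000 | ---D | C] -- C:\Program Files\Fighters
[2009/05/15 03:03:05 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/03/30 18:30:15 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2007/01/08 23:20:43 | 00,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2003/08/27 17:26:31 | 00,023,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\NaiFiltr.sys
< End of report >
"""

if __name__ == "__main__":
    for rec in triage(parse_log(SAMPLE_LOG)):
        print(f"{rec.timestamp:%Y-%m-%d} {rec.size:>9} {rec.path}")
```

Run against the sample, InsDrvZD.dll comes out on top because it is the most recently created unattributed binary; the two older hits show why the list is a review queue rather than a verdict.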


Hi, sorry for the delay, was away for the day. Here is what I accomplished.

1- Done

2- Could not find any reference to any Roxio programs in Add/Remove, CCleaner or Windows install cleaner

3- Could not find any reference to Virusfighter, Dsoft, Bandwidth manager in Windows install cleaner

4- Was able to find most of this and checked them

5- Combo log attached below this.

6- re-started with no errors

ComboFix 09-05-26.05 - Laurier Martin 27/05/2009 21:19.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1158 [GMT -7:00]

Running from: c:\documents and settings\Laurier Martin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Laurier Martin\Desktop\CFscript.txt

AV: VIRUSfighter ver. 5.99 *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

FILE ::

"c:\program files\DNA\btdna.exe"

"C:\StubInstaller.exe"

"c:\windows\System32\InsDrvZD.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\DNA

c:\program files\DNA\btdna.exe

c:\program files\DNA\DNAcpl.cpl

c:\program files\DNA\plugins\npbtdna.dll

C:\StubInstaller.exe

C:\VIRUSfighter

c:\virusfighter\Bin\D2htls32.dll

c:\virusfighter\Bin\Descr.dll

c:\virusfighter\Bin\eLogger.exe

c:\virusfighter\Bin\Licwiz.exe

c:\virusfighter\Bin\Lnq.exe

c:\virusfighter\Bin\Ndfedit.exe

c:\virusfighter\Bin\Nerrors.dll

c:\virusfighter\Bin\Njeeves.exe

c:\virusfighter\Bin\Njev_Npt.dll

c:\virusfighter\Bin\Njev_Pwr.dll

c:\virusfighter\Bin\Noemrc.dll

c:\virusfighter\Bin\Npipe.dll

c:\virusfighter\Bin\Npt.dll

c:\virusfighter\Bin\Nptbin.dll

c:\virusfighter\Bin\Nptevlg2.dll

c:\virusfighter\Bin\Nptndesk.dll

c:\virusfighter\Bin\Nptndpip.dll

c:\virusfighter\Bin\Nptpipx.dll

c:\virusfighter\Bin\Nptpop.dll

c:\virusfighter\Bin\Nptxmit.dll

c:\virusfighter\Bin\Nren.exe

c:\virusfighter\Bin\NupdEx.dll

c:\virusfighter\Bin\Nvccf.exe

c:\virusfighter\Bin\Nvccf0.dll

c:\virusfighter\Bin\Nvccf0f.dll

c:\virusfighter\Bin\Nvccf0F.HLP

c:\virusfighter\Bin\Nvccf0g.dll

c:\virusfighter\Bin\Nvccf0G.HLP

c:\virusfighter\Bin\Nvccf0h.dll

c:\virusfighter\Bin\Nvccf0H.HLP

c:\virusfighter\Bin\Nvccf0o.dll

c:\virusfighter\Bin\Nvccf0O.HLP

c:\virusfighter\Bin\Nvccf0q.dll

c:\virusfighter\Bin\Nvccf0Q.HLP

c:\virusfighter\Bin\Nvcevlog.dll

c:\virusfighter\Bin\Zanda.exe

c:\virusfighter\Bin\Zlh.exe

c:\virusfighter\Bin\Zlh_zan.dll

c:\virusfighter\Bin\Zlhapi.dll

c:\virusfighter\Config\Config.ndf

c:\virusfighter\Config\Descr.ndf

c:\virusfighter\Config\Noemcf.ndf

c:\virusfighter\Config\Nsedescr.ndf

c:\virusfighter\Config\nsestate.ndf

c:\virusfighter\Config\Nvcdescr.ndf

c:\virusfighter\Config\nvcstate.ndf

c:\virusfighter\Config\Qtndescr.ndf

c:\virusfighter\Config\qtnstate.ndf

c:\virusfighter\Config\State.ndf

c:\virusfighter\Config\Zandescr.ndf

c:\virusfighter\Config\zanstate.ndf

c:\virusfighter\Download\GINST002.ZIP

c:\virusfighter\Download\NSE00001.ZIP

c:\virusfighter\Download\NSE20002.ZIP

c:\virusfighter\Download\NSE21001.ZIP

c:\virusfighter\Download\NSE22001.ZIP

c:\virusfighter\Download\NSE30001.ZIP

c:\virusfighter\Download\NVC00901.ZIP

c:\virusfighter\Download\NVC10901.ZIP

c:\virusfighter\Download\NVC11001.ZIP

c:\virusfighter\Download\NVC20902.ZIP

c:\virusfighter\Download\NVC30002.ZIP

c:\virusfighter\Download\NVC40002.ZIP

c:\virusfighter\Download\NVC41001.ZIP

c:\virusfighter\Download\NVC50001.ZIP

c:\virusfighter\Download\NVC60901.ZIP

c:\virusfighter\Download\NVC70901.ZIP

c:\virusfighter\Download\NVC80901.ZIP

c:\virusfighter\Download\NVC90001.ZIP

c:\virusfighter\Download\NVCA0001.ZIP

c:\virusfighter\Download\NVCB0001.ZIP

c:\virusfighter\Download\NVCC0001.ZIP

c:\virusfighter\Download\NVCD0001.ZIP

c:\virusfighter\Download\NVCE0001.ZIP

c:\virusfighter\Download\NVCF0001.ZIP

c:\virusfighter\Download\QTN00001.ZIP

c:\virusfighter\Download\QTN20001.ZIP

c:\virusfighter\Download\QTN80901.ZIP

c:\virusfighter\Download\ZAN00901.ZIP

c:\virusfighter\Download\ZAN01901.ZIP

c:\virusfighter\Download\ZAN20001.ZIP

c:\virusfighter\Download\ZAN21001.ZIP

c:\virusfighter\Download\ZAN30901.ZIP

c:\virusfighter\Download\ZAN40001.ZIP

c:\virusfighter\Download\ZAN80901.ZIP

c:\virusfighter\Msg\NPTBIN_2009_05_26_1432.NPS

c:\virusfighter\Msg\NPTBIN_2009_05_26_1515.NPS

c:\virusfighter\Msg\NPTBIN_2009_05_26_1629.NPS

c:\virusfighter\Msg\NPTBIN_2009_05_26_2019.NPS

c:\virusfighter\Msg\NPTBIN_2009_05_27_0825.NPS

c:\virusfighter\Msg\NPTBIN_2009_05_27_2049.NPS

c:\virusfighter\Msg\NPTPOP.NPQ

c:\virusfighter\Temp\Prefspp.ndf

c:\virusfighter\Temp\Relnotes.htm

c:\windows\System32\InsDrvZD.dll

.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))

.

2009-05-28 03:59 . 2009-05-28 03:59 3584 ----a-r c:\documents and settings\Laurier Martin\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2009-05-28 03:59 . 2009-05-28 03:59 -------- d-----w c:\program files\Windows Installer Clean Up

2009-05-28 03:56 . 2009-05-28 03:58 -------- d-----w c:\program files\MSECACHE

2009-05-26 22:00 . 2009-05-26 22:00 -------- d-----w c:\program files\CCleaner

2009-05-24 02:44 . 2009-05-24 02:44 -------- d-----w c:\documents and settings\Laurie Bergen\Application Data\Malwarebytes

2009-05-24 01:58 . 2009-05-26 15:55 -------- d-----w c:\documents and settings\Laurier Martin\Tracing

2009-05-23 18:04 . 2009-05-23 18:04 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\VSRevoGroup

2009-05-23 16:33 . 2009-05-23 16:45 -------- d-----w c:\program files\VS Revo Group

2009-05-22 16:07 . 2009-05-22 16:07 -------- d-----w c:\program files\Trend Micro

2009-05-22 15:48 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-22 15:48 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-22 15:48 . 2009-05-22 15:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-15 00:33 . 2009-05-15 00:33 -------- d-----w c:\program files\Safer Networking

2009-05-08 14:53 . 2009-05-08 14:55 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-08 14:52 . 2009-05-08 14:52 -------- d-----w c:\documents and settings\Administrator\Application Data\GRETECH

2009-05-08 14:28 . 2009-05-08 14:28 -------- d-----w c:\documents and settings\Administrator\Application Data\IObit

2009-05-06 16:40 . 2009-05-06 16:40 390664 ----a-w c:\documents and settings\Laurie Bergen\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-26 21:26 . 2006-07-08 21:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-05-23 17:58 . 2003-07-29 20:20 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-23 17:51 . 2007-01-11 05:49 -------- d-----w c:\program files\Activision

2009-05-23 17:40 . 2008-12-29 01:25 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\Skype

2009-05-23 17:40 . 2008-12-29 01:24 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-05-23 17:33 . 2008-07-25 20:53 -------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft

2009-05-23 17:33 . 2008-07-25 20:53 -------- d-----w c:\program files\ScanSoft

2009-05-23 17:29 . 2003-07-29 20:22 -------- d-----w c:\documents and settings\All Users\Application Data\QuickTime

2009-05-23 17:24 . 2008-07-25 20:55 -------- d-----w c:\program files\Nuance

2009-05-23 17:19 . 2003-07-29 20:23 -------- d-----w c:\program files\MUSICMATCH

2009-05-23 17:06 . 2008-09-25 22:45 -------- d-----w c:\program files\Living Books

2009-05-23 17:05 . 2006-11-05 19:33 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\Costco Photo Organizer

2009-05-23 17:05 . 2006-11-05 19:33 -------- d-----w c:\program files\Costco

2009-05-23 17:00 . 2007-10-11 02:53 -------- d-----w c:\program files\Camfrog

2009-05-23 16:55 . 2008-07-25 20:57 -------- d-----w c:\program files\Brother

2009-05-23 04:41 . 2008-05-02 15:13 -------- d-----w c:\program files\Shaw Secure

2009-05-23 04:35 . 2008-05-02 15:14 -------- d-----w c:\documents and settings\All Users\Application Data\F-Secure

2009-04-17 03:37 . 2009-02-14 23:25 -------- d-----w c:\program files\Windows Live

2009-04-16 18:43 . 2008-07-28 19:41 -------- d-----w c:\documents and settings\Laurier Martin\Application Data\PC-FAX TX

2009-04-10 21:12 . 2009-04-10 21:12 21419 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-04-10 21:10 . 2009-04-10 21:10 -------- d-----w c:\program files\Belkin

2009-04-01 01:35 . 2009-02-24 03:12 -------- d-----w c:\documents and settings\Laurie Bergen\Application Data\F-Secure

2009-03-31 01:30 . 2009-03-31 01:30 -------- d-----w c:\program files\Blitzz

2009-03-17 21:40 . 2009-03-17 21:40 307200 ----a-w c:\documents and settings\Laurie Bergen\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe

2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-12-08 00:37 826368 ----a-w c:\windows\system32\wininet.dll

2002-08-29 10:00 . 2002-08-29 10:00 94784 -csh--w c:\windows\TWAIN.DLL

2008-04-14 00:12 . 2002-08-29 10:00 50688 --sh--w c:\windows\twain_32.dll

2008-04-14 00:12 . 2002-08-29 10:00 57344 --sha-w c:\windows\SYSTEM32\msvcirt.dll

2008-04-14 00:12 . 2002-08-29 10:00 11776 --sha-w c:\windows\SYSTEM32\regsvr32.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-05-23_01.24.26 )))))))))))))))))))))))))))))))))))))))))

.

+ 2003-07-29 20:05 . 2009-05-23 04:34 65956 c:\windows\SYSTEM32\PERFC009.DAT

+ 2003-07-29 20:05 . 2009-05-23 04:34 411560 c:\windows\SYSTEM32\PERFH009.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-08 00:41 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave1"= serwvdrv.dll

"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE"

"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" /splash

"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"

"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 LBeepKE;LBeepKE;c:\windows\SYSTEM32\DRIVERS\LBeepKE.sys [17/02/2009 4:38 PM 10384]

S1 SuperMounter;SuperMounter; [x]

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\CtUsbMs.sys [08/10/2006 7:25 PM 14720]

S3 PCNat;PC-Nat Miniport;c:\windows\SYSTEM32\DRIVERS\pcnat.sys [09/03/2004 6:12 PM 30336]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\SYSTEM32\DRIVERS\rt2870.sys [28/07/2007 2:50 PM 517632]

S3 ZD1211U(Blitzz Technology Inc.);ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(Blitzz Technology Inc.);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [30/03/2009 6:30 PM 209408]

.

Contents of the 'Scheduled Tasks' folder

2003-08-07 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2003-08-07 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-27 21:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\wdfmgr.exe

c:\windows\SYSTEM32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-05-28 21:27 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-28 04:27

ComboFix2.txt 2009-05-27 00:48

ComboFix3.txt 2009-05-23 23:17

ComboFix4.txt 2009-05-23 18:22

ComboFix5.txt 2009-05-28 04:17

Pre-Run: 86,415,982,592 bytes free

Post-Run: 86,393,335,808 bytes free

266 --- E O F --- 2009-05-15 10:03

Again sorry for the delay, and thx for your help, it's greatly appreciated.


  • Root Admin

Why do you have GomPlayer installed? VLC Media player can play just about any known video file on the planet and is FREE. I don't know anything about this player but doubt you need it.

Unless you really need it I'd recommend removing it.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

AtJob::

Driver::
SUPERMOUNTER
SUPERMOUNTER.sys

Folder::
c:\program files\Shaw Secure
c:\documents and settings\All Users\Application Data\F-Secure
c:\documents and settings\Laurie Bergen\Application Data\F-Secure

File::
C:\WINDOWS\SYSTEM32\DRIVERS\SUPERMOUNTER.SYS
c:\windows\Tasks\ISP signup reminder 2.job
c:\windows\Tasks\ISP signup reminder 3.job

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{466F76BB-39CC-49DE-9B43-965D6E82134E}"=-
"BitTorrent DNA"=-
[HKEY_USERS\S-1-5-21-2216547981-3837015729-2769555212-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

[image: CFScript.gif]

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Click on START - RUN and type in MSCONFIG and click OK and check or set to the following.

GENERAL: Normal Startup - load all device drivers and services

SYSTEM.INI: Make sure there is a check mark on ALL items.

WIN.INI: Make sure there is a check mark on ALL items.

BOOT.INI: Uncheck /BOOTLOG and others if they're checked.

SERVICES: Place a check mark on ALL of them

STARTUP: Place a check mark on ALL of them

You may have to check and do this a couple of times due to the required reboot.

STEP 03

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from Malwarebytes v1.37 download

Note: If you're using a PAID version of Malwarebytes, you will need to reactivate the program using the license you were sent via e-mail.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 04

Please run this again now.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
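An added worked example, not part of this thread and not code from ComboFix or Malwarebytes: a small Python parser for the CFScript format used in STEP 01. It splits the script into its `Name::` sections, interprets the `Registry::` block using the .reg-file conventions that section follows (`[-KEY]` deletes a whole key, `"name"=-` deletes one value), and offers a post-fix check that reports which `File::` and `Folder::` paths still exist. The sample script is constructed from the entries in the post above; the `exists` hook is an assumption added so the check can be exercised without a Windows machine.

```python
"""Parse a ComboFix CFScript and build a post-fix verification list (added example)."""
import os
import re
from collections import OrderedDict

# Constructed sample: a subset of the CFScript from STEP 01 in the post above.
SAMPLE_CFSCRIPT = """\
KILLALL::

AtJob::

Driver::
SUPERMOUNTER
SUPERMOUNTER.sys

Folder::
c:\\program files\\Shaw Secure
c:\\documents and settings\\All Users\\Application Data\\F-Secure

File::
C:\\WINDOWS\\SYSTEM32\\DRIVERS\\SUPERMOUNTER.SYS
c:\\windows\\Tasks\\ISP signup reminder 2.job

Registry::
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\rootrepeal.sys]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]
"{466F76BB-39CC-49DE-9B43-965D6E82134E}"=-
"BitTorrent DNA"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "Driver::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")             # "[KEY]" or "[-KEY]"
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')         # '"name"=-' or '"name"=data'


def parse_cfscript(text):
    """Return an ordered {section_name: [lines]} map.

    Blank lines are separators; a section header with no body (KILLALL::, AtJob::)
    is kept as an empty list so the caller can see it was present.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line.strip():
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_section(lines):
    """Translate Registry:: lines into (action, key, value_name) tuples.

    Follows .reg syntax: "[-KEY]" deletes the key; under a "[KEY]" header,
    '"name"=-' deletes that value and '"name"=data' sets it.
    """
    actions = []
    key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(2)
            if km.group(1) == "-":
                actions.append(("delete_key", key, None))
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            if data == "-":
                actions.append(("delete_value", key, name))
            else:
                actions.append(("set_value", key, f"{name}={data}"))
            continue
        raise ValueError(f"unrecognised registry line: {line!r}")
    return actions


def remaining_paths(sections, exists=os.path.exists):
    """Post-fix check: return File::/Folder:: entries that are still present.

    `exists` is injectable (assumption for this example) so the logic can be
    run on a non-Windows host; on the affected machine the default is used.
    """
    targets = sections.get("Folder", []) + sections.get("File", [])
    return [p for p in targets if exists(p)]


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, body in parsed.items():
        print(f"{name}:: {len(body)} entries")
    for action in parse_registry_section(parsed["Registry"]):
        print(action)
    print("still present:", remaining_paths(parsed))
```

Run on the affected machine after ComboFix has finished, `remaining_paths` should come back empty; anything it lists is a target the script named but that is still on disk, which is exactly what the helper would want to see in the next reply.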
