
Only log I could capture, from Spyware Terminator


I cannot download and manually scan with any spyware program, or they go MIA. It sounds very much like the other topic here by Hi-tech1. I got this from a scheduled scan of Spyware Terminator. I know very little about tech stuff, sorry, but will try if you are willing to help. Thanks, Barry

Logfile of Spyware Terminator v2.6.0.110 (db:

Scan Time: 9/21/2009 3:53:01 PM length: 645 s

Platform: WXP (

User: Admin

Boot Mode: Normal

Scan type: Fast_Spyware_Scan

Scanned Objects: 48281 (Critical:0)

Filter: No System items, No Safe items, No Invalid items

Running Processes

AOLAcsd.exe [AOL LLC] : C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

aoltsmon.exe [America Online, Inc] : C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

AppleMobileDeviceService.exe [Apple Inc.] : C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

ITMRTSVC.exe [CA, Inc.] : C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

aoltpspd.exe [America Online Inc] : C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

PRISMXL.SYS [New Boundary Technologies, Inc.] : C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

wanmpsvc.exe [America Online, Inc.] : C:\WINDOWS\wanmpsvc.exe

AOLSoftware.exe [AOL LLC] : C:\Program Files\Common Files\AOL\1177334885\ee\AOLSoftware.exe

HPWuSchd2.exe [Hewlett-Packard] : C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

KbdAp32A.exe : C:\Program Files\Multimedia keyboard utility\1.3\KbdAp32A.exe

waol.exe [America Online, Inc.] : C:\Program Files\America Online 9.0a\waol.exe

BigFix.exe [bigFix Inc.] : C:\Program Files\BigFix\BigFix.exe

IAM.exe [CallWave, Inc.] : C:\Program Files\CallWave\IAM.exe

hpqtra08.exe [Hewlett-Packard Co.] : C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Webshots.scr [Webshots.com] : C:\Program Files\Webshots\Webshots.scr

Internet Settings

R - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://www.google.com

R - HKLM\Software\Microsoft\Internet Explorer\Main, SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R - HKLM\Software\Microsoft\Internet Explorer\Main, CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =

R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =


02 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - [RealPlayer] : C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll


04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AOL Fast Start : [America Online, Inc.] : C:\Program Files\AMERICA ONLINE 9.0A\AOL.EXE

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HostManager : [AOL LLC] : C:\Program Files\Common Files\AOL\1177334885\ee\AOLSoftware.exe

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HP Software Update : [Hewlett-Packard] : C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AppleSyncNotifier : [Apple Inc.] : C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Pure Networks Port Magic : [Pure Networks, Inc.] : C:\Program Files\Pure Networks\Port Magic\PortAOL.exe

04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, FLMK08KB : : C:\Program Files\Multimedia keyboard utility\1.3\MMKEYBD.EXE

04 - Startup: %STARTUP%\Webshots.lnk : C:\Program Files\Webshots\Launcher.exe

04 - Startup: %STARTUPALL%\BigFix.lnk [bigFix Inc.] : C:\Program Files\BigFix\BigFix.exe

04 - Startup: %STARTUPALL%\CallWave.lnk [CallWave, Inc.] : C:\Program Files\CallWave\IAM.exe

04 - Startup: %STARTUPALL%\HP Digital Imaging Monitor.lnk [Hewlett-Packard Co.] : C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Shell Extensions

Microsoft Office Outlook - {00020D75-0000-0000-C000-000000000046} - [Microsoft Corporation] : C:\Program Files\Microsoft Office\OFFICE11\MLSHEXT.DLL

Outlook File Icon Extension - {0006F045-0000-0000-C000-000000000046} - [Microsoft Corporation] : C:\Program Files\Microsoft Office\OFFICE11\OLKFSTUB.DLL

SampleView - {7F67036B-66F1-411A-AD85-759FB9C5B0DB} - [XSS] : C:\WINDOWS\system32\ShellvRTF.dll

My Sharing Folders - {FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll

iTunes - {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - [Apple Inc.] : C:\Program Files\iTunes\iTunesMiniPlayer.dll

RealOne Player Context Menu Class - {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - [RealNetworks, Inc.] : C:\Program Files\Real\RealPlayer\rpshell.dll

Protocol Handler

- {828030A1-22C1-4009-854F-8E305202313F} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

- {828030A1-22C1-4009-854F-8E305202313F} - [Microsoft Corporation] : C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

Data Page Plugable Protocal mso-offdap11 Handler - {32505114-5902-49B2-880A-1F7738E5A384} - [Microsoft Corporation] : C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL


23 - [Realtek Semiconductor Corp.] : C:\WINDOWS\system32\drivers\ALCXWDM.SYS

23 - [(Standard Mouse Types)] : C:\WINDOWS\system32\DRIVERS\Amfilter.sys

23 - [(Standard Mouse Types)] : C:\WINDOWS\system32\DRIVERS\Amusbprt.sys

23 - [AOL LLC] : C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

23 - [America Online, Inc] : C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

23 - [Apple Inc.] : C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

23 - [A4Tech Co.,Ltd.] : C:\WINDOWS\system32\DRIVERS\Arfumftr.sys

23 - [intel Corporation] : C:\WINDOWS\system32\DRIVERS\e100b325.sys

23 - [GEAR Software Inc.] : C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

23 - [Conexant Systems, Inc.] : C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

23 - [Conexant Systems, Inc.] : C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

23 - [intel Corporation] : C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

23 - [CA, Inc.] : C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

23 - [New Boundary Technologies, Inc.] : C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

23 - [Crawler.com] : C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

23 - [Alcor Micro Corp.] : C:\WINDOWS\system32\Drivers\sunkfilt.sys

23 - [Promise Technology, Inc.] : C:\WINDOWS\system32\DRIVERS\ultra.sys

23 - [America Online, Inc.] : C:\WINDOWS\system32\DRIVERS\wanatw4.sys

23 - [America Online, Inc.] : C:\WINDOWS\wanmpsvc.exe

23 - [Conexant Systems, Inc.] : C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

Winlogon Notify

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName : [intel Corporation] : C:\WINDOWS\system32\igfxdev.dll

Advanced Files Report

%PROGRAMFILES%\CA\PPRT\bin\CACheck.dll [CA, Inc.] [eTrust PestPatrol Realtime Protection] MD5=35C7D2A784F46E815E4D9DFC0C1ECCCC SIZE=125968

%PROGRAMFILES%\CA\PPRT\bin\CAHook.dll [CA, Inc.] [eTrust PestPatrol Realtime Protection] MD5=2F450D1F3F810EBB56E0D93AF9465531 SIZE=158736

%PROGRAMFILES%\CA\PPRT\bin\CAServer.dll [CA, Inc.] [eTrust PestPatrol Realtime Protection] MD5=3F88FC88D4875665F3F09F818B3B4330 SIZE=157200


%SYSDIR%\hpzlnt12.dll [HP] [HP DeskJet] MD5=52417880AC75AC4B7F4E5C3B54CA6621 SIZE=139345

%COMMONFILES%\AOL\ACS\AOLAcsd.exe [AOL LLC] [AOL Connectivity Service] MD5=85180CF88C5EBAD73B452A43A004CA51 SIZE=46640

%COMMONFILES%\AOL\ACS\AOLacsd.dll [AOL LLC] [AOL Connectivity Service] MD5=B1081E9380ACEEF7B9C5F928261EC569 SIZE=1263152

%COMMONFILES%\AOL\ACS\xpat.dll [AOL LLC] [AOL Connectivity Service] MD5=C64B23D10FAFE5BFABD89C53EBDB270E SIZE=124464

%COMMONFILES%\AOL\ACS\ACSMDiag.dll [AOL LLC] [AOL Connectivity Service] MD5=6181BD3B38F360B53D76C0802FE842C3 SIZE=87600

%COMMONFILES%\AOL\AOLDiag\tbdiag.dll [AOL LLC] [AOL Diagnostics] MD5=15B9CC21717F3CD0F660AF315521E3C0 SIZE=106496

%COMMONFILES%\AOL\ACS\AcsCmn.dll [AOL LLC] [AOL Connectivity Service] MD5=E3C1E0E02EBF63BAF138EC42CE39BA7C SIZE=206384

%COMMONFILES%\AOL\ACS\ACSSwu.dll [AOL LLC] [AOL Connectivity Service] MD5=24B23C8E8C69A158B09B3C4690B5750B SIZE=235056

%COMMONFILES%\AOL\TopSpeed\2.0\aoltsmon.exe [America Online, Inc] [AOL TopSpeed Monitor] MD5=7FB54900AA9792AB6307C699EC1859D4 SIZE=100016

%COMMONFILES%\AOL\TopSpeed\2.0\aoltsmon.dll [America Online, Inc.] [AOL TopSpeed Monitor] MD5=45FD9BA5DDB706C1C6CC0A386ED27D93 SIZE=122977

%COMMONFILES%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [Apple Inc.] [Apple Mobile Device Service] MD5=68277BB887A67D992A81B01710AFF92A SIZE=116040

%PROGRAMFILES%\CA\PPRT\bin\ITMRTSVC.exe [CA, Inc.] [eTrust PestPatrol Realtime Protection] MD5=D3AC7881F875CC6EA7AC54F724DE76CE SIZE=280080

%COMMONFILES%\AOL\TopSpeed\2.0\aoltpspd.exe [America Online Inc] [AOL TopSpeed] MD5=CAF7C2FDDADF73A02AC84C6FB6030BBF SIZE=46768

%COMMONFILES%\AOL\TopSpeed\2.0\velocity.dll [America Online, Inc.] [AOL TopSpeed] MD5=AA6A4F94D9A84D2B392342F2B56241EC SIZE=569438

%COMMONFILES%\McAfee\MSC\mcutil\9,15,101,0\mcutil.dll [McAfee, Inc.] [McAfee SecurityCenter] MD5=D31E75588C0A4A928B0CDA31F78207EC SIZE=215872

%PROGRAMFILES%\McAfee\MSC\oem\565\Mccobres.dll [McAfee, Inc.] [McAfee SecurityCenter] MD5=59902271A9C92935AF41EFADC2B52615 SIZE=558400

%PROGRAMFILES%\McAfee\MSC\mcsubmgr\9,15,126,0\mcsubmgr.dll [McAfee, Inc.] [McAfee SecurityCenter] MD5=349D0EB519A7FF4A0D8BEE6183B1F94B SIZE=645328

%PROGRAMFILES%\McAfee\MSC\mcregobj\9,15,126,0\mcregobj.dll [McAfee, Inc.] [McAfee SecurityCenter] MD5=906422F841A7BA10EDBA8E168B353754 SIZE=320408

%PROGRAMFILES%\McAfee\VirusScan\Engine\5301.4018\mcscan32.dll [McAfee, Inc.] [McScan] MD5=7D2DB489F984628A63AA4D3703B079B4 SIZE=3092646

%PROGRAMFILES%\McAfee\VirusScan\Engine\5301.4018\mc5300up.001 [McAfee, Inc.] [McScan] MD5=9C64289E6B6D270A50DAE8FA0972FCB1 SIZE=770197

%COMMONFILES%\New Boundary\PrismXL\PRISMXL.SYS [New Boundary Technologies, Inc.] [PrismXL Software Family] MD5=33D7285F12D934268A34206DFC4AD1B3 SIZE=172032

%WINDIR%\wanmpsvc.exe [America Online, Inc.] [America Online] MD5=EB9A99AB5D17B1727034FF191E6448D7 SIZE=65536

%PROGRAMFILES%\AOL Deskbar\deskbar.dll [America Online, Inc.] [AOL Deskbar] MD5=91F6C96D688481B52608122C4E560460 SIZE=370264

%COMMONFILES%\AOL\AOL Toolbar\Smartbox.dll [America Online, Inc.] [AOL Smartbox Module] MD5=EE17AF90ECC9FC80597102462DCAAFDB SIZE=136792

%COMMONFILES%\AOL\AOL Toolbar\AOLHelper.dll [America Online, Inc.] [AOLHelper Module] MD5=2F93FE7E2487123D4D59BDF79D68DB4A SIZE=111728

%PROGRAMFILES%\iTunes\iTunesMiniPlayer.dll [Apple Inc.] [iTunes] MD5=CD0C30F0E9E01BBEEA8BAFEBACA6CB00 SIZE=132392

%PROGRAMFILES%\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll [Apple Inc.] [iTunes] MD5=109257E4D6C4898DF4C0E751BE78B999 SIZE=43008

%PROGRAMFILES%\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll [Apple Inc.] [iTunes] MD5=C68BF163C04C8BB10C0946A35A8BD7B1 SIZE=129536

%PROGRAMFILES%\CallWave\CWIdle.dll MD5=306CD9CE761854AFDA5EF5051196C083 SIZE=163840

%COMMONFILES%\AOL\ACS\WLHook.dll [America Online] [AOL Connectivity Service] MD5=FE5DE976ACBDF5F15A717E6452A2EE0B SIZE=4608

%COMMONFILES%\AOL\1177334885\ee\AOLSvcMgr.dll [AOL LLC] [AOL Runtime Libraries] MD5=F6334C6F8D02B904C2C4C1E6D879243D SIZE=586752

%COMMONFILES%\AOL\1177334885\ee\xprt6.dll [AOL LLC] [XPRT Runtime Library] MD5=D9BFD66AFA50D266FF3789269E043BF4 SIZE=249856

%COMMONFILES%\aol\1177334885\ee\services\os\ver5_2_1_1\OS.dll [AOL LLC] [AOL OS service] MD5=483302397A9A1334FB9D44DD16638898 SIZE=180736

%COMMONFILES%\AOL\1177334885\EE\xprt5.dll [AOL LLC] [XPRT Runtime Library] MD5=01D280B0DFB2A0580F72AAD3BD2EF15D SIZE=249856

%COMMONFILES%\aol\1177334885\ee\services\os\ver5_2_1_1\AOLIdleMon.dll [AOL LLC] [AOL OS service] MD5=1337EF044854F38B9DFD085E56EBC3A2 SIZE=5632

%COMMONFILES%\aol\1177334885\ee\services\notification\ver6_4_1_1\Notify.dll [AOL LLC] [Notification Service] MD5=272DDA68347F2A265F4B9A12FDBF01DF SIZE=130560

%COMMONFILES%\aol\1177334885\ee\services\localStorage\ver7_3_3_1\clsSvc.dll [AOL LLC] [Common Local Store] MD5=255AF34C14E3F5CE45CC515EFB65FC41 SIZE=318976

%COMMONFILES%\aol\1177334885\ee\services\metrics\ver3_6_16_1\cmls.dll [AOL LLC] [Client Metrics Service] MD5=7204F76E069854A2785796A0911AFB27 SIZE=262144

%COMMONFILES%\aol\1177334885\ee\services\aolsystrayservice\ver3_1_3_2\AOLSysTrayService.dll [AOL LLC] [AOL Service Libraries] MD5=069766726AAABAD9AC53F7038256ABA4 SIZE=167936

%COMMONFILES%\aol\1177334885\ee\services\suiteFramework\ver4_1_6_1\suiteFramework.dll [AOL LLC.] [suiteFramework Service] MD5=4A9476E8EF7051BCF06D33A746339E9C SIZE=292864

%COMMONFILES%\aol\1177334885\ee\services\dialerTray\ver4_7_14_1\AOLDialS.dll [AOL LLC] [AOL Connectivity Service] MD5=D047389D299DF501E08358C9CD5D794F SIZE=247344

%SYSDIR%\hccutils.DLL [intel Corporation] [intel® Common User Interface] MD5=C750B2D3CD45955D39AF207B4D1FA937 SIZE=73728

%SYSDIR%\igfxsrvc.dll [intel Corporation] [intel® Common User Interface] MD5=513E016ABD4BD3B4E64BBE185D9C51B1 SIZE=57344

%SYSDIR%\igfxres.dll [intel Corporation] [intel® Common User Interface] MD5=2BA722EC9926815F96E72917712AFFB3 SIZE=135168

%COMMONFILES%\AOL\ACS\AOLdialr.dll [AOL LLC] [AOL Connectivity Service] MD5=DF135DA435592062132228675CE428EE SIZE=624176

%COMMONFILES%\AOL\ACS\US\DialRes.dll [America Online] [AOL Connectivity Service] MD5=76B732B823A1449A351ED2FCA10D7830 SIZE=99888

%COMMONFILES%\AOL\ACS\ACSEECln.dll [AOL LLC] [AOL Connectivity Service] MD5=648E8B175D87B98B6F3C1A10D69E1FC8 SIZE=140848

%COMMONFILES%\aol\1177334885\ee\services\sysinfo\ver2_3_7_1\SysInfo.dll [AOL LLC] [system Information Service] MD5=2F7CEA732AE1C019E25FC15678556850 SIZE=712704

%PROGRAMFILES%\Multimedia keyboard utility\1.3\KbdAp32A.exe MD5=CD87ABB9C30ACD6D5EC8DC5C1724BDB6 SIZE=380416

%PROGRAMFILES%\Multimedia keyboard utility\1.3\KBDDL32A.DLL MD5=27E51EA93F163726FE3D28D888FB3BA1 SIZE=53248

%PROGRAMFILES%\Multimedia keyboard utility\1.3\KBDMDLLA.DLL MD5=D5011679019AB8BE5E3FE778F17FDA58 SIZE=49152

%PROGRAMFILES%\Multimedia keyboard utility\1.3\KBD32S.DLL MD5=FB01D1B236714CDD141C1D9FA6AE62BC SIZE=12288

%PROGRAMFILES%\Multimedia keyboard utility\1.3\KBD32G.DLL MD5=1E8604255619E1267104CFFF85B72712 SIZE=32768

%PROGRAMFILES%\America Online 9.0a\waol.exe [America Online, Inc.] [America Online] MD5=7FAB3C273C8214D517BDD0CBD2BA1815 SIZE=37464

%PROGRAMFILES%\America Online 9.0a\waol.dll [America Online, Inc.] [America Online] MD5=35BCFC97EA410B9152842405B1D38BFB SIZE=290816

%PROGRAMFILES%\America Online 9.0a\supersub.dll [America Online, Inc.] [America Online] MD5=2FDC43FC221F015CD81952FBB25E2AA2 SIZE=454656

%PROGRAMFILES%\America Online 9.0a\Xpcs.dll [America Online, Inc.] [COOL Runtime Libraries] MD5=2BB1FFAA7874A150578B7A453F12A44B SIZE=29696

%PROGRAMFILES%\America Online 9.0a\Xprt3.dll [America Online, Inc.] [COOL Runtime Libraries] MD5=C301C97DF837668F3E76D24BF55049DA SIZE=172032

%PROGRAMFILES%\America Online 9.0a\zlib.dll [ZLib.DLL] MD5=98A1B90A7A30DCC7EEDD3D6AE6368DEE SIZE=45056

%PROGRAMFILES%\America Online 9.0a\xmlparse.dll MD5=4BF2029BBEDA32417ED67F7B4CD924D2 SIZE=53248

%PROGRAMFILES%\America Online 9.0a\xmltok.dll MD5=949BE5445C00147C2D9426683DD50DB9 SIZE=81920

%PROGRAMFILES%\America Online 9.0a\comm.dll [America Online, Inc.] [America Online] MD5=24552F47F8FB561ADFD03A29A89980CD SIZE=245760

%PROGRAMFILES%\America Online 9.0a\Xptl.dll [America Online, Inc.] [COOL Runtime Libraries] MD5=0FF681F0F7E61E54C64B8A7D87CEADAB SIZE=8192

%PROGRAMFILES%\America Online 9.0a\manager.dll [America Online, Inc.] [America Online] MD5=16C83DB7220F09650C9E99D7BA447A25 SIZE=901120

%PROGRAMFILES%\America Online 9.0a\SYNCCORE.dll [America Online, Inc.] [America Online] MD5=AEA4142CB7E194C4939ED83F68A9F91B SIZE=23040

%PROGRAMFILES%\America Online 9.0a\ProxyMgr.dll [America Online, Inc.] [America Online] MD5=54E8579D7833385F394EDEA321E12A3E SIZE=39936

%PROGRAMFILES%\America Online 9.0a\TAI.dll [America Online, Inc.] [AOL TopSpeed[TM] Application Interface] MD5=7D1642D9208ED21BF36CE8725B2FDD17 SIZE=6656

%PROGRAMFILES%\America Online 9.0a\APPDATA.dll [America Online, Inc.] [America Online] MD5=DE2D5F8BEA7FDDDF36F51912D6A11795 SIZE=10240

%PROGRAMFILES%\America Online 9.0a\acfBase.DLL [America Online] [acf Module] MD5=7E6F996AF3F02FDFA70ABAE3B7E1B026 SIZE=41472

%PROGRAMFILES%\America Online 9.0a\resource.dll [America Online, Inc.] [America Online] MD5=CEC71FE650BD2934E1F8590DAB3169A2 SIZE=2707456

%PROGRAMFILES%\America Online 9.0a\TOOL\imfdecode.rct [America Online, Inc.] [America Online] MD5=E32F9E30A6163EF12ADFBC908B828E30 SIZE=421888

%PROGRAMFILES%\America Online 9.0a\TOOL\coretool.rct [America Online, Inc.] [America Online] MD5=BE94C8100548AA763352C03931DA2C7F SIZE=331776

%PROGRAMFILES%\America Online 9.0a\DUNZIP32.dll [inner Media, Inc.] [DynaZIP-32 Multi-Threading UnZIP DLL] MD5=E6C3EC8ADB7396B709CD1DECDC18276C SIZE=110592

%PROGRAMFILES%\America Online 9.0a\TOOL\mip.tol [America Online, Inc.] [America Online] MD5=7C559476079C445BF5C2E3122E821EEC SIZE=315392

%PROGRAMFILES%\America Online 9.0a\ABOOK.dll [America Online, Inc.] [America Online] MD5=2E37772481EB7D823DF2362536958B6B SIZE=380928

%PROGRAMFILES%\America Online 9.0a\TOOL\rich.rct [America Online, Inc.] [America Online] MD5=3094B6F869E3F4D1852027F5C050BF93 SIZE=434176

%PROGRAMFILES%\America Online 9.0a\TOOL\actvx.rct [America Online, Inc.] [America Online] MD5=2DB06E788D640E14E0B547E3A0AD679E SIZE=163840

%PROGRAMFILES%\America Online 9.0a\TOOL\sec.cct [America Online, Inc.] [America Online] MD5=47F185FA66F4F211F0FBCFC14882186E SIZE=163840

%PROGRAMFILES%\America Online 9.0a\TOOL\chat.tol [America Online, Inc.] [America Online] MD5=49F806A5272E71B855066C01E595C750 SIZE=364544

%PROGRAMFILES%\America Online 9.0a\TOOL\htmlview.tol [America Online, Inc.] [America Online] MD5=B40840D033FE4725544DB1D7A4986E20 SIZE=348160

%PROGRAMFILES%\America Online 9.0a\TOOL\www.tol [America Online, Inc.] [America Online] MD5=1DF5FBC0D5C02BEF8561A2C13F68F1E7 SIZE=249856

%PROGRAMFILES%\America Online 9.0a\TOOL\lvi.tol [America Online, Inc.] [America Online] MD5=31EA7ED79DF81F74D20E406D5EDE818F SIZE=77824

%PROGRAMFILES%\America Online 9.0a\COOLAPI.dll [America Online, Inc.] [America Online] MD5=95427DC2997AA2A5F62CDF25319B6416 SIZE=192512

%PROGRAMFILES%\America Online 9.0a\idleproc.dll [America Online, Inc.] [America Online] MD5=AE9C8C59ADDAA5F545F0C0423FEFA739 SIZE=6144

%PROGRAMFILES%\America Online 9.0a\TOOL\talk.tol [America Online, Inc.] [America Online] MD5=0CA7F6CE06F27730D414E7C02A5F926D SIZE=27648

%PROGRAMFILES%\America Online 9.0a\cool\CoolBucky.dll [America Online, Inc.] [COOL Component Libraries] MD5=D0681767C0197964FE6B191C08E9FF05 SIZE=122880

%PROGRAMFILES%\America Online 9.0a\cool\CoolSocket.dll [America Online, Inc.] [COOL Component Libraries] MD5=F048998F0647F591CFB3001EC6B370CD SIZE=73728

%PROGRAMFILES%\America Online 9.0a\cool\CoolBos.dll [America Online, Inc.] [COOL Component Libraries] MD5=DC51096A32008FB2B82D0B867B661202 SIZE=184320

%PROGRAMFILES%\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll [Viewpoint Corporation] [Viewpoint Media Player for Internet Explorer] MD5=3163B59E1C568C8C6EACA1EAB06FA851 SIZE=245810

%PROGRAMFILES%\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll [Viewpoint Corporation] [ComponentMgr] MD5=153A74D7361FDF58FEE6710C067D6C84 SIZE=208946

%PROGRAMFILES%\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll [Viewpoint Corporation] [Viewpoint Media Player Scene Component] MD5=F68440A921D0F5A3B4979D78EA735BB8 SIZE=1183796

%PROGRAMFILES%\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll [Viewpoint Corporation] [Viewpoint Media Player AOLUserShell] MD5=930D959F612AA545DEF48CA94616E5D8 SIZE=413746

%PROGRAMFILES%\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll [Viewpoint Corporation] [Viewpoint Media Player Rasterizer Component] MD5=3BADDC0379DC2E57F654E900F403D5AE SIZE=528430

%PROGRAMFILES%\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll [Viewpoint Corporation] [Viewpoint Media Player SWFView Component] MD5=20085B5B8BC179425ED29DCE0C5DD6DD SIZE=659501

%PROGRAMFILES%\BigFix\BigFix.exe [bigFix Inc.] [bigFix] MD5=3802278FED9E3594B4BC3377FF0CFF3B SIZE=1742384

%PROGRAMFILES%\BigFix\Lib\Engine.dll [bigFix] [Engine] MD5=0483F2FC32E50EDF52AED3BC265826D3 SIZE=337456

%PROGRAMFILES%\BigFix\Lib\Inspectors\Inspect.dll [bigFix] [inspect] MD5=0495ECB66F35764933D778B61BB157CA SIZE=652848

%PROGRAMFILES%\CallWave\IAM.exe [CallWave, Inc.] [CallWave Service] MD5=B20B055D6E20D8792A0BE198290AAE27 SIZE=1940544

%PROGRAMFILES%\HP\Digital Imaging\bin\hpqtra08.exe [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=C519CEC624CF9BCBA3059F32266C8FFF SIZE=258048

%PROGRAMFILES%\HP\Digital Imaging\bin\hpqcxm08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=2BB391A3E24991F303DBEF3C0B99BEB6 SIZE=143360

%PROGRAMFILES%\HP\Digital Imaging\bin\hpquio08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=CF044EABD7510F6A50A584B814065D7D SIZE=102400

%PROGRAMFILES%\HP\Digital Imaging\bin\hpqtra08.rsc [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=8B611B660B071C00989515DA28D5B56F SIZE=45056

%PROGRAMFILES%\HP\Digital Imaging\bin\hpqtao08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=A7BE8CDFE0F9C3799F014FB5F6810848 SIZE=65536

%PROGRAMFILES%\HP\Digital Imaging\bin\hpotra08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=4755978C1CAC77D07DB07519B92E924E SIZE=212992

%PROGRAMFILES%\HP\Digital Imaging\bin\hpotra08.rsc [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=776828B0E057D595AB43A09C01417792 SIZE=28672

%PROGRAMFILES%\HP\Digital Imaging\bin\hpodio08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=A3A18B8F2BDD9B154FE9BD33564114F1 SIZE=651264

%PROGRAMFILES%\HP\Digital Imaging\bin\hpotradd.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=4762C83EA26C685D0464030FDC1F57C6 SIZE=53248

%PROGRAMFILES%\HP\Digital Imaging\bin\hpoSTD08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=632A5ED567A8F4821EE0B90952CB9BAC SIZE=389120

%PROGRAMFILES%\HP\Digital Imaging\bin\hpqtap08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=03DB9F2C54A0935CA0D637DB58E6BA5B SIZE=53248

%PROGRAMFILES%\HP\Digital Imaging\bin\hpoSTD08.rsc [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=DF2202493AF3A7A1DAE65927214552CC SIZE=299008

%SYSDIR%\hpzidr12.dll [HP] [HP Dot4Rtl] MD5=3A2030BBD08924970DCDB7ABBA4C4D92 SIZE=278584

%SYSDIR%\hpzipr12.dll [HP] [HP PmlRtl] MD5=D6D559B94671573A026ED47C5E75964B SIZE=204800

%PROGRAMFILES%\HP\Digital Imaging\bin\hpodvd09.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=A01ADD440BD19F4960558AA001DC6070 SIZE=63488

%PROGRAMFILES%\HP\Digital Imaging\bin\hpoddcomm09.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=E2809C835480E801FBF2E0006EAFC398 SIZE=91648

%PROGRAMFILES%\HP\Digital Imaging\bin\hpocxi08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=1BAE120AF11F296052E5CD31E5AD6573 SIZE=270336

%PROGRAMFILES%\HP\Digital Imaging\bin\hpqcob08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=C7B04879F5C16564110282E24FE7A470 SIZE=53248

%PROGRAMFILES%\HP\Digital Imaging\bin\hpodev08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=F4CE11DE5BA65E326EEB95EFA40468B1 SIZE=73728

%PROGRAMFILES%\HP\Digital Imaging\bin\hpodeb08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=59FDE0F5519FEFDBAFE4D89A771E5029 SIZE=204800

%PROGRAMFILES%\HP\Digital Imaging\bin\hposcn08.dll [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=8D812FC5DE751FE5C1F9560F37DF61D1 SIZE=118784

%PROGRAMFILES%\HP\Digital Imaging\bin\hpoSCN08.rsc [Hewlett-Packard Co.] [hp digital imaging - hp all-in-one series] MD5=FCE8900B3615860011FD30551108C53B SIZE=24576

%PROGRAMFILES%\Webshots\Webshots.scr [Webshots.com] [The Webshots Desktop] MD5=2AB49695448B54C965D3CE81C4AEA2C0 SIZE=1650688

%PROGRAMFILES%\Webshots\Launcher.exe MD5=C49ABED368CA0F06EFF3C715C62C781C SIZE=45056



%PROGRAMFILES%\Microsoft Office\OFFICE11\MLSHEXT.DLL [Microsoft Corporation] [Microsoft Office Outlook] MD5=283926C9F1D6C0EC263962F684F502A1 SIZE=33120

%PROGRAMFILES%\Microsoft Office\OFFICE11\OLKFSTUB.DLL [Microsoft Corporation] [Microsoft Office Outlook] MD5=EEFF9EB53DE2111DEC77E7C9E8D090F0 SIZE=236384

%SYSDIR%\ShellvRTF.dll [XSS] [XSS ShellvRTF] MD5=8305E5132173A9E9CE591CAD4EB5C9B4 SIZE=122880

%PROGRAMFILES%\Windows Live\Messenger\fsshext.8.5.1302.1018.dll [Microsoft Corporation] [Messenger] MD5=8BDE1F61DFBAAE7A2916170E8B75FE0F SIZE=329240

%PROGRAMFILES%\Real\RealPlayer\rpshell.dll [RealNetworks, Inc.] [RealPlayer] MD5=E56ADA1922D173913EF98470FC4788DF SIZE=63016

%SYSDIR%\igfxdev.dll [intel Corporation] [intel® Common User Interface] MD5=A56583F05DDDE0B425ACBF5BE60FBACC SIZE=131072

%SYSDIR%\drivers\ALCXWDM.SYS [Realtek Semiconductor Corp.] [Windows ® WDM driver for Realtek AC'97 Audio(HRTF data Copyright 1994 by MIT Media Lab)] MD5=95AA37BEC6C72C277C2CAEAEE736DD2D SIZE=2317504

%SYSDIR%\DRIVERS\Amfilter.sys [(Standard Mouse Types)] [iWheelWorks Mouse Driver] MD5=92E90096B37017A730F086A7E36D549C SIZE=6656

%SYSDIR%\DRIVERS\Amusbprt.sys [(Standard Mouse Types)] [iWheelWorks Mouse Driver] MD5=884A16E80A1A67415C5CD75FF52FF2A8 SIZE=12800

%SYSDIR%\DRIVERS\Arfumftr.sys [A4Tech Co.,Ltd.] [A4Tech iWheelWorks Mouse Driver] MD5=B2E312E38367B47C042ED0BBBA320961 SIZE=10904

%SYSDIR%\svchost.exe -k netsvcs

%SYSDIR%\svchost -k DcomLaunch

%SYSDIR%\svchost.exe -k NetworkService

%SYSDIR%\DRIVERS\e100b325.sys [intel Corporation] [intel® PRO/100 Adapter] MD5=7D91DC6342248369F94D6EBA0CF42E99 SIZE=154112

%SYSDIR%\Drivers\GEARAspiWDM.sys [GEAR Software Inc.] [CD DVD Filter] MD5=5DC17164F66380CBFEFD895C18467773 SIZE=16168

%SYSDIR%\DRIVERS\HSFHWBS2.sys [Conexant Systems, Inc.] [softK56 Modem Driver] MD5=B6B0721A86E51D141EC55C3CC1CA5686 SIZE=231168

%SYSDIR%\DRIVERS\HSF_DPV.sys [Conexant Systems, Inc.] [softK56 Modem Driver] MD5=698204D9C2832E53633E53A30A53FC3D SIZE=1035008

%SYSDIR%\DRIVERS\ialmnt5.sys [intel Corporation] [intel Graphics Accelerator Drivers for Windows NT®] MD5=0294A30B302CA71A2C26E582DDA93486 SIZE=830684

%SYSDIR%\svchost.exe -k LocalService

%SYSDIR%\svchost -k rpcss

%SYSDIR%\drivers\sp_rsdrv2.sys [Crawler.com] [spyware Terminator] MD5=8831252BCF05FCFB5ABD116A22E552D8 SIZE=142592

%SYSDIR%\svchost.exe -k imgsvc

%SYSDIR%\Drivers\sunkfilt.sys [Alcor Micro Corp.] [sunkFilt] MD5=86CA1A5C15A5A98D5533945FB1120B05 SIZE=36804

%SYSDIR%\DRIVERS\ultra.sys [Promise Technology, Inc.] [Promise ultra66 Miniport Driver for WindowsNT] MD5=1B698A51CD528D8DA4FFAED66DFC51B9 SIZE=36736

%SYSDIR%\DRIVERS\wanatw4.sys [America Online, Inc.] [Wan Miniport (ATW)] MD5=0A716C08CB13C3A8F4F51E882DBF7416 SIZE=33588

%SYSDIR%\DRIVERS\HSF_CNXT.sys [Conexant Systems, Inc.] [softK56 Modem Driver] MD5=74CF3F2E4E40C4A2E18D39D6300A5C24 SIZE=717952

%PROGRAMFILES%\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll [Microsoft Corporation] [Messenger] MD5=56319E6B4D190A2DEB4463A9CE4D4F74 SIZE=66072

%COMMONFILES%\Microsoft Shared\Web Components\11\OWC11.DLL [Microsoft Corporation] [Microsoft Office 2003] MD5=6038EB24E4B56F42E92072C5A306ECA8 SIZE=8058192

End of Report


Still can't run any spyware software, including Malwarebytes, after downloading again. Unless it's a scheduled scan, in McAfee or Spyware Blaster, then it runs. McAfee has picked up the same item recently, called Coupon Bar, and it was removed, twice now.

Hard to sit and wait when your computer is infected, so I at least did the next logical step, from what I've been reading here (download and run Win32kDiag). But now I'm stuck... it didn't go too far. Where to go from here? Help! Thanks, Barry

Win32kDiag log:

Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\85D2416L\Win32kDiag[1].exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

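Every mount point in the log above resolves to the same target, \Device\__max++>\^, which is not a volume path at all, and each hijacked directory name repeats its parent (applets\applets, BATCH\BATCH). The Python script below is an added example, not part of this thread and not part of Win32kDiag: it pairs the "Found mount point" / "Mount point destination" lines of such a log, flags reparse points whose target does not begin with \??\ (this script assumes that a legitimate NTFS junction or volume mount point resolves into that namespace) or whose leaf name repeats its parent, and collects the "Cannot access:" lines. The sample lines are a constructed excerpt; the benign junction under C:\Example is invented so that the checks have a negative case.

```python
"""Triage of Win32kDiag-style mount point output.

Added example (not from the thread and not part of Win32kDiag): pairs the
"Found mount point" / "Mount point destination" lines, flags reparse points
whose target is not a normal volume path or whose leaf name repeats its
parent, and collects the "Cannot access:" lines.
"""
import ntpath
import re

# Constructed excerpt modelled on the log above; the C:\Example junction is
# an invented benign one so that the checks have a negative case to pass.
SAMPLE_LINES = [
    r"Found mount point : C:\WINDOWS\ime\chsime\applets\applets",
    r"Mount point destination : \Device\__max++>\^",
    r"Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH",
    r"Mount point destination : \Device\__max++>\^",
    r"Found mount point : C:\Example\Links\docs",  # constructed, benign
    r"Mount point destination : \??\C:\Example\Data\docs",
    r"Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe",
]

FOUND_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
DENIED_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")


def parse_win32kdiag(lines):
    """Return ([(mount_path, destination), ...], [inaccessible_file, ...])."""
    mounts, denied = [], []
    pending = None  # mount path waiting for its destination line
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = FOUND_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m:
            if pending is not None:
                mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append(m.group(1))
    return mounts, denied


def target_outside_win32_namespace(destination):
    """True when the target does not start with \\??\\.

    Assumption of this example: a legitimate NTFS junction or volume mount
    point resolves into the \\??\\ object namespace (\\??\\C:\\..., \\??\\Volume{...}).
    A target such as \\Device\\__max++>\\^ names no volume at all.
    """
    return not destination.lower().startswith("\\??\\")


def leaf_repeats_parent(path):
    """True for paths like ...\\applets\\applets, the shape seen in the log."""
    parent = ntpath.dirname(path)
    return bool(parent) and ntpath.basename(path).lower() == ntpath.basename(parent).lower()


def triage(lines):
    """Summarise the log: mount point count, suspicious entries, inaccessible files."""
    mounts, denied = parse_win32kdiag(lines)
    suspicious = []
    for path, dest in mounts:
        reasons = []
        if target_outside_win32_namespace(dest):
            reasons.append("target outside the \\??\\ namespace")
        if leaf_repeats_parent(path):
            reasons.append("directory name repeats its parent")
        if reasons:
            suspicious.append({"path": path, "destination": dest, "reasons": reasons})
    return {"mount_points": len(mounts), "suspicious": suspicious, "access_denied": denied}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    print(f"{report['mount_points']} mount points, {len(report['suspicious'])} suspicious")
    for item in report["suspicious"]:
        print(f"  {item['path']} -> {item['destination']}: {'; '.join(item['reasons'])}")
    for f in report["access_denied"]:
        print(f"  access denied: {f}")
```

Run against the constructed lines it reports two suspicious mount points (both reasons apply to each) and one inaccessible file; the invented C:\Example junction passes both checks. Feeding it a saved Win32kDiag log line by line works the same way, since blank lines are skipped.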

  • Staff


* Please visit this webpage for instructions for downloading and running ComboFix:


Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot; this is because McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.


Hi Mieke,

Thank you-I will begin downloading Combofix shortly--I'm not sure what "temporary uninstall" of McAfee means-I went and disabled all items I could from the control panel. Or do I just go to add or remove, and remove McAfee, then re-install later?




Even when you disable McAfee, it still interferes with Combofix in a lot of cases. That's why it's better to uninstall McAfee for now. You can reinstall it later again once we are done with everything. :)

OK, that's probably why Combofix didn't work. After that, I uninstalled McAfee. Now, should I uninstall Combofix and download it again? But there may be one problem, now when I go to Control Panel, click on add or remove programs, there is nothing there!

Combofix got as far as Attempting to establish a restore point-and then it just disappeared. I tried running it again, even after I uninstalled McAfee, but no go. Uh-oh! What did I do now? :)


  • Staff


Yes, please download Combofix again and run it, because in this case, once you have run it, permissions have probably already been set on it by this infection in order to block Combofix.

Please use this method...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except those in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Hi Mieke,

Not doing too well here...disabled everything as instructed...re-downloaded CF and relabelled to C-F, etc. It ran for a short time, and said it has determined rootkit activity and needs to reboot...and after it ran again, it just disappeared. So I ran it in Safe Mode, and the same thing happened. It finally rebooted to normal mode, ran shortly, and disappeared again. Ugh!!!

You said if it didn't work in safe mode, to name it to iexplore.exe or winlogon.exe but I don't know how to do that, even where or when.

Gee, I hope you haven't gone to bed yet!! ; )

Thank you,



Could not get Combofix to work again-after new download, and in safe mode. I renamed it combo-fix1, though you didn't tell me to rename it. Anyway, while I was in safe mode, I tried running Win32Diag again, and this time it worked (though maybe I just didn't wait long enough the first time-it took forever!).

OK, now this forum says my post was too long-should I include the scan as an attachment? And how would I do that? :)




  • Staff


1. Please download The Avenger2 by SwanDog46

2. Unzip avenger.exe to your desktop.

3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.

5. Read the prompt that appears, and press OK.

6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

7. Press the "Execute" button.

8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

Also, after the above has been done successfully, you should be able to run Combofix, but please redownload it and, before you save it, rename it to bluespider.exe or so :)



Hi Mieke,

Thank you for hanging in there with me....got through that last one OK! Did the Avenger, and then Combofix again, and then I needed to download the Windows recovery console...and finally, I have a Combofix log to present to you! Here it is, and thank you! I probably have more to go yet, but at least it feels we've gotten somewhere! :blink:


ComboFix 09-09-22.03 - Owner 09/23/2009 17:12.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.296 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\bluespider.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\program files\Image ActiveX Access






((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))







((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))


2009-09-23 18:15 . 2009-09-23 18:20 -------- d-----w- C:\Combo-Fix31809C

2009-09-23 18:08 . 2009-09-23 18:15 -------- d-----w- C:\Combo-Fix

2009-09-23 17:28 . 2009-09-23 18:08 -------- d-----w- C:\ComboFix

2009-09-21 20:27 . 2009-09-21 20:27 -------- d-----w- c:\program files\Trend Micro

2009-09-21 14:25 . 2009-09-21 14:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-09-21 14:24 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-21 14:24 . 2009-09-21 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-21 14:24 . 2009-09-21 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-21 14:24 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-13 12:38 . 2009-09-23 18:41 -------- d-----w- c:\program files\Spyware Terminator

2009-09-01 04:11 . 2009-09-01 04:11 -------- d-----w- c:\program files\Multimedia keyboard utility


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2009-09-23 20:43 . 2007-04-23 16:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView

2009-09-23 20:43 . 2007-04-23 15:25 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec

2009-09-23 18:42 . 2008-03-10 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-23 18:03 . 2009-08-01 17:28 -------- d-----w- c:\program files\Crawler

2009-09-23 16:45 . 2007-05-06 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-23 13:59 . 2007-04-23 17:16 -------- d-----w- c:\program files\CallWave

2009-09-23 04:49 . 2009-01-09 22:49 -------- d-----w- c:\documents and settings\Owner\Application Data\WeatherBug

2009-09-21 20:38 . 2007-07-13 14:46 15614 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-09-21 19:44 . 2007-04-24 02:10 -------- d-----w- c:\program files\SpywareBlaster

2009-09-21 12:47 . 2007-04-23 15:05 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6

2009-09-18 06:53 . 2008-02-21 07:22 -------- d-----w- c:\program files\Coupons

2009-09-17 06:57 . 2008-11-23 17:27 -------- d-----w- c:\program files\America Online 9.0a

2009-09-12 14:04 . 2008-11-04 08:43 -------- d-----w- c:\documents and settings\maviblue\Application Data\Spyware Terminator

2009-08-18 03:58 . 2009-08-18 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\293A9

2009-08-05 09:01 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2005-03-23 16:53 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2005-03-23 16:53 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-03-23 16:52 17408 ----a-w- c:\windows\system32\corpol.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]


"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HostManager"="c:\program files\Common Files\AOL\1177334885\ee\AOLSoftware.exe" [2008-06-24 41824]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-24 185872]

"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"FLMK08KB"="c:\program files\Multimedia keyboard utility\1.3\MMKEYBD.EXE" [2009-09-01 207360]


"OOBEDDDemise"="erase" [X]


"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\Launcher.exe [2007-4-24 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BigFix.lnk - c:\program files\BigFix\BigFix.exe [2007-4-23 1742384]

CallWave.lnk - c:\program files\CallWave\IAM.exe [2007-10-15 1940544]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]




"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1177334885\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\America Online 9.0a\\waol.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\1177334885\\EE\\aolsoftware.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

"c:\\Program Files\\CallWave\\IAM.exe"=

R3 Arfumftr;Trust RF-Mouse filter driver;c:\windows\system32\drivers\Arfumftr.sys [12/17/2001 4:27 PM 10904]



------- Supplementary Scan -------


uStart Page = hxxp://cdbaby.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM

IE: Crawler Search - tbr:iemenu

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: hotmail.com

Trusted Zone: msn.com

Trusted Zone: passport.com

Trusted Zone: windowslive.com

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll


- - - - ORPHANS REMOVED - - - -



AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe

AddRemove-AP Guitar Tuner - c:\program files\Audio Phonics

AddRemove-Webshots Toolbar - c:\program files\Webshots\ToolbarUninstall.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 17:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...


OOBEDDDemise = cmd /x /c erase c:\windows\System32\oobe\msoobe.exe??????????????????????C?w?????????????????|??????@z??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w?????????????????????????????????????`??????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

scanning hidden files ...

scan completed successfully

hidden files: 0



--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3400)


c:\program files\Common Files\AOL\ACS\WLHook.dll


c:\program files\AOL Deskbar\deskbar.dll

c:\program files\Common Files\AOL\AOL Toolbar\Smartbox.dll



c:\program files\Common Files\AOL\AOL Toolbar\AOLHelper.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll


------------------------ Other Running Processes ------------------------


c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\CA\PPRT\bin\ITMRTSVC.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS




c:\program files\Multimedia keyboard utility\1.3\KBDAP32A.EXE

c:\program files\America Online 9.0a\waol.exe


c:\program files\iPod\bin\iPodService.exe

c:\program files\America Online 9.0a\shellmon.exe




Completion time: 2009-09-23 17:35 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-23 21:35

Pre-Run: 70,133,882,880 bytes free

Post-Run: 70,395,674,624 bytes free


[boot loader]



[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

198 --- E O F --- 2009-09-15 12:26


:) I was able to re-download Malwarebytes again, and run a first quick scan! Yay! I will now re-download Hijackthis, and do the same.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 2853

Windows 5.1.2600 Service Pack 3

9/23/2009 6:48:10 PM

mbam-log-2009-09-23 (18-48-10).txt

Scan type: Quick Scan

Objects scanned: 108291

Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\imeshmediabar.stockbar (Adware.Softomate) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

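The Malwarebytes log above has a fixed shape: a block of "<category> Infected: N" counts, then one "<category> Infected:" heading per category listing either "(No malicious items detected)" or one detection per line in the form "<object> (<family>) -> <action>". The Python parser below is an added example, not part of this thread and not part of Malwarebytes: it turns such a log into structured findings, tallies detections per threat family, cross-checks each declared count against the items actually listed (a truncated paste shows up as a mismatch), and separates out any detection whose action is not "Quarantined and deleted successfully". The embedded log is an excerpt of the quick-scan log above trimmed to the lines this parser uses.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example, not from the thread and not part of Malwarebytes: it reads the
per-category "... Infected: N" counts, the detection lines under each
"... Infected:" heading, and cross-checks the two.
"""
import re
from collections import Counter

# Excerpt of the quick-scan log above, trimmed to the lines this parser uses.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.41
Database version: 2853
Scan type: Quick Scan
Objects scanned: 108291
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\imeshmediabar.stockbar (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser\\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)\s*$")   # "Registry Keys Infected: 3"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")          # "Registry Keys Infected:"
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
REMOVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return declared counts, parsed findings, per-family tally and integrity checks."""
    declared, findings = {}, []
    section = None  # the "... Infected:" heading whose items we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append({"category": section, "object": m.group("obj"),
                             "family": m.group("family"), "action": m.group("action")})
    # Integrity check: each declared count must equal the number of items listed.
    parsed = Counter(f["category"] for f in findings)
    mismatches = [c for c, n in declared.items() if n != parsed.get(c, 0)]
    # Anything not quarantined still needs attention (e.g. "No action taken").
    unresolved = [f for f in findings if f["action"] != REMOVED]
    return {"declared": declared, "findings": findings,
            "families": Counter(f["family"] for f in findings),
            "mismatches": mismatches, "unresolved": unresolved}


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_MBAM_LOG)
    for family, n in report["families"].most_common():
        print(f"{n:3d}  {family}")
    print("count mismatches:", report["mismatches"] or "none")
    print("unresolved:", len(report["unresolved"]))
```

On the excerpt this yields four findings, three attributed to Adware.Softomate and one to Rogue.AntiVirus2008, with every declared count matching and nothing left unresolved. The same two GUIDs appearing under both "Registry Keys" and "Registry Values" is visible at a glance once the objects are structured.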

Could not run Hijack This. It downloaded to my desktop (installer), but after installing it (had done this once before), there was a blank icon besides the install icon. Clicking on the blank one said that it could not be located. Yet, it does not show up on my add or delete folder in the control panel??? Maybe I'm just doing something wrong? And it was going so well too! :)


I also did a complete scan with Malwarebytes and it came up clean-here's the log. Any further recommendations-any other files and folders to scan?

And, how about the Hijackthis problem I had? Thanks!

Malwarebytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 2853

Windows 5.1.2600 Service Pack 3

9/23/2009 9:11:42 PM

mbam-log-2009-09-23 (21-11-42).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 249534

Time elapsed: 1 hour(s), 42 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff


Sorry for the late reply. I guess we are in different timezones. :)

It looks like we are almost done here. Yes, it's possible that you'll still get errors when you want to run programs; this is because the malware you were dealing with previously changed permissions on them (as with HijackThis).

To fix this...

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run

3) Drag the exe file onto fr33.exe. That should free/unlock it.

Example of how to do this (this is an example with the Malwarebytes exe file, mbam.exe). In your case, you should do it with the HijackThis.exe file or any other exe files that won't run.


You can do that with every exe file that cannot run.

Or, in case you are interested in how to do this manually and take ownership of locked files, then please see here (XP/Vista) for more info. Note: on XP Home, the "Security" tab is only visible in Safe Mode. In case there's no Security tab in XP Pro, then please see here (XP Pro

But it's not needed to do it manually if you use fr33.exe instead to "unlock" files. :blink:

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


Good afternoon Mieke! Or-just got up and trying to open my eyes morning here-it's 6:30am here. :)

I downloaded the FR33 file to my desktop as instructed, dragged the blank HijackThis icon over to it, but I still can't run HJthis. Tried it a couple of times and just still get this: Windows cannot access the specified device path or file...

OK, ran the ComboFix /u, and it removed the last installment of ComboFix, thank you. But I still have 3 more to remove on my desktop: ComboFix, Combo-Fix, and Combo-Fix1. How should I go about removing each of those?

Also have the Avenger zip file and folder on my desktop-what should I do with them?

Thank you! Hope your day is going well! :)



Hi Mieke,

OK, I see-guess that's all that's left of HJT on my system? I don't remember getting rid of it, but in my all programs list it's just there as a blank icon too. And as I said before, it doesn't show up on the add or delete program page either in the control panel.


That didn't work for me Mieke. It downloaded like it was already there-very quickly. I guess the exe file is on my computer somewhere, but not on the desktop, even after downloading again. I tried the drag and drop again too-it says done, but when I click on HJT (still blank) icon on my desktop, it says it can't be found still.


  • Staff

Anyway, let's have a look at it this way, so do the following...

Open Notepad and copy and paste the text present in the quotebox into it:

DIR /a/s C:\hijackthis.* >Look.txt

Start notepad Look.txt

Save this as look.bat, choose to save as type "All files", and place it on your desktop.

It should look like this: bat.gif

Double-click on it and Notepad should open.

Copy and paste the contents of it in your next reply.


OK, Mieke, yes, that worked, here you go:

Volume in drive C has no label.

Volume Serial Number is A846-C63D

Directory of C:\Documents and Settings\All Users\Start Menu\Programs

09/21/2009 04:27 PM <DIR> HijackThis

0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis

09/24/2009 07:48 AM 1,650 HijackThis.lnk

1 File(s) 1,650 bytes

Directory of C:\Documents and Settings\Owner\Desktop

09/24/2009 07:48 AM 1,638 HijackThis.lnk

1 File(s) 1,638 bytes

Directory of C:\Program Files\Trend Micro

09/21/2009 04:27 PM <DIR> HijackThis

0 File(s) 0 bytes

Directory of C:\Program Files\Trend Micro\HijackThis

09/21/2009 04:27 PM 396,288 HijackThis.exe

1 File(s) 396,288 bytes

Total Files Listed:

3 File(s) 399,576 bytes

2 Dir(s) 75,283,001,344 bytes free


This topic is now closed to further replies.