Security suite infection


TightF

First, make sure you have saved all your work before you begin, and close your open apps.

Step 1

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positively to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.

Step 2

Note: If using Firefox, right-click on any download links and choose Save As.

Save both files to the same place: the Desktop.

Please download OTH and SAVE to the Desktop

Please download OTL and SAVE to the Desktop

Double-click the OTH file to run it and click Kill All Processes; your desktop will go blank.

IF you are running Vista or Windows 7, then do a Right-click on OTH and select Run As Administrator to start.

Once OTH has started, click on Start OTL. OTL will now start.

  • Do the following in OTL:
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

  • Back in OTH:
    Click the Internet Explorer button. Go to this forum & login & return to this topic.
    Copy & Paste these logs into your reply here.
  • After you are all done, press Reboot to start your system fresh.

Edited by Maurice Naggar

Thanks for helping. I've worked through the above, and I have only got the OTL.Txt box opening.

OTL logfile created on: 06/09/2010 16:03:14 - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = D:\Documents and Settings\Richard\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 35.85 Gb Total Space | 18.14 Gb Free Space | 50.60% Space Free | Partition Type: NTFS

Drive D: | 197.03 Gb Total Space | 113.90 Gb Free Space | 57.81% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive L: | 3.81 Gb Total Space | 1.61 Gb Free Space | 42.15% Space Free | Partition Type: FAT32

Computer Name: SNA123456789

Current User Name: Richard

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/06 16:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Richard\Desktop\OTL.scr

PRC - [2010/09/06 16:00:40 | 000,258,560 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Richard\Desktop\OTH.scr

PRC - [2010/07/30 09:27:40 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe

PRC - [2010/07/30 09:27:37 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2009/09/03 09:39:33 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/09/03 09:39:27 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/09/03 09:39:25 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe

========== Modules (SafeList) ==========

MOD - [2010/09/06 16:01:02 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Richard\Desktop\OTL.scr

MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)

SRV - [2010/07/30 09:27:37 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/03/26 11:58:47 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/09/06 07:06:20 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor8.0)

SRV - [2009/09/03 09:39:25 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)

SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)

SRV - [2009/04/08 11:38:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2008/10/09 16:32:56 | 000,014,336 | ---- | M] (Vodafone) [Auto | Stopped] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)

SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

SRV - [2006/02/23 13:09:06 | 000,114,784 | ---- | M] () [Auto | Stopped] -- c:\APPS\Powercinema\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)

SRV - [2006/02/23 13:09:04 | 000,266,338 | ---- | M] () [Auto | Stopped] -- c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)

SRV - [2006/02/23 13:08:28 | 001,073,152 | ---- | M] (Cyberlink) [Auto | Stopped] -- c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)

SRV - [2006/01/30 09:47:48 | 000,032,768 | ---- | M] (Softex Inc.) [Auto | Stopped] -- C:\APPS\Softex\OmniPass\OmniServ.exe -- (omniserv)

SRV - [2005/10/20 07:15:00 | 000,090,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe -- (USBDeviceService)

SRV - [2005/03/14 13:05:02 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

SRV - [2005/01/31 10:45:20 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)

SRV - [2004/04/08 09:38:26 | 001,135,728 | ---- | M] (America Online, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\ZoneLabs\srescan.sys -- (srescan)

DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\rootrepeal.sys -- (rootrepeal)

DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2010/02/19 09:45:22 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)

DRV - [2010/02/19 09:45:22 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)

DRV - [2010/02/19 09:45:21 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)

DRV - [2010/02/15 12:54:50 | 000,007,040 | ---- | M] (FNet Co., Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FNETURPX.SYS -- (FNETURPX)

DRV - [2009/09/03 09:39:32 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)

DRV - [2009/09/03 09:39:32 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)

DRV - [2009/05/06 08:37:37 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)

DRV - [2009/02/17 15:05:47 | 000,024,616 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)

DRV - [2009/02/17 15:05:47 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)

DRV - [2009/02/13 09:03:03 | 000,008,552 | ---- | M] (Windows

Edited by Maurice Naggar
Emphasis added

The extras file has appeared after a reboot?

OTL Extras logfile created on: 06/09/2010 16:03:14 - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = D:\Documents and Settings\Richard\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 35.85 Gb Total Space | 18.14 Gb Free Space | 50.60% Space Free | Partition Type: NTFS

Drive D: | 197.03 Gb Total Space | 113.90 Gb Free Space | 57.81% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive J: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive L: | 3.81 Gb Total Space | 1.61 Gb Free Space | 42.15% Space Free | Partition Type: FAT32

Computer Name: SNA123456789

Current User Name: Richard

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [Digital Photo Professional] -- L:\canon\Digital Photo Professional\DPPViewer.exe /path "%1" File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%ProgramFiles%\AOL 9.0\aol.exe" = %ProgramFiles%\AOL 9.0\aol.exe:*:Enabled:AOL -- (America Online, Inc.)

"%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\logo_ubi.exe" = %ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\logo_ubi.exe:*:Enabled:SPLINTER CELL PANDORA -- File not found

"%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\pandora.exe" = %ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\pandora.exe:*:Enabled:PANDORA -- File not found

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)

"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{0BF5FBE7-3907-4A1F-9E48-8B66E52850D6}" = TrayApp

"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour

"{17DFE37C-064E-4834-AD8F-A4B2B4DF68F8}" = Adobe Photoshop Elements 8.0

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1E1F1E70-14D8-4380-8652-BD1A895A7D65}" = Status

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2

"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations

"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 6.009.00

"{31263605-FC84-4787-B847-BA445B147E24}" = ScannerCopy

"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4

"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform

"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime

"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm

"{4462265B-3DC7-44AD-B56D-D09BA67BA422}" = 6300

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"{4BE53DB2-C1F2-44D1-A9AB-1630BA7F2AF1}" = SolutionCenter

"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1

"{5A065EA0-0EEC-4E94-A2A0-40812576C122}" = Ulead PhotoImpact 10 SE

"{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}" = Macromedia Flash Player 8

"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI

"{6DE721A5-5E89-4D74-994C-652BB3C0672E}" = Pinnacle Video Driver

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme

"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}" = Macromedia Shockwave Player

"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8EAB2384-C794-40ED-A9DD-3270A0D2BB76}" = Ulead VideoStudio 9.0 SE DVD

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules

"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003

"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio

"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy

"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support

"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3

"{BB7DEA41-298E-450B-9C3A-E7B48D9D021B}" = 6300_Help

"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord

"{BF4E9ED0-EF26-4A4C-A123-6A6A1ABEE411}" = DocProc

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C1212AE3-DBB9-4365-8473-F8ABC7B06BBB}" = Pinnacle Instant DVD Recorder

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{C656142F-EFE1-44CD-BFAD-6CBC6DCB9860}" = Vodafone Mobile Connect Lite

"{C6812939-B117-48E6-A3BA-1709C14A3C8C}" = Scan

"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA

"{C98E8D9D-21DE-4F87-A9B7-142BB89840FC}" = Toolbox

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CD442089-F88D-4F46-8E3C-E4B2964B2415}" = SageAcc

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}" = HP Photosmart Essential

"{DEBB2986-15B0-4D28-95FA-5C966A396589}" = HPProductAssistant

"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update

"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series

"{E5A8DDAB-AE80-48C6-A75B-D0FAB83B299D}" = HP PSC & OfficeJet 6.1.A

"{EC2715CE-C182-483C-84CC-81D7D914CF14}" = WebReg

"{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}" = HP Software Update

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F2AB49F2-D632-446C-9A6E-5B4A98DFF13B}" = 6300Trb

"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = RAW Image Task

"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA

"7-Zip" = 7-Zip 4.65

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Photoshop Elements 8.0" = Adobe Photoshop Elements 8.0

"Alon Video Joiner_is1" = Alon Video Joiner

"AVG8Uninstall" = AVG Free 8.5

"BlazeDTV 4.0_is1" = BlazeDTV 4.0

"Burn4Free" = Burn4Free CD and DVD

"CAL" = Canon Camera Access Library

"CameraWindowDC" = Canon Utilities CameraWindow DC

"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX

"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX

"CameraWindowLauncher" = Canon Utilities CameraWindow

"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder

"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX

"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX

"Canon MOV Decoder" = Canon MOV Decoder

"Canon MOV Encoder" = Canon MOV Encoder

"CCleaner" = CCleaner

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"CSCLIB" = Canon Camera Support Core Library

"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)

"DPP" = Canon Utilities Digital Photo Professional 3.7

"Easy Video Joiner_is1" = Easy Video Joiner 5.21

"EOS Utility" = Canon Utilities EOS Utility

"FLV Player" = FLV Player 2.0 (build 25)

"Glary Utilities_is1" = Glary Utilities 2.23.0.923

"HP Imaging Device Functions" = HP Imaging Device Functions 6.1

"HP Solution Center & Imaging Support Tools" = HP Solution Center and Imaging Support Tools 6.1

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie8" = Windows Internet Explorer 8

"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"InstallShield_{CD442089-F88D-4F46-8E3C-E4B2964B2415}" = Sage Accounts V10.00

"InstallShield_{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = Canon RAW Image Task for ZoomBrowser EX

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX

"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSMONEYV50" = Microsoft Money 5.0

"MyCamera" = Canon Utilities MyCamera

"MyCameraDC" = Canon Utilities MyCamera DC

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"Original Data Security Tools" = Canon Utilities Original Data Security Tools

"PcCloneEX" = PcCloneEX

"PhotoStitch" = Canon Utilities PhotoStitch

"Picture Style Editor" = Canon Utilities Picture Style Editor

"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX

"RemoteCaptureDC" = Canon Utilities RemoteCapture DC

"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX

"Sage MIS 3.01" = Sage MIS 3.01

"TomTom HOME" = TomTom HOME 2.6.2.1586

"Update Service" = Update Service

"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

"WFTK" = Canon Utilities WFT-E1/E2/E3/E4/E5 Utility

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinGimp-2.0_is1" = GIMP 2.6.8

"WinLiveSuite_Wave3" = Windows Live Essentials

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"zfupload" = Zenfolio Uploader

"ZoneAlarm" = ZoneAlarm

"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 06/09/2010 05:58:10 | Computer Name = SNA123456789 | Source = Google Update | ID = 20

Description =

Error - 06/09/2010 06:58:12 | Computer Name = SNA123456789 | Source = Google Update | ID = 20

Description =

Error - 06/09/2010 07:09:43 | Computer Name = SNA123456789 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

Error - 06/09/2010 07:58:05 | Computer Name = SNA123456789 | Source = Google Update | ID = 20

Description =

Error - 06/09/2010 08:58:05 | Computer Name = SNA123456789 | Source = Google Update | ID = 20

Description =

Error - 06/09/2010 09:13:43 | Computer Name = SNA123456789 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module ospihat.dll, version 1.0.0.823, fault address 0x00002f17.

Error - 06/09/2010 09:22:18 | Computer Name = SNA123456789 | Source = Application Error | ID = 1000

Description = Faulting application fvfidxmshdw.exe, version 5.1.2600.0, faulting

module unknown, version 0.0.0.0, fault address 0x7ca2a587.

Error - 06/09/2010 09:58:05 | Computer Name = SNA123456789 | Source = Google Update | ID = 20

Description =

Error - 06/09/2010 10:58:10 | Computer Name = SNA123456789 | Source = Google Update | ID = 20

Description =

Error - 06/09/2010 11:03:21 | Computer Name = SNA123456789 | Source = VMCService | ID = 0

Description = conflictManagerTypeValue

[ System Events ]

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done

this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The Softex OmniPass Service service terminated unexpectedly. It has

done this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The Sony Ericsson OMSI download service service terminated unexpectedly.

It has done this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The TomTomHOMEService service terminated unexpectedly. It has done

this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The USBDeviceService service terminated unexpectedly. It has done

this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The Ulead Burning Helper service terminated unexpectedly. It has

done this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7031

Description = The Vodafone Mobile Connect Service service terminated unexpectedly.

It has done this 1 time(s). The following corrective action will be taken in

60000 milliseconds: Restart the service.

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The CyberLink Task Scheduler (CTS) service terminated unexpectedly.

It has done this 1 time(s).

Error - 06/09/2010 11:02:20 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The Canon Camera Access Library 8 service terminated unexpectedly.

It has done this 1 time(s).

Error - 06/09/2010 11:02:21 | Computer Name = SNA123456789 | Source = Service Control Manager | ID = 7034

Description = The iPod Service service terminated unexpectedly. It has done this

1 time(s).

< End of report >

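As an added example (not part of this thread and not OTL's own code), a small Python triage script that parses the three sections of the logs above that carry the most signal: services and drivers whose file is not found, Security Center and firewall-policy values that silence or disable protection, and Application Error events with their wrapped Description lines re-joined. Its input is a constructed sample of lines copied from the two logs, and the flagged values are leads for the helper to weigh, not verdicts: a disabled Windows Firewall profile and a DisableMonitoring entry are what one expects when a third-party firewall such as ZoneAlarm is installed.

```python
import re

# Constructed sample in the shape of the OTL.txt / Extras.txt sections posted
# in this thread: a handful of lines copied from those logs, not a full log.
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2009/09/03 09:39:25 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\rootrepeal.sys -- (rootrepeal)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 06/09/2010 05:58:10 | Computer Name = SNA123456789 | Source = Google Update | ID = 20
Description =
Error - 06/09/2010 09:13:43 | Computer Name = SNA123456789 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ospihat.dll, version 1.0.0.823, fault address 0x00002f17.
Error - 06/09/2010 09:22:18 | Computer Name = SNA123456789 | Source = Application Error | ID = 1000
Description = Faulting application fvfidxmshdw.exe, version 5.1.2600.0, faulting
module unknown, version 0.0.0.0, fault address 0x7ca2a587.
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
NOT_FOUND_RE = re.compile(r"^(SRV|DRV) - File not found \[(.*?)\] -- (.*?) -- \((.*?)\)")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
EVENT_RE = re.compile(r"^Error - \S+ \S+ \| .*?Source = (.+?) \| ID = (\d+)$")
FAULT_RE = re.compile(r"Faulting application (\S+), version \S+, faulting module (\S+),")
# Values that silence or switch off built-in protection. They are expected when a
# third-party firewall (ZoneAlarm here) is installed, so they are leads, not verdicts.
WEAKENING = {("DisableMonitoring", "1"), ("EnableFirewall", "0"),
             ("AntiVirusDisableNotify", "1"), ("FirewallDisableNotify", "1")}

def parse_sections(text):
    """Split an OTL log into {section title: [lines]} on its '=====' headers."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def missing_files(sections):
    """Service/driver entries whose image file OTL could not find; the last
    flag in the bracket is the state, so a 'Running' entry stands out."""
    out = []
    for title in ("Win32 Services (SafeList)", "Driver Services (SafeList)"):
        for m in filter(None, map(NOT_FOUND_RE.match, sections.get(title, []))):
            kind, flags, path, name = m.groups()
            out.append((kind, name, path, flags.split("|")[-1].strip()))
    return out

def protection_settings(sections):
    """Weakening registry values in the Security Center section, tagged with
    the last component of the key they sit under."""
    findings, key = [], ""
    for line in sections.get("Security Center Settings", []):
        if m := REG_KEY_RE.match(line):
            key = m.group(1).rsplit("\\", 1)[-1]
        elif (m := REG_VALUE_RE.match(line)) and (m.group(1), m.group(2).strip()) in WEAKENING:
            findings.append((key, m.group(1), m.group(2).strip()))
    return findings

def application_crashes(sections):
    """(application, faulting module) pairs from Application Error / ID 1000
    events, re-joining the Description text that OTL wraps over two lines."""
    events, current = [], None  # current = (source, event id, [description lines])
    for line in sections.get("Last 10 Event Log Errors", []):
        if m := EVENT_RE.match(line):
            current = (m.group(1), m.group(2), [])
            events.append(current)
        elif line.startswith("Description =") and current:
            current[2].append(line[len("Description ="):].strip())
        elif current and not line.startswith("["):
            current[2].append(line)  # wrapped continuation of the description
    crashes = []
    for source, event_id, desc in events:
        m = FAULT_RE.search(" ".join(desc))
        if source == "Application Error" and event_id == "1000" and m:
            crashes.append((m.group(1), m.group(2)))
    return crashes

def triage(text):
    """Run the three checks over one log text and return the findings by name."""
    sections = parse_sections(text)
    return {"missing_files": missing_files(sections),
            "protection_settings": protection_settings(sections),
            "application_crashes": application_crashes(sections)}
```

On the posted logs the crash list is the part worth a second look: explorer.exe faulting inside ospihat.dll and a crash of fvfidxmshdw.exe, neither of which appears among the installed programs or signed services elsewhere in the report.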

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Richard and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Do as much as you can of steps 1, 2, 3. If you run into a roadblock, proceed to its following step.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next, un-check Hide protected operating system files.

Step 3

Download FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive, to your Desktop from >>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 4

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

  • Please double-click OTL.SCR to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
    O2 - BHO: (no name) - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O4 - HKLM..\Run: [roycoyhn] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe (Security Suites Corporation)
    O4 - Startup: D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe ()
    :files
    D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu
    D:\Documents and Settings\Richard\Local Settings\Application Data\53YQ5yXeP
    D:\Documents and Settings\All Users\Application Data\53YQ5yXeP
    D:\Documents and Settings\Richard\Local Settings\Application Data\760y
    D:\Documents and Settings\All Users\Application Data\760y
    D:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
    D:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
    D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    recycler /alldrives
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "roycoyhn"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a1bfbb8-3fc4-11de-9c5e-001731df5c54}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27312362-f9de-11de-942c-001731df5c54}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8ea072c-fccb-11dd-9c0d-001731df5c54}]
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 5

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix "what next" prompt]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the OTL MovedFiles log

and C:\Combofix.txt

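The OTL fix above removes a recognisable cluster of indicators: an Internet Explorer proxy pointed at 127.0.0.1:6092 (so the rogue sits between the browser and the network), a BHO and a toolbar entry with no CLSID registration behind them, a Run entry launching from the systemprofile Local Settings folder, and a Startup-folder executable with no publisher. The Python below is an added example for this thread (not OTL's code and not the helper's fix script) that applies those same checks to OTL scan lines, so the pattern can be spotted in future logs. The sample lines are the ones quoted in the fix; the AVG autorun line, with its path and publisher, is a constructed benign entry the rules should leave alone.

```python
"""Triage OTL scan lines for the proxy and persistence indicators seen in this thread.

Added example; not OTL's own code. The rules are review hints, not verdicts:
a flagged line deserves a look, an unflagged line is not proven clean.
"""
import re

# Sample OTL scan lines. All but the AVG line are quoted from the fix script
# posted above; the AVG path and publisher are constructed for illustration.
SAMPLE_OTL_LINES = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092',
    r'O2 - BHO: (no name) - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - No CLSID value found.',
    r'O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.',
    r'O4 - HKLM..\Run: [roycoyhn] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe (Security Suites Corporation)',
    r'O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)',  # constructed benign entry
    r'O4 - Startup: D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe ()',
]

# One regex per OTL line type handled here; each exposes named groups used below.
IE_RE = re.compile(r'^IE - (?P<key>[^:]+): "(?P<name>[^"]+)" = (?P<value>.*)$')
BHO_RE = re.compile(r'^O[23] - (?P<key>[^:]+): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<status>.+)$')
O4_RE = re.compile(r'^O4 - (?P<where>[^:]+): (?:\[(?P<value>[^\]]*)\] )?(?P<path>.+) \((?P<company>[^()]*)\)$')

# A proxy on the local machine means some local process sees all browser traffic.
LOOPBACK_HOSTS = ("127.0.0.1", "localhost", "[::1]")
# Directories a legitimate autorun binary rarely lives in (compared case-insensitively).
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\application data\\",
    "\\temp\\",
    "\\systemprofile\\",
    "\\recycler\\",
)


def triage_line(line):
    """Classify one OTL scan line. Returns (category, reason) or None if nothing stands out."""
    m = IE_RE.match(line)
    if m:
        if m["name"].lower() == "proxyserver" and any(h in m["value"].lower() for h in LOOPBACK_HOSTS):
            return ("proxy-hijack",
                    f"IE proxy set to {m['value']}: browser traffic is routed through a process on this machine")
        return None
    m = BHO_RE.match(line)
    if m:
        if "no clsid value found" in m["status"].lower():
            return ("orphan-bho", f"{m['key']} entry {m['clsid']} has no CLSID registration behind it")
        return None
    m = O4_RE.match(line)
    if m:
        path, company = m["path"].lower(), m["company"].strip()
        reasons = []
        if any(d in path for d in SUSPECT_DIRS):
            reasons.append("runs from a profile/temp directory instead of Program Files")
        if not company:
            reasons.append("binary carries no publisher information")
        if reasons:
            return ("autorun", f"{m['where']} -> {m['path']}: " + "; ".join(reasons))
        return None
    return None


def triage(lines):
    """Run triage_line over OTL scan lines and return the flagged ones with their reasons."""
    findings = []
    for line in lines:
        hit = triage_line(line.strip())
        if hit:
            category, reason = hit
            findings.append({"line": line, "category": category, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OTL_LINES):
        print(f"[{finding['category']}] {finding['reason']}")
```

Run as-is it prints five findings and stays silent on ProxyEnable, ProxyOverride and the constructed AVG entry; ProxyEnable alone is not flagged because a proxy is only suspicious here when it points back at the local machine.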

Thanks for the help Maurice, I'm at the end of step 4

All processes killed

========== PROCESSES ==========

========== OTL ==========

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1BA40A2-75F2-51BD-F413-04B13A2C8953}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1BA40A2-75F2-51BD-F413-04B13A2C8953}\ not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\roycoyhn deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe moved successfully.

File move failed. D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe scheduled to be moved on reboot.

========== FILES ==========

File move failed. D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe scheduled to be moved on reboot.

File\Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe not found.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu folder moved successfully.

D:\Documents and Settings\Richard\Local Settings\Application Data\53YQ5yXeP moved successfully.

D:\Documents and Settings\All Users\Application Data\53YQ5yXeP moved successfully.

D:\Documents and Settings\Richard\Local Settings\Application Data\760y moved successfully.

D:\Documents and Settings\All Users\Application Data\760y moved successfully.

File\Folder D:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 not found.

File\Folder D:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0 not found.

File\Folder D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 not found.

C:\RECYCLER\S-1-5-21-639966265-279087241-1429654359-1003 folder moved successfully.

C:\RECYCLER\S-1-5-21-1181310321-50511119-2756981553-500 folder moved successfully.

C:\RECYCLER\S-1-5-21-1181310321-50511119-2756981553-1006\Dc1 folder moved successfully.

C:\RECYCLER\S-1-5-21-1181310321-50511119-2756981553-1006 folder moved successfully.

C:\RECYCLER folder moved successfully.

D:\RECYCLER\S-1-5-21-639966265-279087241-1429654359-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-3538388272-3312137957-3229232274-1006 folder moved successfully.

D:\RECYCLER\S-1-5-21-3449932123-1217478607-1450984100-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-3209823499-62348722-344252789-1003 folder moved successfully.

D:\RECYCLER\S-1-5-21-2181337577-978366292-606636883-1006 folder moved successfully.

D:\RECYCLER\S-1-5-21-1181310321-50511119-2756981553-500 folder moved successfully.

D:\RECYCLER\S-1-5-21-1181310321-50511119-2756981553-1006 folder moved successfully.

D:\RECYCLER folder moved successfully.

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\roycoyhn not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a1bfbb8-3fc4-11de-9c5e-001731df5c54}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a1bfbb8-3fc4-11de-9c5e-001731df5c54}\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{27312362-f9de-11de-942c-001731df5c54}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27312362-f9de-11de-942c-001731df5c54}\ not found.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8ea072c-fccb-11dd-9c0d-001731df5c54}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8ea072c-fccb-11dd-9c0d-001731df5c54}\ not found.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.SNA123456789

->Temp folder emptied: 194393 bytes

->Temporary Internet Files folder emptied: 518150 bytes

User: Aerial supplies

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

->Temp folder emptied: 65716 bytes

->Temporary Internet Files folder emptied: 4369840 bytes

User: LocalService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.000

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.001

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.002

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.003

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService.NT AUTHORITY

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.000

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.001

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.002

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.003

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.004

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Packard Bell

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Richard

->Temp folder emptied: 1023738 bytes

->Temporary Internet Files folder emptied: 14645206 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 39648570 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 562230 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 38476472 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1573602 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 96.00 mb

Unable to start service SrService!

[EMPTYFLASH]

User: Administrator

User: Administrator.SNA123456789

User: Aerial supplies

->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: LocalService.NT AUTHORITY

User: LocalService.NT AUTHORITY.000

User: LocalService.NT AUTHORITY.001

User: LocalService.NT AUTHORITY.002

User: LocalService.NT AUTHORITY.003

User: NetworkService

User: NetworkService.NT AUTHORITY

User: NetworkService.NT AUTHORITY.000

User: NetworkService.NT AUTHORITY.001

User: NetworkService.NT AUTHORITY.002

User: NetworkService.NT AUTHORITY.003

User: NetworkService.NT AUTHORITY.004

User: Packard Bell

User: Richard

->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.11.0 log created on 09072010_095150

Files\Folders moved on Reboot...

D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe moved successfully.

Registry entries deleted on Reboot...

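Reading a fix log like the one above is a reconciliation exercise rather than a scan for the word "successfully": the :OTL section had already moved fvfidxmshdw.exe, so the later :files pass reports it "not found"; wwwrfd32.exe was in use and only cleared in the post-reboot log; and the three TEMP:xxxx entries (alternate data streams on the TEMP folder) come back "not found", which from a general-purpose mover is not the same as confirmed absent. The Python below is an added example for this thread, not OTL output or the helper's material. It walks the :files targets from the fix script against an abridged copy of the posted fix log and the post-reboot log, and lists what still needs a follow-up check.

```python
"""Reconcile an OTL fix script's :files targets against the fix log it produced.

Added example; not OTL's own code. Log excerpts are abridged from the logs
posted in this thread to the lines the check needs.
"""
import re

# Targets taken from the :files section of the fix script posted earlier.
FIX_TARGETS = [
    r"D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe",
    r"C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe",
    r"C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu",
    r"D:\Documents and Settings\Richard\Local Settings\Application Data\53YQ5yXeP",
    r"D:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9",
]

# Abridged fix log as posted. The :OTL section moved fvfidxmshdw.exe before the
# :files section ran, which is why :files later reports it "not found".
FIX_LOG = r"""
========== OTL ==========
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe moved successfully.
File move failed. D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe scheduled to be moved on reboot.
========== FILES ==========
File move failed. D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe scheduled to be moved on reboot.
File\Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe not found.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu folder moved successfully.
D:\Documents and Settings\Richard\Local Settings\Application Data\53YQ5yXeP moved successfully.
File\Folder D:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 not found.
"""

# The short log OTL wrote after the reboot, also as posted.
REBOOT_LOG = r"""
Files\Folders moved on Reboot...
D:\Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe moved successfully.
"""

MOVED_RE = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
SCHEDULED_RE = re.compile(r"^File move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+) not found\.$")

# A better outcome recorded anywhere in the logs wins over a worse one: a move
# followed by "not found" in a later section still counts as moved.
RANK = {"not found": 0, "pending reboot": 1, "moved": 2}


def fix_outcomes(log_lines):
    """Map each path mentioned in the log (lower-cased) to its best recorded outcome."""
    outcomes = {}
    for line in log_lines:
        line = line.strip()
        for regex, outcome in ((MOVED_RE, "moved"), (SCHEDULED_RE, "pending reboot"), (NOT_FOUND_RE, "not found")):
            m = regex.match(line)
            if m:
                key = m["path"].lower()
                if key not in outcomes or RANK[outcome] > RANK[outcomes[key]]:
                    outcomes[key] = outcome
                break
    return outcomes


def reconcile(targets, *logs):
    """Classify each fix-script target across one or more logs (fix log, then reboot log).
    'unaccounted' means no log line mentioned the path at all."""
    outcomes = {}
    for log in logs:
        for key, outcome in fix_outcomes(log.splitlines()).items():
            if key not in outcomes or RANK[outcome] > RANK[outcomes[key]]:
                outcomes[key] = outcome
    return {t: outcomes.get(t.lower(), "unaccounted") for t in targets}


def needs_follow_up(result):
    """Targets not confirmed moved. A 'not found' on a name with a colon (an alternate
    data stream) should be re-checked with a tool that enumerates streams."""
    return [t for t, outcome in result.items() if outcome != "moved"]


if __name__ == "__main__":
    result = reconcile(FIX_TARGETS, FIX_LOG, REBOOT_LOG)
    for target, outcome in result.items():
        print(f"{outcome:15} {target}")
    print("follow up:", needs_follow_up(result))
```

With only the fix log, wwwrfd32.exe shows as pending reboot; once the reboot log is added it resolves to moved, leaving the TEMP:CB0AACC9 stream as the one item still to verify by other means.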

I cannot get Combo-fix to run, I get a small box appear with green boxes scrolling across and then it closes.

Also I cannot connect to the internet with a firewall running, I've checked the settings and they appear ok.

Apart from that the PC looks a lot better.

A) You downloaded and SAVED Combofix to the Desktop, right? Then after that, you started Combofix (with the red lion icon)?

It seems the "green boxes" you refer to would be the "progress bar" as Combofix first started.

Don't rerun Combofix until we've determined what's what.

B) When did this internet connection issue show up? What do you mean by firewall running? Which are you using? Zone Alarm?

See if you can manage this next:

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


Internet now working with ZoneAlarm running, the Dr.Web report is:

Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:684;;Trojan.AuxSpy.187;Eradicated.;

owyg.exe;C:\WINDOWS\system32\config\systemprofile\Application Data\Cuwizy;Trojan.PWS.Panda.387;Deleted.;

oacci.bak;D:\DOCUME~1\Richard\LOCALS~1\Temp;Trojan.AuxSpy.187;Deleted.;

vaderetro_oe.exe;c:\program files\goto software\vade retro;BackDoor.Nels.11;Deleted.;

ospihat.dll;c:\windows;BackDoor.Tdss.4037;Deleted.;


Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

It is very important you have MBAM remove all items it tags.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix "what next" prompt]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the MBAM scan log

and C:\Combofix.txt


Combo fix has run but now appears to have hung. The blue box has been at "preparing log report" for 20 mins or so. A ZoneAlarm box is asking if Nircmd.exe can access the Internet? Not sure whether to allow it to.

Sorry if there are more spelling errors than normal, had to post from my phone!


I made an executive decision and allowed it to run. Combo fix then carried on and finished, here's the report:

ComboFix 10-09-07.01 - Richard 08/09/2010 12:34:43.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2814.2160 [GMT 1:00]

Running from: d:\documents and settings\Richard\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\axeyosamavab.dll

c:\windows\edidavemomixef.dll

c:\windows\ozogefimifetelag.dll

c:\windows\system32\Thumbs.db

d:\documents and settings\All Users\Application Data\hpe118.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))

.

2010-09-08 07:53 . 2010-09-08 08:24 -------- d-----w- d:\documents and settings\Richard\DoctorWeb

2010-09-07 09:12 . 2010-09-08 07:47 0 ----a-w- c:\windows\Wnocagidimeq.bin

2010-09-07 09:12 . 2010-09-07 09:12 120 ----a-w- c:\windows\Yvewujojulowunik.dat

2010-09-07 09:12 . 2010-09-07 09:12 -------- d-----w- d:\documents and settings\Richard\Local Settings\Application Data\{3C1AAA20-6DBF-4506-963E-C7A91F50E94C}

2010-09-07 08:33 . 2010-09-07 08:33 -------- d-----w- c:\program files\ERUNT

2010-09-06 14:53 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-06 14:53 . 2010-09-08 11:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-06 14:53 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-06 07:34 . 2010-09-06 07:34 0 ----a-w- d:\documents and settings\Richard\settings.dat

2010-09-03 12:07 . 2010-09-03 12:07 -------- d-----w- d:\documents and settings\Administrator.SNA123456789\Application Data\U3

2010-09-03 07:43 . 2010-09-03 07:43 -------- d-----w- C:\$AVG

2010-09-02 13:41 . 2010-09-02 13:41 -------- d-----w- d:\documents and settings\Administrator.SNA123456789\Application Data\Windows Search

2010-08-31 13:52 . 2010-08-31 13:52 -------- d-----w- c:\program files\iPod

2010-08-31 13:52 . 2010-08-31 13:53 -------- d-----w- c:\program files\iTunes

2010-08-10 08:37 . 2010-08-10 08:37 -------- d-----w- d:\documents and settings\Richard\Local Settings\Application Data\Zenfolio

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-08 11:27 . 2008-02-14 09:12 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP

2010-09-07 08:02 . 2010-09-07 09:12 8704 ----a-w- c:\windows\Internet Logs\xDB3.tmp

2010-09-07 08:02 . 2009-09-09 12:18 8489703 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-09-07 07:54 . 2010-09-07 08:02 8192 ----a-w- c:\windows\Internet Logs\xDB1130.tmp

2010-09-07 07:53 . 2010-09-07 07:53 8704 ----a-w- c:\windows\Internet Logs\xDB1123.tmp

2010-09-07 07:53 . 2010-09-07 07:53 8192 ----a-w- c:\windows\Internet Logs\xDB1121.tmp

2010-09-07 07:53 . 2010-09-07 07:53 8192 ----a-w- c:\windows\Internet Logs\xDB1120.tmp

2010-09-07 07:53 . 2010-09-07 07:53 8704 ----a-w- c:\windows\Internet Logs\xDB111F.tmp

2010-09-07 07:53 . 2010-09-07 07:53 8192 ----a-w- c:\windows\Internet Logs\xDB111E.tmp

2010-09-07 07:53 . 2010-09-07 07:53 8192 ----a-w- c:\windows\Internet Logs\xDB111D.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB111C.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8704 ----a-w- c:\windows\Internet Logs\xDB111B.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB111A.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB1119.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB1118.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8704 ----a-w- c:\windows\Internet Logs\xDB1117.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB1116.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB1115.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB1114.tmp

2010-09-07 07:52 . 2010-09-07 07:52 8192 ----a-w- c:\windows\Internet Logs\xDB1112.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB1111.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB1110.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB110F.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8704 ----a-w- c:\windows\Internet Logs\xDB110E.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB110D.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB110C.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB110B.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB110A.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8704 ----a-w- c:\windows\Internet Logs\xDB1109.tmp

2010-09-07 07:51 . 2010-09-07 07:51 8192 ----a-w- c:\windows\Internet Logs\xDB1108.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8704 ----a-w- c:\windows\Internet Logs\xDB10F9.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F8.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F7.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F6.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F5.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F4.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8704 ----a-w- c:\windows\Internet Logs\xDB10F3.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F2.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F1.tmp

2010-09-07 07:49 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10F0.tmp

2010-09-07 07:48 . 2010-09-07 07:49 8192 ----a-w- c:\windows\Internet Logs\xDB10EF.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10EE.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10ED.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10EC.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10EB.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10EA.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8704 ----a-w- c:\windows\Internet Logs\xDB10E9.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10E8.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10E7.tmp

2010-09-07 07:48 . 2010-09-07 07:48 8704 ----a-w- c:\windows\Internet Logs\xDB10E6.tmp

2010-09-07 07:47 . 2010-09-07 07:48 8192 ----a-w- c:\windows\Internet Logs\xDB10E5.tmp

2010-09-07 07:47 . 2010-09-07 07:47 8192 ----a-w- c:\windows\Internet Logs\xDB10E4.tmp

2010-09-07 07:47 . 2010-09-07 07:47 8192 ----a-w- c:\windows\Internet Logs\xDB10E3.tmp

2010-09-07 07:47 . 2010-09-07 07:47 8192 ----a-w- c:\windows\Internet Logs\xDB10E1.tmp

2010-09-07 07:47 . 2010-09-07 07:47 8704 ----a-w- c:\windows\Internet Logs\xDB10E0.tmp

2010-09-07 07:47 . 2010-09-07 07:47 8192 ----a-w- c:\windows\Internet Logs\xDB10DF.tmp

2010-09-07 07:38 . 2010-09-07 07:47 8192 ----a-w- c:\windows\Internet Logs\xDB10DE.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8192 ----a-w- c:\windows\Internet Logs\xDB10DD.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8704 ----a-w- c:\windows\Internet Logs\xDB10DC.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8192 ----a-w- c:\windows\Internet Logs\xDB10DB.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8192 ----a-w- c:\windows\Internet Logs\xDB10DA.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8704 ----a-w- c:\windows\Internet Logs\xDB10D9.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8192 ----a-w- c:\windows\Internet Logs\xDB10D8.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8192 ----a-w- c:\windows\Internet Logs\xDB10D7.tmp

2010-09-07 07:38 . 2010-09-07 07:38 8704 ----a-w- c:\windows\Internet Logs\xDB10D6.tmp

2010-09-07 07:37 . 2010-09-07 07:38 8192 ----a-w- c:\windows\Internet Logs\xDB10D5.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10D4.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10D3.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10D2.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8704 ----a-w- c:\windows\Internet Logs\xDB10D1.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10D0.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10CF.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8704 ----a-w- c:\windows\Internet Logs\xDB10CE.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10CD.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10CC.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10CB.tmp

2010-09-07 07:37 . 2010-09-07 07:37 8192 ----a-w- c:\windows\Internet Logs\xDB10CA.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C9.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C8.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C7.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C6.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C5.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C4.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8704 ----a-w- c:\windows\Internet Logs\xDB10C3.tmp

2010-09-07 07:36 . 2010-09-07 07:36 8192 ----a-w- c:\windows\Internet Logs\xDB10C2.tmp

2010-09-07 07:35 . 2010-09-07 07:36 8704 ----a-w- c:\windows\Internet Logs\xDB10C1.tmp

2010-09-07 07:35 . 2010-09-07 07:35 8192 ----a-w- c:\windows\Internet Logs\xDB10C0.tmp

2010-09-07 07:35 . 2010-09-07 07:35 8192 ----a-w- c:\windows\Internet Logs\xDB10BF.tmp

2010-09-07 07:34 . 2010-09-07 07:34 8192 ----a-w- c:\windows\Internet Logs\xDB10B2.tmp

2010-09-07 07:34 . 2010-09-07 07:34 8704 ----a-w- c:\windows\Internet Logs\xDB10B0.tmp

2010-09-07 07:34 . 2010-09-07 07:34 8192 ----a-w- c:\windows\Internet Logs\xDB10AF.tmp

2010-09-07 07:33 . 2010-09-07 07:34 8192 ----a-w- c:\windows\Internet Logs\xDB10AE.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8704 ----a-w- c:\windows\Internet Logs\xDB10AD.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8192 ----a-w- c:\windows\Internet Logs\xDB10AC.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8192 ----a-w- c:\windows\Internet Logs\xDB10AB.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8192 ----a-w- c:\windows\Internet Logs\xDB10AA.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8192 ----a-w- c:\windows\Internet Logs\xDB10A9.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8192 ----a-w- c:\windows\Internet Logs\xDB10A8.tmp

2010-09-07 07:33 . 2010-09-07 07:33 8704 ----a-w- c:\windows\Internet Logs\xDB10A7.tmp

2010-09-07 07:32 . 2010-09-07 07:33 8192 ----a-w- c:\windows\Internet Logs\xDB10A6.tmp

2002-04-16 10:27 . 2002-04-16 10:27 5 --sha-w- c:\windows\system32\CdI5T.drv

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-02-13 3134976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-10-09 2086912]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-01 86016]

"nwiz"="nwiz.exe" [2005-12-01 1519616]

"OmniPass"="c:\apps\Softex\OmniPass\scureapp.exe" [2006-01-30 1978368]

"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"RTHDCPL"="RTHDCPL.EXE" [2006-02-10 15969280]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]

"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]

"USBToolTip"="c:\progra~1\COMMON~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-09 12:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-03 08:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

2006-01-30 08:53 49152 ----a-w- c:\apps\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Clone EX.LNK]

backup=c:\windows\pss\PC Clone EX.LNKCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

backup=c:\windows\pss\Windows Search.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12742504

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLog2

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

2010-07-30 08:27 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/02/2009 11:51 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/02/2009 11:51 108552]

R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [15/02/2010 12:54 7040]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28/04/2009 11:33 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/04/2009 11:33 66632]

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [06/09/2009 07:06 169312]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]

R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [29/03/2010 12:07 27632]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/01/2010 10:17 135664]

S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [29/03/2010 12:06 90112]

S3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\EC168BDA.sys [25/02/2009 13:57 87296]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [17/02/2009 15:05 13224]

S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [17/02/2009 14:47 90408]

S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [17/02/2009 14:47 15016]

S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [17/02/2009 14:47 122024]

S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [17/02/2009 14:47 115368]

S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [17/02/2009 14:47 25768]

S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [17/02/2009 14:47 111784]

S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [17/02/2009 14:47 117544]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/04/2009 11:33 12872]

S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [13/02/2009 11:51 908056]

S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/02/2009 11:51 297752]

.

Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-02-13 09:01]

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 09:16]

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 09:16]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.blatchat.com/f.asp?id=1

IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\DAP\dapextie.htm

IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll

Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll

DPF: {62AEFF80-16AD-4AC4-B812-E70EB5F37301} - hxxp://www.zenfolio.com/zf/code/upload-ie-win-x86.cab

FF - ProfilePath - d:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\mxp7kzqk.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.blatchat.com/f.asp?id=1

FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - HiddenExtension: XULRunner: {3C1AAA20-6DBF-4506-963E-C7A91F50E94C} - d:\documents and settings\Richard\Local Settings\Application Data\{3C1AAA20-6DBF-4506-963E-C7A91F50E94C}

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

HKLM-Run-Kyufizuq - c:\windows\axeyosamavab.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-08 12:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\apps\Softex\OmniPass\opxpgina.dll

.

Completion time: 2010-09-08 13:16:27

ComboFix-quarantined-files.txt 2010-09-08 12:16

Pre-Run: 19,328,806,912 bytes free

Post-Run: 19,283,271,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 977674286FDD8672623EEDA547C1F0BB

Edited by Maurice Naggar
Emphasis added

Good decision made. That doggone firewall asked for permission. Yes, nircmd is ok (from combofix).

We should follow up with an update of MBAM, and then a FULL scan.

Close/exit any apps you started. For this next run, temporarily disable your antivirus program.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a FULL Scan.

It is very important you have MBAM remove all items it tags.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Re-enable your antivirus and post the latest MBAM scan log.


All starting to look a lot better now, thanks.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4578

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

09/09/2010 09:12:42

mbam-log-2010-09-09 (09-12-42).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 350925

Time elapsed: 52 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\axeyosamavab.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.

D:\_OTL\MovedFiles\09072010_095150\C_WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

D:\_OTL\MovedFiles\09072010_095150\D_Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

Edited by Maurice Naggar
Highlights added for emphasis
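The two logs above (the ComboFix autostart / orphan section and the MBAM "Files Infected" list) are the kind of thing a helper triages by eye. Below is an added example of doing that triage in code; it is not part of the thread and not code from ComboFix or Malwarebytes. It parses the log lines quoted from this thread, maps the quarantined paths back to where the files originally ran from (the Qoobox `<drive>\<path>.vir` and OTL `<drive>_<path>` layouts are inferred from the paths shown in the logs), and flags the autostart locations that rogue-AV droppers favour. The "machine-generated name" vowel-ratio heuristic is my own assumption for illustration, not a rule either tool uses, and it deliberately misses pronounceable names like `axeyosamavab`, which the path rule catches instead.

```python
"""Triage helper for ComboFix / MBAM log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Lines copied from the ComboFix and MBAM logs quoted in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-02-13 3134976]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKLM-Run-Kyufizuq - c:\windows\axeyosamavab.dll
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\axeyosamavab.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
D:\_OTL\MovedFiles\09072010_095150\C_WINDOWS\system32\config\systemprofile\Local Settings\Application Data\hmhdysrgu\fvfidxmshdw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
D:\_OTL\MovedFiles\09072010_095150\D_Documents and Settings\Richard\Start Menu\Programs\Startup\wwwrfd32.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')
ORPHAN_RE = re.compile(r'^(?P<name>.+?) - (?P<path>.+)$')
MBAM_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$')
# Quarantine layouts inferred from the thread's logs (assumption): ComboFix's Qoobox
# stores <drive>\<original path>.vir, OTL stores <drive>_<original path>.
QOOBOX_RE = re.compile(r'^[a-z]:\\qoobox\\quarantine\\([a-z])\\(.+)\.vir$', re.I)
OTL_RE = re.compile(r'^[a-z]:\\_otl\\movedfiles\\[^\\]+\\([a-z])_(.+)$', re.I)
WINDIR_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.(dll|exe)$')
VOWELS = set("aeiou")


@dataclass
class Finding:
    source: str            # 'run', 'orphan', 'mbam' or 'policy'
    name: str
    path: str
    reasons: list = field(default_factory=list)


def original_location(path: str) -> str:
    """Map a quarantined/moved file back to the path it was executing from."""
    for rx in (QOOBOX_RE, OTL_RE):
        m = rx.match(path)
        if m:
            return f"{m.group(1)}:\\{m.group(2)}"
    return path


def looks_random(stem: str) -> bool:
    """Assumed heuristic: a consonant-heavy basename (vowel ratio < 0.2, at least
    six letters) is treated as machine-generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def path_reasons(path: str) -> list:
    """Reasons an autostart target deserves a second look; empty means 'looks normal'."""
    p = original_location(path).lower()
    if p == "(no file)":
        return ["autostart points at a missing file"]
    reasons = []
    if WINDIR_ROOT_RE.match(p):
        reasons.append("binary dropped directly under %windir%")
    if "\\local settings\\application data\\" in p or "\\appdata\\local\\" in p:
        reasons.append("binary under a profile's Local Settings\\Application Data")
    if "\\start menu\\programs\\startup\\" in p:
        reasons.append("binary in a Startup folder")
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append(f"machine-generated looking name '{stem}'")
    return reasons


def triage(log_text: str) -> list:
    """Walk the log once, tracking which section we are in; return flagged entries only."""
    findings, section, key = [], None, ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            section = "orphans"
            continue
        if line == "Files Infected:":
            section = "mbam"
            continue
        km = KEY_RE.match(line)
        if km:
            section, key = "reg", km.group("key").lower()
            continue
        if section == "reg":
            vm = VALUE_RE.match(line)
            if not vm:
                continue
            name, raw = vm.group("name"), vm.group("raw")
            if "firewallpolicy" in key and name.lower() == "enablefirewall":
                if raw.lstrip().startswith("0"):
                    # Caveat: a third-party firewall (ZoneAlarm here) legitimately turns
                    # the Windows Firewall off, so this is informational, not proof.
                    findings.append(Finding("policy", name, key, [
                        "Windows Firewall off for this profile; expected only if a "
                        "third-party firewall is active, so confirm it"]))
                continue
            path = raw[1:raw.index('"', 1)] if raw.startswith('"') else raw
            reasons = path_reasons(path)
            if reasons:
                findings.append(Finding("run", name, path, reasons))
        elif section == "orphans":
            om = ORPHAN_RE.match(line)
            if om and path_reasons(om.group("path")):
                findings.append(Finding("orphan", om.group("name"), om.group("path"),
                                        path_reasons(om.group("path"))))
        elif section == "mbam":
            mm = MBAM_RE.match(line)
            if mm:
                reasons = path_reasons(mm.group("path")) + [f"MBAM detection {mm.group('family')}"]
                findings.append(Finding("mbam", mm.group("family"),
                                        original_location(mm.group("path")), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.name}: {f.path}\n    " + "\n    ".join(f.reasons))
```

Running it against the quoted lines flags the disabled firewall policy, both orphans and all three MBAM hits, and leaves the `program files` Run entries alone. The mapping back from the quarantine paths also makes visible what the MBAM log only implies: two of its three "infected" files were already sitting in OTL's and ComboFix's quarantine folders rather than in their original autostart locations.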

This system had some serious backdoor trojans, spyware, password stealer, and TDSS rootkits.

While the last MBAM result looks promising, it alone will not catch everything.

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information:

What Is A Backdoor Trojan?

Danger: Remote Access Trojans

Consumers


This topic is now closed to further replies.