
Am I (still) infected?



Sorry, this is going to be long...

Over the past 2 weeks, I've been having several problems with my computer, which may be unrelated, but unfortunately overlap in time. My computer is a Dell Dimension 4600 Pentium 4, 2.39 GHz, with 2.5 GB RAM, running XP Pro SP3, fully patched. I will try to re-create what happened, but I am not sure I will get all the details or the chronological sequence 100% right.

My firewall is Comodo free personal FW, version 3.14, which I run with the Defense+ component activated (and I have a Linksys wired router). I know Comodo version 3.14 is not up-to-date -- I wanted to scan thoroughly to be sure my computer was clean, so that I could install the new version and run it in "safe PC mode". But I started having problems before I got around to installing the new Comodo version.

I also run Avast free, WinPatrol free, Prevx free, Windows Defender, TeaTimer, and usually A2 anti-dialer and Secunia Inspector. I run SpyWare Blaster periodically. My usual browser is Firefox, with the NoScript add-on, but my kid uses Safari. I had Ad-Aware installed when my problems started, but the last version never installed correctly, so I uninstalled it several days after these problems started. The uninstall might be related to one of my problems.

The first set of problems started around Jan 9th. Firefox 3.6.13 crashed several times, possibly because of a Flash page. I typically have many tabs open, and often several Firefox windows open. I was not sitting at the computer when the final crash occurred. I came back to a message: "plug-in container crashed".

I restarted the computer (after a little trouble getting everyone logged off). I immediately started getting a lot of Comodo Defense+ alerts -- various programs were trying to set global hooks, programs were trying to control each other, etc. Anytime I would try to run anything, I would get a flood of alerts, but all the programs I was being alerted about were my usual programs.

So I ran a Windows Defender quick scan, a Prevx "deep" scan (the default, which is not the "full" scan), and a Malwarebytes quick scan, in each case, running in Windows normal mode, and closing all other security programs except the FW. I believe I ran the scans from an admin level user. All scan results were clean. So I began to wonder if the computer was clean, but the crash had somehow affected the Comodo FW Defense component, making it "forget" the programs it had previously recognized as safe, or re-setting it to a more sensitive mode.

I also could not log off users normally -- the log-off started normally, but after the "saving your settings" message, the computer would show a blank screen with that user's background color, and, though the mouse wasn't frozen, the computer would not respond, and would have to be rebooted. However, user switching was normal, and the computer could hibernate and resume from hibernation normally. I also started having a hang in my boot sequence, described below, but I think -- though I am not sure -- the boot-up hang started after I tried to uninstall Ad-Aware. Also, I was having trouble getting Prevx to run on some users, especially the one whose Firefox session crashed.

Somewhere around Jan 12 (or earlier), I backed up all my data!

On Jan 12, I ran a MalwareBytes full scan (except skipping my photo folder) -- result was clean. Also, on Jan 12, I decided to uninstall Ad-Aware, which never had installed properly (usually its tray icon said "you must reboot to complete installation", no matter how many times I rebooted). When I uninstalled (via Add/Remove), I was told to restart the computer, and when I did, there was a hang in my boot sequence -- the screen paused to let me choose whether to boot into Windows XP Pro or Recovery Console. That problem has persisted. After I rebooted into Windows XP Pro, Windows Defender wanted me to review a change that had been made -- something about a SafeBoot, from Lavasoft. Because I was concerned that I might be infected, I was not sure whether to allow the change, so I did nothing (I don't know if that equals deny or allow). So I suspect that maybe this is related to the boot up problem, but I am not sure how to go back and allow it. (Today, on Jan 27, I installed Super-AntiSpyware, and I see that it says it can repair a broken SafeBoot key, but I haven't tried it yet.)

I ran an A2 anti-dialer full scan and a Windows Defender full scan -- both in Windows normal mode, from an admin user -- both gave clean results. Then I ran Malwarebytes and Windows Defender quick scans, running as the system account, and both were clean.

On Jan 14, I tried to use System Restore. I tried two different restore points prior to Jan 9th, and neither would work -- I got a message that the computer could not be restored to that point.

THEN, to make things worse, I picked up an INFECTION on Jan 16th. While surfing from a limited user account, I accidentally clicked on a Google search result link that was marked with a red circle by Web Of Trust (WOT). I realized right away what I had done, and closed the page without clicking on anything except the "x" -- should have used the taskbar to close, I guess. I put the FW in "block all activity" mode. I ran Prevx from that limited user. (It ran, which was a bit odd, because I had been unable to get it to run on that limited user since the crash on Jan 9th. Also, I don't remember if the FW asked me to allow Prevx -- Prevx must be connected to the internet to run.) Anyway, Prevx detected a browser hijacker (I don't remember the name, and I can't find the log, though I think I saved it). I asked it to remove it, and it said it successfully quarantined it, and asked me to reboot, which I did. But I am not sure if it really quarantined anything, because I don't know if it can do that from a limited user account. Also, subsequently, when I go to the Undo Clean section of Prevx, it says nothing has been quarantined. (That is what it says on the admin level user's Prevx, and it says the same thing on the limited user -- when it will run on the limited user -- usually it won't.)

After the "quarantining" and the subsequent reboot, I reset the FW to its usual mode, and then I got a Defender alert from Comodo that svchost.exe was trying to run (or install?) srv.sys (which was in my Windows\system32\drivers folder), and I chose "block", though I'm not sure if I chose "remember my answer". I tried to re-run Prevx, but it said it could not connect to the internet.

Then I turned the computer off, rebooted the modem and the router, then rebooted the computer. I was able to run Prevx from an admin account. A quick scan gave clean results. I ran CCleaner on the limited user which I had been using when I got infected, and deleted the Firefox cache.

I decided to check the "My Trusted Vendor" list in Comodo, and found some things that looked iffy. They were things that seemed to do with chat and desktop control, remote access, etc. I removed a bunch of them, but left some I wasn't sure about. Some might be related to Firefox add-ons. This is not something I have checked before, so I don't know if these programs were newly added -- Comodo doesn't show when they were added to the trusted list. Maybe I should empty the "my trusted vendor" list completely?

On Jan 24, I booted into Safe Mode with Networking, and ran a Prevx deep scan (the default, not a full scan), a Windows Defender quick scan, and a MalwareBytes quick scan. All gave clean results. On Jan 26, I ran TrendMicro's online HouseCall scanner in Safe Mode, and scanned everything except my photos. The result was clean. Today, Jan 27, I installed SuperAntiSpyware free, and ran a quick scan. Two tracking cookies were found on my kid's user, so I quarantined them. Nothing else was found.

Just prior to posting this, I ran a MalwareBytes quick scan, which had clean results. Yesterday, as noted above, I ran a full online HouseCall virus scan in Safe Mode, and it was clean. I disabled CD emulation with Defogger. I ran DDS and saved the logs, which are attached. But when I tried to run GMER, after unchecking "show all" and "IAT/EAT", it ran for quite awhile, but then I got the following STOP error: BAD_POOL_CALLER. STOP: 0x000000C2 (0x00000040, 0x00000000, 0x80000000, 0x00000000). I tried to run it again after rebooting and this time I disabled Comodo Defense+ completely. This time it ran for quite a while, then the computer rebooted itself. I had saved the log that was produced initially when GMER started running, and I will attach that, but I don't have the full log. I called the mini-log ark1.txt, and I've attached it.

So that's pretty much where I am. My scans -- except maybe for GMER -- seem to be clean, but I am still suspicious, and I am trying not to do any online shopping until this is resolved. Thank you very much for reading all this, and for any help you can give. While waiting for help, I may try to run Windows Disk Clean Up and ChkDsk and some more scans.

Attachments: ark1.txt, Attach.zip, DDS.txt


I am replying to my own post, because I realize now that I should have pasted the DDS.txt log and the MalwareBytes log into my post. (The DDS.txt file was attached to my previous post, along with the ark.txt from the aborted GMER run.) Sorry for getting this wrong...

I will paste the DDS.txt and MalwareBytes log below, and will re-attach the zipped attach.txt and ark.txt files.

Please help, when you can...

Also, please bear with me if I don't respond right away. My computer (fan?) is making a nasty noise, and an ice storm is threatening our region, so power may go out. I will respond as quickly as possible. Thanks very much.

******************************** DDS.TXT***************************************************

DDS (Ver_10-12-12.02) - NTFSx86

Run by TheBoss at 15:01:15.18 on Thu 01/27/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1747 [GMT -5:00]

AV: Norton AntiVirus 2005 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Norton Internet Worm Protection *Enabled*

FW: COMODO Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\a-squared Anti-Dialer\a2service.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Common Files\Iconix\IconixService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\TheBoss\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File

BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: IconixBHOClass Class: {761233b6-f228-49e4-8f6b-668499d4e55a} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Windows Defender User Interface] c:\program files\windows defender\MSASCui.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\theboss\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iconixOEAddOn] "c:\program files\iconix\oeaddon\OEdmn_6.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [a-squared Anti-Dialer] "c:\program files\a-squared anti-dialer\a2adguard.exe" /d=60

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\theboss\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

mPolicies-explorer: <NO NAME> =

IE: &Google Search

IE: &Translate English Word

IE: Backward Links

IE: Cached Snapshot of Page

IE: Similar Pages

IE: Translate Page into English

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll

IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: adobe.com\www

Trusted Zone: bitdefender.com

Trusted Zone: comodo.com

Trusted Zone: eset.com

Trusted Zone: eset.com\www

Trusted Zone: f-secure.com

Trusted Zone: f-secure.com\support

Trusted Zone: html-kit.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: java.com

Trusted Zone: lavasoft.com

Trusted Zone: lavasoft.de\www

Trusted Zone: lavasoftusa.com\www

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: microsoft.com\www

Trusted Zone: osha.gov\osharemote

Trusted Zone: pandasecurity.com\www

Trusted Zone: secunia.com

Trusted Zone: secunia.com\psi

Trusted Zone: sun.com

Trusted Zone: symantec.com\security

Trusted Zone: verizon.net\onlinehelp

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.pestscan.com/scanner/axscanner.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.com/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185414703250

DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.4448611111

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab

DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

AppInit_DLLs: c:\windows\system32\wmfhotfix.dll c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\theboss\applic~1\mozilla\firefox\profiles\ebtxti7b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\mozilla firefox\extensions\{1253d21b-263b-1843-275c-1726da8b2a12}\components\FFProxy36.dll

FF - plugin: c:\documents and settings\theboss\application data\mozilla\firefox\profiles\ebtxti7b.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npIconixProxy36.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}

FF - Ext: Taboo: taboo@runningfrombears.com - %profile%\extensions\taboo@runningfrombears.com

FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Iconix: {1253D21B-263B-1843-275C-1726DA8B2A12} - c:\program files\mozilla firefox\extensions\{1253D21B-263B-1843-275C-1726DA8B2A12}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-1 28544]

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-1-28 15328]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-28 22024]

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-6-28 27656]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-23 294608]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-2-28 134344]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-2-28 25160]

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared anti-dialer\a2service.exe [2007-6-20 425080]

R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-11-15 1858144]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-23 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 40384]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-2-28 723632]

R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-6-28 4368952]

R2 IconixService;Iconix Update Service;c:\program files\common files\iconix\IconixService.exe [2010-1-17 283992]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-12 10384]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-1-28 220128]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

RUnknown SASKUTIL;SASKUTIL; [x]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 avgntdw;avgntdw;\??\c:\program files\avpersonal\avgntdw.sys --> c:\program files\avpersonal\AVGNTDW.SYS [?]

S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [2003-9-14 131712]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

S4 vsdatant;vsdatant; [x]

UnknownUnknown SASDIFSV;SASDIFSV; [x]

=============== Created Last 30 ================

2011-01-27 19:10:12 388096 ----a-r- c:\docume~1\theboss\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-01-26 05:56:18 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-01-26 01:43:56 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{71ad6fe4-ccfb-48e7-986f-17b6967a08f4}\mpengine.dll

2011-01-02 17:26:16 -------- d-----w- c:\docume~1\theboss\locals~1\applic~1\Secunia PSI

2011-01-02 17:25:59 -------- d-----w- c:\program files\Secunia

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 06:54:49 1880 ----a-w- c:\windows\AUTOLNCH.REG

2001-05-24 17:59:30 162304 ------w- c:\program files\UNWISE.EXE

============= FINISH: 15:02:43.59 ===============

****************** mbam-log-2011-01-27 (14-16-56).txt *************************************

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5622

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/27/2011 2:16:56 PM

mbam-log-2011-01-27 (14-16-56).txt

Scan type: Quick scan

Objects scanned: 202033

Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attachments: Attach.zip, ark1.txt


Root Admin

Part of your issues appear to be too much security software. You may be a bit too aggressive in installing security software to help you, which may also be hindering you.

The logs show that you have multiple AV programs installed and running. You need to choose which AV you want to run and fully remove all others.

You have left over pieces for ZoneAlarm and Panda AV, etc that need to be removed as well.

Please review the list here for tools to help manually remove products as needed.

http://uninstallers.blogspot.com/

Please visit this site and restore Firefox back to the factory default settings.

Restore Firefox Default Settings Without Uninstalling It

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

Once you've done the above please run a new DDS scan and post back both of the logs.

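The reading of the DDS log that the reply above is based on (several AV products registered, leftover ZoneAlarm and Panda pieces, registry entries pointing at files that no longer exist) can be done mechanically. The following is an added example and is not code from this thread or from the DDS tool: it parses the line formats visible in the DDS log posted above, run here on a constructed sample shaped on that log, and produces a triage list. The KNOWN_VENDORS table mapping service names to products is an assumption kept by hand, not something DDS provides.

```python
# Added example (not from this thread or from the DDS tool): triage a DDS log
# using the line formats visible in the log above.
import re
from dataclasses import dataclass, field

# Assumed, hand-kept lookup from service/driver name to the product that
# installs it. Verify against the vendor before removing anything.
KNOWN_VENDORS = {
    "vsdatant": "ZoneAlarm (TrueVector)",
    "pavboot": "Panda",
    "klif": "Kaspersky",
    "avgntdw": "Avira AntiVir",
    "antivirservice": "Avira AntiVir",
    "lbd": "Lavasoft Ad-Aware",
}

PRODUCT_RE = re.compile(r"^(AV|FW): (.+?) \*([^*]+)\*")
SERVICE_RE = re.compile(r"^(R\d|S\d|RUnknown|UnknownUnknown) ([^;]+);([^;]*);(.*)$")
HOOK_RE = re.compile(r"^(BHO|TB|EB): (.+) - No File$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")

# Constructed sample in DDS layout, shaped on the log posted above.
SAMPLE_DDS = r"""
AV: Norton AntiVirus 2005 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Enabled*
FW: COMODO Firewall *Enabled*
BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
AppInit_DLLs: c:\windows\system32\wmfhotfix.dll c:\windows\system32\guard32.dll
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-1 28544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 40384]
RUnknown SASKUTIL;SASKUTIL; [x]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]
S4 vsdatant;vsdatant; [x]
"""

@dataclass
class Product:
    kind: str      # "AV" or "FW"
    name: str
    state: str     # "Enabled" / "Disabled"
    updated: str   # "Updated" / "Outdated" / "" when DDS gave no second field

@dataclass
class Report:
    products: list = field(default_factory=list)
    dead_services: list = field(default_factory=list)   # (name, vendor or None)
    dead_hooks: list = field(default_factory=list)      # BHO/TB/EB "No File"
    vendor_parts: dict = field(default_factory=dict)    # vendor -> [names]
    appinit_dlls: list = field(default_factory=list)

def parse_dds(text):
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := PRODUCT_RE.match(line):
            kind, name, status = m.groups()
            state, _, updated = status.partition("/")
            rep.products.append(Product(kind, name, state, updated))
        elif m := SERVICE_RE.match(line):
            name, rest = m.group(2), m.group(4).rstrip()
            vendor = KNOWN_VENDORS.get(name.lower())
            if vendor:
                rep.vendor_parts.setdefault(vendor, []).append(name)
            # "[x]": no image path recorded; "[?]": file could not be verified
            if rest.endswith(("[x]", "[?]")):
                rep.dead_services.append((name, vendor))
        elif m := HOOK_RE.match(line):
            rep.dead_hooks.append(m.group(2))
        elif m := APPINIT_RE.match(line):
            rep.appinit_dlls = m.group(1).split()
    return rep

def findings(rep):
    out = []
    avs = [p.name for p in rep.products if p.kind == "AV"]
    if len(avs) > 1:
        out.append("multiple AV products registered: " + ", ".join(avs))
    for p in rep.products:
        if p.state == "Disabled" or p.updated == "Outdated":
            out.append(f"{p.kind} '{p.name}' reported {p.state}/{p.updated or 'n/a'}")
    for vendor, names in rep.vendor_parts.items():
        out.append(f"components of {vendor} still installed: {', '.join(names)}")
    for name, vendor in rep.dead_services:
        tail = f" (left over from {vendor})" if vendor else ""
        out.append(f"service/driver '{name}' has no verifiable binary{tail}")
    for hook in rep.dead_hooks:
        out.append(f"orphaned IE hook entry: {hook}")
    if rep.appinit_dlls:
        out.append("AppInit_DLLs loaded into every process: " + " ".join(rep.appinit_dlls))
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_dds(SAMPLE_DDS))))
```

To run it on the real log, pass the file contents to parse_dds instead of SAMPLE_DDS. Treat the output as a triage list rather than a verdict: "[x]" and "[?]" mean DDS recorded no image path or could not verify the file, which is what a leftover uninstall looks like, but it can also appear for drivers a product loads only on demand, so each entry still needs a human to check the vendor before it is removed.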

Thank you very much -- I will get busy on these tasks.

As far as I was aware, the only AV I actually have running is Avast, although I know I have other security programs running. (I haven't intentionally run Norton for years, and I can tell you I spent a lot of time with various tools, trying to dig it out after uninstalling it!)

A few questions about re-setting Firefox to its factory defaults:

  1. Do I have to check ALL the options? (Disable all add-ons, Reset toolbars and controls, Reset bookmarks to Firefox defaults, Reset all user preferences to Firefox defaults, Restore default search engines?)
    Can I keep add-ons and bookmarks? I use the Zotero add-on very extensively, and wouldn't want to lose all that information. And other users of this computer have bookmarks they would not want to lose.
    (If I do have to lose the add-ons and bookmarks, I guess I should back up all that bookmark and zotero data first.)
  2. Does this procedure have to be done on each XP user account? (I am guessing yes...)

And about CHKDSK -- any idea how long it may run? I have read it sometimes can take days (or hang), but that it should not be interrupted. Unfortunately, this is our family's only computer...

Thank you again.


  • Root Admin

On a semi-modern PC (yours is getting a bit old) it probably won't run more than a couple of hours, as long as it doesn't have a new terabyte drive installed.

You should always backup before making changes. For now let's just worry about the Admin account and we'll address the other limited user accounts at a later time if needed.

You can run the following first to help at least backup the registry.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from here
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to install ERUNT by following the prompts.
  • Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Save your bookmarks, and export settings from any special add-ons. Most of them have either a json or xml file that can be saved. If in doubt maybe visit the home page where the add-on is from and see if they have any support on how to back up said data. Though this reset should not remove the bookmarks.


I have backed up my registry with ERUNT.

I am working on getting my data from my Firefox extensions backed up. I have a backup of my Firefox profile, but if we don't want to re-load the whole profile, then I need to back up the data from Zotero and Session Manager separately, and I think I've done that. But I've only done that for the limited user acct I usually use for web browsing, so I still need to do that for the admin acct (and, at some point, I'll export bookmarks for the 2 other limited user accts).

I removed Panda ActiveScan via Add/Remove Programs. I visited the "Ultimate List of Uninstallers," and downloaded:

  • pascleaner.zip -- for Panda
  • FixAdix.exe -- for Symantec ActiveX Control cleanup
  • SymNRT.exe -- for Norton removal
  • cpes_clean.exe -- for Zone Alarm

I will use these programs (rebooting before and after running each one, and turning off all programs while running them), but it's going to have to wait until tomorrow -- it's midnite.

Then I will run chkdsk. And then DDS, and post the result.

Would it be better to run the uninstallers and chkdsk in Safe Mode, to be sure nothing is running in the background?

Thank you for the help!


I ran cpes_clean.exe to get rid of Zone Alarm remnants. It took longer to run than I expected (not sure how long, b/c I left the house). There is no user interface at all. (Just thought others might like to know, in case they run this.) I can't tell what it did, but computer re-booted okay.

Now I want to run pascleaner.zip to get rid of Panda ActiveScan remnants. I unzipped the folder. The readme file for Panda ActiveScan Cleaner (version 1) says:

"Before running this batch file, please ensure you have both removed the "ActiveScan Installer Class" from the Downloaded Program Files folder, and have re-started your computer (may get errors otherwise)."

When I went to the C:\Windows\Downloaded Program Files folder, I saw an ActiveX control labeled: PPSDKActiveXScanner.MainScreen. I was wondering if that might be related to Panda, even tho the name is not exactly the same. Googling didn't give any useful info. When I right-clicked it, Properties>Version told me it is an ActiveX implementation of Pest Patrol's PPSDK. I decided to remove it, even though it did not seem to be related to Panda, because I don't use Pest Patrol (although the name is vaguely familiar, so maybe I did in the past -- or maybe it's just a name with a generic, familiar sound to it). On http://www.bleepingcomputer.com/tutorials/...42.html#O16Diag it says, "By deleting most ActiveX objects from your computer, you will not have a problem as you can download them again. Be aware that there are some company applications that do use ActiveX objects so be careful."

I also threw the Panda Security folder in Recycle bin, since I just uninstalled Panda ActiveScan with Add/Remove programs. I am planning to empty the recycle bin.

But here's where I got stuck -- the PAS Cleaner readme file also says:

"Please also make sure you have changed the paths in the .bat file, to the paths that reflect your computer.

Once you have run this file, we strongly recommend running a program such as RegCleaner, to remove the registry entries that are also left behind by Panda's ActiveScan

----------------------

IMPORTANT NOTES FOR WINDOWS 2000/XP/SERVER 2003 USERS

----------------------

You will need to change the 'deltree /y ' command, to 'del ' (note the space) as these versions of Windows do not support the deltree command (I know I know, I don't know why MS removed it either). "

First problem is, I am not sure how to make the suggested changes to the delPAS.bat file. If I right-click it, I see Open (but not Open With... which would let me choose Notepad or EditPad Lite) -- won't Open just run the file?

Also, I used to use CCleaner to clean my registry, but I stopped doing that awhile ago, b/c of reading warnings that cleaning the registry may well do more harm than good. Should I clean the registry? Are there some things that it is safe to clean up? (CCleaner gives you a lot of choices, but I don't know enough about this.)

While waiting for a response to these questions, I will go ahead and run the Norton removal tools FixAdix.exe and SymNRT.exe. (I believe I may have run the latter years ago, when trying to remove Norton, but I will run it again.) I hope these programs won't be as confusing to run!

Thank you!


I didn't run the Panda batch file, but by the time I saw your post I had run FixAdix (which said ActiveDataInfo ActiveXControl was not found on my computer), and SymNRT. Actually, SymNRT said it was an expired tool, so I ran Norton_Removal_Tool.exe, a later version of SymNRT (and I had to run it in Safe Mode because otherwise it hung up at "processing MSI's by product code").

I just ran the DDS scan -- logs below and attached.

But I have not yet reset FireFox to its defaults or run CHKDSK. I will reset Firefox to its defaults for all users now. Then I will run CHKDSK, but I might have to wait and run that overnight, b/c my kid will need the computer for homework this afternoon/evening. Then I will re-run DDS, and post back. Thanks for your patience.

*********DDS LOG (DDS_2.txt) ********

DDS (Ver_10-12-12.02) - NTFSx86

Run by TheBoss at 11:55:45.04 on Thu 02/03/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1880 [GMT -5:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: COMODO Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\a-squared Anti-Dialer\a2service.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Common Files\Iconix\IconixService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Prevx\prevx.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\TheBoss\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File

BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: IconixBHOClass Class: {761233b6-f228-49e4-8f6b-668499d4e55a} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Windows Defender User Interface] c:\program files\windows defender\MSASCui.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\theboss\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iconixOEAddOn] "c:\program files\iconix\oeaddon\OEdmn_6.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [a-squared Anti-Dialer] "c:\program files\a-squared anti-dialer\a2adguard.exe" /d=60

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\theboss\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

mPolicies-explorer: <NO NAME> =

IE: &Google Search

IE: &Translate English Word

IE: Backward Links

IE: Cached Snapshot of Page

IE: Similar Pages

IE: Translate Page into English

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll

IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: adobe.com\www

Trusted Zone: bitdefender.com

Trusted Zone: comodo.com

Trusted Zone: eset.com

Trusted Zone: eset.com\www

Trusted Zone: f-secure.com

Trusted Zone: f-secure.com\support

Trusted Zone: html-kit.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: java.com

Trusted Zone: lavasoft.com

Trusted Zone: lavasoft.de\www

Trusted Zone: lavasoftusa.com\www

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: microsoft.com\www

Trusted Zone: osha.gov\osharemote

Trusted Zone: pandasecurity.com\www

Trusted Zone: secunia.com

Trusted Zone: secunia.com\psi

Trusted Zone: sun.com

Trusted Zone: symantec.com\security

Trusted Zone: verizon.net\onlinehelp

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.com/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185414703250

DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.4448611111

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab

DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

AppInit_DLLs: c:\windows\system32\wmfhotfix.dll c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\theboss\applic~1\mozilla\firefox\profiles\ebtxti7b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\mozilla firefox\extensions\{1253d21b-263b-1843-275c-1726da8b2a12}\components\FFProxy36.dll

FF - plugin: c:\documents and settings\theboss\application data\mozilla\firefox\profiles\ebtxti7b.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npIconixProxy36.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}

FF - Ext: Taboo: taboo@runningfrombears.com - %profile%\extensions\taboo@runningfrombears.com

FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Iconix: {1253D21B-263B-1843-275C-1726DA8B2A12} - c:\program files\mozilla firefox\extensions\{1253D21B-263B-1843-275C-1726DA8B2A12}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-1-28 15328]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-28 22024]

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-6-28 27656]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-23 294608]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-2-28 134344]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-2-28 25160]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared anti-dialer\a2service.exe [2007-6-20 425080]

R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-11-15 1858144]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-23 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 40384]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-2-28 723632]

R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-6-28 4368952]

R2 IconixService;Iconix Update Service;c:\program files\common files\iconix\IconixService.exe [2010-1-17 283992]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-12 10384]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-1-28 220128]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 avgntdw;avgntdw;\??\c:\program files\avpersonal\avgntdw.sys --> c:\program files\avpersonal\AVGNTDW.SYS [?]

S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [2003-9-14 131712]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2011-02-01 22:30:19 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{e219aa99-d03e-43ab-8771-728afdf212fa}\mpengine.dll

2011-01-27 19:10:12 388096 ----a-r- c:\docume~1\theboss\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-01-26 05:56:18 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2001-05-24 17:59:30 162304 ------w- c:\program files\UNWISE.EXE

============= FINISH: 11:58:31.31 ===============

Attach_2.zip

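As an added illustration, not code from this thread or from the DDS tool's author, the following Python sketch applies to the DDS entry formats shown in the log above the same checks a helper makes by hand when reading such a log: COM add-ons (BHO/TB/EB) still registered after their DLL is gone (`- No File`), Downloaded Program Files controls with no recorded download source, services or drivers whose image file is missing (`[?]`, `[x]`), and how many anti-virus vendors still have a service or driver registered. The vendor-marker table is an assumption made for this example; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample for this example: lines copied from the DDS log posted in
# this thread (the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections).
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
AppInit_DLLs: c:\windows\system32\wmfhotfix.dll c:\windows\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 40384]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]
S4 vsdatant;vsdatant; [x]
"""

# "KIND: rest" lines of the pseudo-HJT section this example knows about.
HJT_RE = re.compile(r"^(BHO|TB|EB|DPF|uRun|mRun|dRun|Notify|SEH|SSODL|AppInit_DLLs|Hosts): ?(.*)$")
# "R2 name;display name;image [date size]" -- R = running, S = stopped.
SVC_RE = re.compile(r"^([RS])[0-4] ([^;]*);([^;]*);(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_KINDS = {"BHO", "TB", "EB"}  # COM add-ons whose DLL may be gone

# Illustrative vendor markers (an assumption for this example, not a DDS feature):
# a lowercase substring that appears in that vendor's service/driver line.
AV_MARKERS = {
    "avast": "avast!",
    "avpersonal": "Avira AntiVir",
    "klif": "Kaspersky (klif.sys)",
    "vsdatant": "ZoneAlarm (vsdatant)",
    "symantec": "Symantec/Norton",
    "panda": "Panda",
}


@dataclass
class Triage:
    orphan_clsids: list = field(default_factory=list)   # BHO/TB/EB registered, DLL missing
    dpf_no_source: list = field(default_factory=list)   # ActiveX control, no download URL
    dpf_with_source: list = field(default_factory=list)  # ActiveX control, re-downloadable
    missing_files: list = field(default_factory=list)   # service/driver image is gone
    av_running: dict = field(default_factory=dict)      # vendor -> service name (R*)
    av_stopped: dict = field(default_factory=dict)      # vendor -> service name (S*)
    notes: list = field(default_factory=list)           # AppInit_DLLs, Hosts overrides


def triage(log_text: str) -> Triage:
    """Walk a DDS log once and collect the leftovers a helper would flag."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_RE.match(line)
        if m:
            kind, rest = m.groups()
            if kind in ORPHAN_KINDS and rest.endswith("- No File"):
                clsid = CLSID_RE.search(rest)
                t.orphan_clsids.append(clsid.group(0) if clsid else rest)
            elif kind == "DPF":
                name, sep, _source = rest.partition(" - ")
                (t.dpf_with_source if sep else t.dpf_no_source).append(name.strip())
            elif kind == "AppInit_DLLs" and rest:
                # Every DLL listed here is loaded into every GUI process.
                t.notes.append(f"AppInit_DLLs loads: {rest}")
            elif kind == "Hosts":
                t.notes.append(f"hosts override: {rest}")
            continue
        m = SVC_RE.match(line)
        if m:
            state, name, _display, image = m.groups()
            if image.strip().endswith(("[?]", "[x]")):
                t.missing_files.append(name)
            low = line.lower()
            for marker, vendor in AV_MARKERS.items():
                if marker in low:
                    (t.av_running if state == "R" else t.av_stopped)[vendor] = name
    return t


def vendor_count(t: Triage) -> int:
    """Distinct AV/firewall vendors that still have a service or driver registered."""
    return len(set(t.av_running) | set(t.av_stopped))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("orphaned COM add-ons:", result.orphan_clsids)
    print("DPF without source:", result.dpf_no_source)
    print("services/drivers with missing file:", result.missing_files)
    print("AV running:", result.av_running, "AV stopped:", result.av_stopped)
    print("distinct AV vendors registered:", vendor_count(result))
```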

  • Root Admin

Well I'm going to post some recommendations and general information and you need to let me know how you'd like to proceed.

Basically you just have way too much security software installed and the performance of your system has to be affected by all of this.

Again, it's up to you though but as I see it your current security software arsenal is almost as bad as being infected from a loss of power and resources point of view.

Let me know what you'd like to do and I can assist you in removing this stuff if you want.

This entry should be a browser helper object for Microsoft Money; if it's not used then I'd remove it.

BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File

This one is for RealPlayer - there are many better players now than this one, such as VLC or The KMPlayer

BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File

This one is a Norton Anti-Virus toolbar

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

This one appears to be for Google toolbar

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

This should be an Explorer bar for Real Player

EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File

Shouldn't really be running this when you have a full featured AV already installed and running

uRun: [Windows Defender User Interface] c:\program files\windows defender\MSASCui.exe

Doubt items like this need to run every time you start the computer, but up to you

"The Sansa Updater is an application that checks for the latest firmware updates then downloads and installs the firmware to your Sansa device."

uRun: [sansaDispatch] c:\documents and settings\theboss\application data\sandisk\sansa updater\SansaDispatch.exe

Both of these are good products, but unless they're full paid versions they do some similar things, so you may want to consider whether you want both running all the time and using resources

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

Not sure of the age of the computer and/or how often you've checked or used HP updates, but typically this is another tool that really doesn't need to run every time the computer starts

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

With all the other security software you have I really doubt you need this either

mRun: [a-squared Anti-Dialer] "c:\program files\a-squared anti-dialer\a2adguard.exe" /d=60

Up to you but myself I see no need to use or run this program either on every startup.

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

Media detector for Picasa's automatic photo organizer

I would also remove all of these myself and if/when you need/use another one as you've mentioned/referenced it will download a new one for you.

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.com/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185414703250

DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.4448611111

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab

DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

This is a driver from the Prevx scanner, still running

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-28 22024]

Pxsec.sys, described as Prevx Realtime Analysis, is a driver file from the company Prevx, belonging to the product Prevx 3.0.

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-6-28 27656]

Part of Prevx Realtime

R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-6-28 4368952]

Drivers from SUPERAntiSpyware - again, these may or may not be needed. There is such a thing as too much security, but you need to be the judge of that yourself.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

From a-squared again - more anti-malware protection on top of the many others you have

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared anti-dialer\a2service.exe [2007-6-20 425080]

R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-11-15 1858144]

VERY OLD Anti-Malware software should be removed.

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

From the Lavasoft Ad-Aware software

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

Related to the AntiVir antivirus program, but very old and still running

S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]

S3 avgntdw;avgntdw;\??\c:\program files\avpersonal\avgntdw.sys --> c:\program files\avpersonal\AVGNTDW.SYS [?]

From an old Kaspersky Lab KLIF ActivityMonitor

S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]

This is still there from ZoneAlarm and needs removal

S4 vsdatant;vsdatant; [x]

Recommendation to uninstall from the Control Panel, Add/Remove

a-squared Anti-Dialer 2.1

a-squared Free 3.5

Adobe Reader 9.4.1 (update to the 10.0 reader)

ESET Online Scanner

ESET Online Scanner v3

HiJackThis (grab the latest version and install it if you want it)

Microsoft Baseline Security Analyzer 1.2.1

see the following link if you want to use a tool like this

http://technet.microsoft.com/en-us/security/cc184924

Prevx 3.0 (can decide later if you want to continue to use it)

Safari

You have a plugin for Outlook Express, yet you also have SeaMonkey installed.

If you're not really using SeaMonkey you might want to remove it or at least ensure it's up to date

Not sure I'd use or trust this one - we actually had a confrontation with this company over stealing our database last year

Smart Defrag 1.20 (from iobit)

Spybot - Search & Destroy

SUPERAntiSpyware

It may be a different program but Webreg looks to possibly be an old Symantec Web Registration reminder program

Windows Defender

Windows Defender Signatures

Windows Live Safety Scanner (yet one more malware scanner)

Not malware or anything like it but sure is problematic software from Microsoft.

Windows Search 4.0

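The annotations above flag the same kinds of DDS entries every time: a service whose file is missing ([?]), a service with no image path at all ([x]), a browser add-on that is "No File", a DPF with no download source, and security binaries that are years old. As an added example (not the forum's or DDS's own tooling), this Python triage script applies those checks to the service, BHO/TB/EB and DPF lines of a DDS log; the cutoff date is an assumption, and the sample lines are copied from this thread's log.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# Service/driver lines as DDS prints them, e.g.
#   R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-28 22024]
#   S4 vsdatant;vsdatant; [x]
# R = running, S = stopped; the digit is the Windows service start type.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# Trailing "[YYYY-M-D size]" stamp that DDS appends when the file exists on disk.
STAMP_RE = re.compile(r"\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2})\s+\d+\]$")
# Browser add-ons (BHO/TB/EB) and DPF (downloaded ActiveX) entries.
ADDON_RE = re.compile(r"^(?P<kind>BHO|TB|EB):\s*(?P<body>.*)$")
DPF_RE = re.compile(r"^DPF:\s*(?P<body>.*)$")

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Assumed cutoff: security binaries older than this deserve a second look.
STALE_BEFORE = date(2009, 1, 1)


def triage_line(line: str, stale_before: date = STALE_BEFORE) -> Optional[Dict]:
    """Classify one DDS line; returns None for lines that are not inventory entries."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest").strip()
        finding = {
            "kind": "service",
            "name": m.group("name"),
            "running": m.group("state") == "R",
            "start": START_TYPES.get(m.group("start"), "?"),
            "flags": [],
        }
        if rest.endswith("[x]"):          # registry entry with no image path
            finding["flags"].append("no-image-path")
        elif rest.endswith("[?]"):        # path present, file not found on disk
            finding["flags"].append("file-missing")
        else:
            s = STAMP_RE.search(rest)
            if s:
                stamp = date(int(s.group("y")), int(s.group("m")), int(s.group("d")))
                if stamp < stale_before:
                    finding["flags"].append("stale-binary")
        return finding
    m = ADDON_RE.match(line)
    if m:
        body = m.group("body")
        return {
            "kind": m.group("kind"),
            "name": body.split(" - ")[0],
            "flags": ["no-file"] if body.endswith("No File") else [],  # orphaned CLSID
        }
    m = DPF_RE.match(line)
    if m:
        body = m.group("body")
        return {
            "kind": "DPF",
            "name": body.split(" - ")[0],
            "flags": [] if " - " in body else ["no-source-url"],  # no codebase recorded
        }
    return None


def triage_log(text: str, stale_before: date = STALE_BEFORE) -> List[Dict]:
    """Return only the entries that carry at least one flag."""
    findings = (triage_line(ln, stale_before) for ln in text.splitlines())
    return [f for f in findings if f and f["flags"]]


# Constructed sample: lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-6-28 22024]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-6-28 4368952]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]
S4 vsdatant;vsdatant; [x]
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['name']:45} {', '.join(f['flags'])}")
```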

Hi, yes, I'm still here. Thanks for your reply. Our computer was being used for homework late into last night, but I was able to reclaim it today. I reset Firefox to its defaults in all users. And I ran CHKDSK, which took 3-4 hrs. I am not sure if it found anything to fix.

I am working on my response to your post, and will post more tomorrow. Thank you!


Hi, again -- Thank you for the very detailed response and suggestions. Sorry it's taken me so long to post back; I was trying to make this more compact and readable.

I certainly get your point about too much anti-spyware software. I am confused about what a good -- but small -- set of anti-malware programs would be, and your advice is much appreciated. I would like free programs that complement each other, in terms of what types of threats they protect against.

Also, I think it would be very helpful to me to distinguish between each program's usefulness as a background guard, and its usefulness as an on-board, on-demand scanner -- something you could use quickly if you got infected, without having to go online to download (assuming its definitions were kept up-to-date). So could you please give me a little more guidance as to whether I should uninstall these programs completely, or just keep their real-time components from running?

So to recap my options again (and, for what it's worth, I've included what my experience with these programs has been):

My AV is Avast (free). I don't usually scan with Avast, though, because it tends to give me false positives, which then take a lot of time to research. I periodically - tho infrequently - use an online scanner like ESET, House Call, Panda, Kaspersky, etc.

My FW is Comodo (free), but it needs to be updated to the latest version. I am wondering if I can do that now/soon, and set it to "Safe" mode, which I believe means that all my existing software would be allowed to run freely. Or is it still likely I could have malware on my computer?

My current version of Comodo explains the FW Safe Mode as:

While filtering network traffic, the firewall will automatically create rules that allow all traffic for the components of applications certified as 'Safe' by Comodo. For non-certified new applications, you will receive an alert whenever that application attempts to access the network. Should you choose, you can grant that application Internet access by choosing 'Treat this application as a Trusted Application' at the alert. This will deploy the predefined firewall policy 'Trusted Application' onto the application. 'Train with Safe Mode' is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of connection alerts.

Also, I am running Comodo FW with the Defense+ component (but not the AV component). So I am guessing that maybe the Defense+ component also overlaps some functions of the other anti-malware programs, rendering them unnecessary and causing interference between the programs?

(I do think that one of the anti-malware programs seems to be interfering with Comodo -- I think interfering with the Defense+ component -- because the Comodo shield in my taskbar will often get a red x across it. I thought the culprit was AdAware, but the problem has persisted after uninstalling AdAware.)

Also, I think I should probably edit the Trusted Vendor list in the Comodo Defense+ component, and remove all that are user-defined as safe (though I may get a lot of alerts). Some of them look iffy -- some I may have placed there and forgotten about, but could some have been introduced by malware?

Windows Defender - I thought this was designed to be left running in the background, but I believe you are saying that one shouldn't run this in the background with AV also running in the background? You have suggested uninstalling it (and its definitions) -- so I take it you believe that for my purposes, other programs are better? Would there be any value in keeping this as an on-demand scanner, and turning off real-time protection? It has a quick scan that is pretty fast. And I guess I thought that if it was from MS, they would have some insight into protecting their own OS...

Prevx - You have suggested uninstalling, but possibly re-installing. I have liked Prevx. It is always up-to-date (but requires Internet connection to run, which could be a limitation under some circumstances). As an on-demand scanner, it has a fast "quick scan". But since my crash on Jan 9th, it hasn't run consistently on all users, so I will uninstall it now, and then decide about re-installing it.

SUPERAntiSpyware or WinPatrol -- You have said these are fairly equivalent.

I don't have much recent experience with SUPERAntiSpyware -- except that I found its "quick" on-demand scan to be slow (50 min on my machine). It seems to offer a lot of "repair" options that might be good to have.

WinPatrol -- I've used this a long time. This program is the one that alerts me after I run SpyWare Blaster and immunize and my HOSTS file has been changed. (Why don't the other background programs alert me ??) It provides information about StartUp programs, services, etc. -- not that I always know what to do with that info! -- but doesn't run repairs for you, like SUPERAntiSpyware seems to. And, as far as I'm aware, you can't run an on-demand scan with it.

So though you've said SAS and WinPatrol are similar, I am not sure which is better for me...

a2 anti-dialer -- I thought maybe this would be better than the others at detecting trojans and dialers, but I guess you don't think so? Should I keep it as an on-demand scanner, or uninstall completely?

a2 free -- Should I keep this as an on-demand scanner or uninstall completely? Actually, I had stopped using this as an on-demand scanner because I was getting false positives, and it was taking me a lot of time to research them. But I see there's a new version, and I would be willing to try it again, especially if I thought I might be infected.

SpyBot and AdAware have both seemed useful as on-demand scanners in the past. And if I use them in sequence, often both will find something (most often tracking cookies), so clearly there are some things that each uniquely picks up. (Unfortunately, both scans are slow, so I don't run them very often.)

So, should I uninstall SpyBot completely, or just set TeaTimer not to autostart?

The background protection component of AdAware is new to me, and the last version I tried didn't settle in right, so I very recently uninstalled it. Would it be worth re-installing it, just for on-demand scans?

I also immunize with SpyWare Blaster periodically.

Another thing I often/usually have running in background is Secunia PSI. I find that it helps me keep my programs updated (I just wish it included all programs!). But I guess I could run it on demand periodically, rather than having it autostart.

Would the (new) Microsoft Baseline Security Analyzer be a good thing for me to have? At least it seems like it will update itself via Windows Update. I will remove the old version.

Regarding non-security programs which autostart, I agree that neither Sansa Clip Updater nor Picasa Media Detector needs to autostart.

The HP Updater is probably associated with my stupid HP Photosmart D7560 printer. When you install the printer, it wants to load a boatload of crap that runs all the time. I didn't install everything that comes with the default installation, but then the card reader wouldn't work (and I needed it), so I had to install more than I wanted to. I would like to try disabling the HP Updater from autostarting.

Regarding other items you have flagged --

I was aware of the problem with Iobit SmartDefrag, and have been intending to uninstall that.

I would like to remove all the BHO and TB's. (Are these BHOs and TBs just traces left in the registry? I no longer clean the registry, after reading warnings not to do that.)

I am happy to remove all items on the list of DPF's, if they are not needed -- do I not need the MS update and MS office update? I guess the Java is left over from a previous version? I currently have Java 6, update 23, installed.

Safari -- I have this because my kid complains that Facebook works very slowly on Firefox, and I figured it was safer than running Internet Explorer. Even now, after resetting Firefox to its defaults, it is slow for FB, and the only add-ons I re-enabled were NoScript and WOT. Is Safari a very insecure browser? Is there a better alternative to Firefox (eg, Chrome)? (Or are there privacy issues with that browser? I am no longer as trusting of Google as I used to be.) Also, I intend to do some web page development, so it might be useful to have alternative browsers available.

SeaMonkey -- I do use this occasionally, like when I have Firefox set to restore a session with a lot of tabs, and I just need to check something online quickly. I do update it pretty regularly (when alerted by Secunia PSI). I could probably do w/o this, I guess...

"You have a plugin for Outlook Express" -- not sure what you meant by this. I do use Outlook Express as my mail program. I realize it's probably not the most secure, but I have my Internet Explorer security settings set very high (basically, only Windows Update can run), and I kind of like Outlook Express. Once, years ago, I tried to switch to Thunderbird, but it messed up when it imported my mail, so I went back to OE. Do think it is important to try switching again? By the way, any thoughts about the Iconix Email ID program?

Adobe Reader 9 -- ok, I will remove this -- but by "Adobe Reader 10" do you mean Adobe Reader X? I couldn't find a link to AR 10.

While in Add/Remove, I will also take out some other programs I no longer use. (There's a bunch of HP stuff there, but I have the HP printer and an (older) HP scanner, so I guess I'd better leave all that.)

I am sorry this post is so horribly long. Thank you again for all the help.


Update... I've now deleted all the programs you said to remove via Add/Remove programs EXCEPT:

WebReg and Windows Live Safety Scanner -- I don't see these listed there (tho maybe I removed the scanner without paying attention)

Safari and SeaMonkey -- I might still want these

Windows Defender and its signatures -- I am waiting to see if you have any additional information for me about this one

SUPERAntiSpyware -- I tried to remove this, but it is still listed. I will try again, and will use Safe Mode, if necessary.

All the others, including SpyBot, Prevx, a2 free, and a2 anti-dialer, have been removed.

Also, I removed Adobe Reader 9, and installed Adobe Reader X. I guess I should also remove the Spelling Dictionaries for Reader 9.

(And maybe "Shop for HP supplies".)

I've noticed 2 additional programs I think should be kept from autostarting. One is Logitech Setpoint (I think it came with my mouse), and it always loads on startup. The other is NMBgMonitor.exe, which I found running on a limited user (and slowing things down). I Googled it and learned it is some sort of indexing program associated with Nero, and is known to slow down computers. The service seems to be set to "manual", so I don't know why it ran.

I am looking forward to hearing from you about my questions in my previous post. Thanks very much.


  • Root Admin

Wow, lot of questions - hehe...

Generally the issue is that many of the "on demand" scanners are not really "on demand": many always have either services or processes that ALWAYS run, so that's not very "on demand".

Let me say the following and then see where you want to go.

As long as the following are strictly adhered to then I've not seen a legitimate infection attack the system.

  1. All Microsoft Critical Updates are installed and kept up to date at all times
  2. Firewall is installed and running that monitors both incoming and outgoing traffic
  3. Anti-Virus is fully functional, updated daily, and has continuous protection running at all times
  4. Malwarebytes' Anti-Malware Pro version installed, updated daily, File and Web protection modules always running
  5. All web browsing is done under a limited user account

Is it possible to get past the above, yes it is but it is very difficult and I've not personally seen it happen either. I've seen some javascripts do annoying things but normally closing the browser and reopening will correct that. Along with the above I too use the Javacool SpywareBlaster as well as NoScript and Adblock Plus on Firefox. Once you take the time to train NoScript it too is a powerful tool in protecting your system. Your limited user accounts should be running it too.

Nothing wrong with Safari as long as you keep it up to date the same goes with any of the other programs. Often these other programs are installed and the user doesn't realize it and doesn't keep them up to date and then some exploit comes along and takes advantage of it is all.

SUPERAntiSpyware and WinPatrol are not the same, just that some of the registry monitoring functions are the same. SAS does much more for actual detection and removal of Malware but even the free version adds services and processes even if you don't use it.

Again, these are my suggestions and you can and should make up your own mind on what you want to use.

If you follow the advice above then it should be very difficult to get infected and you should not need all these other tools.

No you should not be using Windows Defender when you have Avast AV full protection running.

Please go ahead and run a NEW DDS report and post back the new logs and we'll discuss further and go from there.

If you run EVENTVWR for the Event Logs you should see a WINLOGON in the APPLICATIONS and it will tell you what it found wrong when you ran CHKDSK


Thank you for a very clear and succinct answer to my questions. (Which will, nonetheless, provoke me to ask more questions!)

It is interesting to learn that many "on demand" scanners have services or processes that always run. You should be able to see them in Task Manager, right?

Your rules for safe browsing make perfect sense. And, in fact, except that I do not yet have a paid version of MBAM, I would say that we have been pretty good about following all these rules, and as a result, have not had any serious infections in the 10+ yrs we've had this computer (we've had a few, minor things that were easy to remove).

I admit that I sometimes do a little browsing from the admin acct, when I am trying to troubleshoot something, but I try to be careful - using Firefox with NoScript and WOT, and sticking to known, safe sites. I will try to avoid this more in the future.

When speaking of programs that are installed, but not used frequently, you said, "Often these other programs are installed and the user doesn't realize it and doesn't keep them up to date and then some exploit comes along and takes advantage of it is all." Can an exploit recognize something on your HD and exploit it even if you are not running it? In other words, are out-of-date programs a security issue at all times, or just if you try to run them w/o updating first?

And I am still curious to know how I was infected by browsing to a web page using a limited account, in Firefox, with NoScript actively blocking. I closed the page without clicking on anything other than the "X" in the top, right corner (I realize now I should have closed it from the taskbar). Why was I infected, if NoScript was active?

(Of course, if I hadn't been rushing, and hadn't accidentally clicked on a Google search result marked clearly in RED by WOT, this would never have happened!)

I immediately ran Prevx from that limited acct, and Prevx found some sort of hijacker, and said it quarantined it, though it did not seem to have stored anything in the quarantine area. I am also curious to know if Prevx COULD effectively quarantine something if run from a limited acct. Should all these scans always be run from an admin acct? I was worried about opening the admin acct, perhaps negating the benefit of browsing on a limited acct.

Anyway, I think I will follow your advice and purchase MBAM. Or would running Comodo FW with the Defense+ component properly set up be sufficient protection? And if I do purchase MBAM, do I disable the Defense+ component of Comodo, or can they co-exist? Would I be able to continue running WinPatrol (for its information on startups and services)?

Anyway, back to our clean-up of my machine... I have now removed: SUPERAntiSpyware (I had to go to their website and download an uninstaller tool), Windows Defender (but I don't see its signatures listed in Add/Remove), and Prevx.

I found the CHKDSK log:

Cleaning up minor inconsistencies on the drive.

...

Cleaning up 1249 unused index entries from index $SII of file 0x9.

Cleaning up 1249 unused index entries from index $SDH of file 0x9.

Cleaning up 1249 unused security descriptors.

...

0 KB in bad sectors.

Also in the CHKDSK log, I see a lot of services that I probably should Google... Bonjour Service is listed many times with "Error" next to it (and I am not even sure why this should be running). Is it best to turn off Services through WinPatrol? Or another way?

I think I can now log off my limited user without needing to reboot (I have to try this a few more times to make sure it is consistently fixed), but I still have a pause in my boot up sequence (I'm given a choice of Windows XP Pro or Windows Recovery Console).

Also, is it normal for System Idle Process to use a lot of CPU resources? (Currently, it's 99, as seen in Task Manager, and it often seems very high.)

I realize that some of these problems, if not caused by malware, probably should be discussed in the PC Help forum, rather than here...

I installed Reader X. But I am having 2nd thoughts about using it -- it is getting bad user reviews, and, of course, reader_sl.exe runs as a startup (and I do use pdf files often, so I think it needs to run). CNET users seem to like both Foxit (especially ver 3) and PDF ReDirect better, in terms of drain on system resources.

The newest DDS logs are below and attached. The BHOs, TBs and DPFs we discussed previously are still there; can you please tell me how to remove them? And I can see I probably should whittle down my trusted zone in Internet Explorer (which I actually only use for Windows Update).

Thank you so much!

****************************** DDS Log (DDS_3.txt) ******************************************************

DDS (Ver_10-12-12.02) - NTFSx86

Run by TheBoss at 14:42:57.42 on Sun 02/06/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2044 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: COMODO Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\a-squared Anti-Dialer\a2service.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Iconix\OEAddOn\OEdmn_6.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Common Files\Iconix\IconixService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\TheBoss\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - No File

BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File

BHO: IconixBHOClass Class: {761233b6-f228-49e4-8f6b-668499d4e55a} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Windows Defender User Interface] c:\program files\windows defender\MSASCui.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sansaDispatch] c:\documents and settings\theboss\application data\sandisk\sansa updater\SansaDispatch.exe

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iconixOEAddOn] "c:\program files\iconix\oeaddon\OEdmn_6.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\theboss\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

mPolicies-explorer: <NO NAME> =

IE: &Google Search

IE: &Translate English Word

IE: Backward Links

IE: Cached Snapshot of Page

IE: Similar Pages

IE: Translate Page into English

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - {73F7F495-A325-4C52-BE48-5F97FA511E89} - c:\program files\firetrust\sitehound\SiteHound.dll

IE: {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - {44E212AB-13EA-4CA4-BE65-197FBA170412} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

IE: {BC3F6B6D-2E49-4603-B028-7411655713F3} - {0CC2F28D-D415-4FC6-A2E4-54B4D983609A} - c:\program files\iconix\ieaddon\IconixBHO_45.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: adobe.com\www

Trusted Zone: bitdefender.com

Trusted Zone: comodo.com

Trusted Zone: eset.com

Trusted Zone: eset.com\www

Trusted Zone: f-secure.com

Trusted Zone: f-secure.com\support

Trusted Zone: html-kit.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: java.com

Trusted Zone: lavasoft.com

Trusted Zone: lavasoft.de\www

Trusted Zone: lavasoftusa.com\www

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: microsoft.com\www

Trusted Zone: osha.gov\osharemote

Trusted Zone: pandasecurity.com\www

Trusted Zone: secunia.com

Trusted Zone: secunia.com\psi

Trusted Zone: sun.com

Trusted Zone: symantec.com\security

Trusted Zone: verizon.net\onlinehelp

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.com/scan8/oscan8.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185414703250

DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.4448611111

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab

DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

AppInit_DLLs: c:\windows\system32\wmfhotfix.dll c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\theboss\applic~1\mozilla\firefox\profiles\ebtxti7b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.google.com/

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npIconixProxy36.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-1-28 15328]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-23 294608]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-2-28 134344]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-2-28 25160]

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared anti-dialer\a2service.exe [2007-6-20 425080]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-23 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-13 40384]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-2-28 723632]

R2 IconixService;Iconix Update Service;c:\program files\common files\iconix\IconixService.exe [2010-1-17 283992]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-12 10384]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-1-28 220128]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 AntiVirService;AntiVir Service;c:\program files\avpersonal\AVGUARD.EXE [2005-11-3 208424]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 avgntdw;avgntdw;\??\c:\program files\avpersonal\avgntdw.sys --> c:\program files\avpersonal\AVGNTDW.SYS [?]

S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-1-27 194320]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [2003-9-14 131712]

S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2011-01-26 05:56:18 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2001-05-24 17:59:30 162304 ------w- c:\program files\UNWISE.EXE

============= FINISH: 14:45:12.89 ===============

Attach_3.zip


  • Root Admin

Please make sure you fully disable your Avast AV so that even after the system reboots if needed it won't start back up otherwise it can prevent Combofix from running properly.

This will scan for any Malware infections that might be hidden as well and allow us to remove some of these other stubborn programs.

As for the Recovery Console that is a good thing to have and we want to keep it.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Ok, I've run COMBOFIX. Log is pasted below.

When I ran it, I set Comodo FW to Safe Mode, so that it wouldn't interfere with COMBOFIX, and Comodo Defense+ to Disabled. AV and WinPatrol were off, and set not to reload on reboot.

After Combofix ran, I saved the log and then hibernated the computer. When I came back, I couldn't logon to any user, so I restarted, and then it was fine. I turned on AVAST, and I reset the Comodo FW to Custom Policy, and Defense+ to Safe Mode (which is a fairly paranoid setting, despite the name). (Comodo should perhaps work on their terminology; I believe Safe Mode in FW is a less restrictive setting, while Safe Mode in Defense+ is a more restrictive setting.) And I started WinPatrol, and reset it to load at startup.

I started getting alerts from WinPatrol, the first about a change to the HOSTS file. I looked at the new and old versions via WinPatrol, and found that the new version removed all the entries made by SpyBot Search and Destroy. I figured COMBOFIX might have made the change, but I still wasn't sure I wanted to lose all the SpyBot protections, so I denied the change. And then I updated Spyware Blaster, and let it enable protection for all unprotected items. I am not sure this was the best course to follow -- probably some of the older entries are obsolete by now, so maybe it would have made sense to revert to 127.0.0.1 localhost, and THEN let Spyware Blaster add protection. I can still do that, if you think I should.

WinPatrol also told me a new Windows service had been installed: C:\Windows\system32\cryptsvc.dll. I allowed this change, because when I Googled it, it looked like a legitimate Microsoft file.

Next, when I started Firefox, I was told "Firefox is not your default browser, do you want to make it your default?", so I said yes. Then, while browsing this forum in Firefox, WinPatrol said that a change was detected in one of your file type associations .URL, and I allowed this change. (I was going to attach a screenshot, but I have to make the file size smaller.)

The COMBOFIX log follows. Thank you.

(PS -- I had several Firefox crashes today (on a limited user), every time I tried to open a PDF file. At least one of those times, I got a msg about plugin-container.exe encountering a problem. I disabled the Adobe Acrobat 10.0.0.396 Firefox plug-in for that limited user, and that seemed to solve the problem. But I am not sure what version of Adobe Reader I am using, if I disabled that add-on! That user also has a getPlusPlus for Adobe 16297 plug-in (which I don't think I had seen there earlier!), and when I check the plug-ins for updates, that one gets a question mark, and when I Google it, it seems to me it may be an out-of-date Adobe downloader, so I am disabling it. So I will have to keep troubleshooting, b/c now I bet I can't open PDFs again. And DARN IT -- now I can't open Adobe Photoshop Elements, either, from that limited user -- I get the msg: "Windows cannot find the specified device, path, or file. You may not have the appropriate permissions to access the item." Oy. But I can open it from the admin acct. Permissions seem to be for EVERYONE, so I'm not sure what is wrong.)

**************************** COMBOFIX.LOG ******************************************

ComboFix 11-02-08.02 - TheBoss 02/08/2011 16:38:16.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2060 [GMT -5:00]

Running from: c:\documents and settings\TheBoss\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\patch.exe

c:\windows\system32\Data

c:\windows\system32\ie.ico

.

((((((((((((((((((((((((( Files Created from 2011-01-08 to 2011-02-08 )))))))))))))))))))))))))))))))

.

2011-02-08 01:02 . 2011-02-08 01:02 -------- d-----w- c:\documents and settings\TheBoss\Local Settings\Application Data\Temp

2011-02-05 21:46 . 2011-02-05 21:46 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-01-26 05:56 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-01-14 01:00 . 2011-01-14 01:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-15 17:48 . 2010-08-28 03:48 664 ----a-w- c:\documents and settings\Noah\Local Settings\Application Data\d3d9caps.tmp

2011-01-13 08:47 . 2010-07-01 00:45 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2007-04-12 22:07 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2008-04-23 23:13 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2007-04-12 22:07 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2007-04-12 22:07 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2007-04-12 22:07 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2007-04-12 22:07 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2007-04-12 22:07 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2008-04-23 23:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-12-21 04:44 . 2009-11-04 11:45 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-12-20 23:09 . 2008-11-25 21:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2008-11-25 21:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-10 17:02 . 2010-10-02 22:26 664 ----a-w- c:\documents and settings\Brenna\Local Settings\Application Data\d3d9caps.tmp

2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53 . 2010-04-18 19:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34 . 2010-04-11 17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2001-05-24 17:59 . 2004-12-10 19:18 162304 ------w- c:\program files\UNWISE.EXE

2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-11-09 21:10 . 2007-11-09 21:10 34384 ------w- c:\program files\mozilla firefox\plugins\logging.dll

2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-11-09 21:11 . 2007-11-09 21:11 685648 ------w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\documents and settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-08-21 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]

"IconixOEAddOn"="c:\program files\Iconix\OEAddOn\OEdmn_6.exe" [2010-03-03 342872]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-01 1800464]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\TheBoss\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-12 809488]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 21:41 72208 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [1/28/2010 4:12 PM 15328]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/23/2008 6:13 PM 294608]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/28/2010 7:22 PM 134344]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/28/2010 7:22 PM 25160]

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared Anti-Dialer\a2service.exe [6/20/2007 10:16 PM 425080]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/23/2008 6:13 PM 17744]

R2 IconixService;Iconix Update Service;c:\program files\Common Files\Iconix\IconixService.exe [1/17/2010 8:57 PM 283992]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2/12/2009 1:50 AM 10384]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [1/28/2010 4:12 PM 220128]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 avgntdw;avgntdw;\??\c:\program files\AVPersonal\AVGNTDW.SYS --> c:\program files\AVPersonal\AVGNTDW.SYS [?]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [9/14/2003 11:57 AM 131712]

S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 7:04 AM 987704]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2008-10-24 c:\windows\Tasks\BACKUP.job

- c:\windows\system32\ntbackup.exe [2004-08-04 10:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com

IE: &Google Search

IE: &Translate English Word

IE: Backward Links

IE: Cached Snapshot of Page

IE: Similar Pages

IE: Translate Page into English

Trusted Zone: adobe.com\www

Trusted Zone: bitdefender.com

Trusted Zone: comodo.com

Trusted Zone: eset.com

Trusted Zone: eset.com\www

Trusted Zone: f-secure.com

Trusted Zone: f-secure.com\support

Trusted Zone: html-kit.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: java.com

Trusted Zone: lavasoft.com

Trusted Zone: lavasoft.de\www

Trusted Zone: lavasoftusa.com\www

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: microsoft.com\www

Trusted Zone: osha.gov\osharemote

Trusted Zone: pandasecurity.com\www

Trusted Zone: secunia.com

Trusted Zone: secunia.com\psi

Trusted Zone: sun.com

Trusted Zone: symantec.com\security

Trusted Zone: verizon.net\onlinehelp

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - ProfilePath - c:\documents and settings\TheBoss\Application Data\Mozilla\Firefox\Profiles\ebtxti7b.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Windows Defender User Interface - c:\program files\Windows Defender\MSASCui.exe

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-08 16:48

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?n

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\windows\system32\wmfhotfix.dll

c:\windows\system32\guard32.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(780)

c:\windows\system32\wmfhotfix.dll

c:\windows\system32\guard32.dll

.

Completion time: 2011-02-08 16:52:52

ComboFix-quarantined-files.txt 2011-02-08 21:52

ComboFix2.txt 2009-02-08 19:06

Pre-Run: 188,471,689,216 bytes free

Post-Run: 188,572,606,464 bytes free

- - End Of File - - F0630883363F1ECC2FA07A9BF05B3F10


  • Root Admin

For now please don't worry about the Adobe software, we'll get that part taken care of soon and get you working again.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Driver::
a2AntiDialer
Lbd
avgntdw
File::
c:\windows\system32\DRIVERS\Lbd.sys
c:\program files\AVPersonal\AVGNTDW.SYS
Folder::
c:\program files\AVPersonal
DDS::
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37540.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

Note: You also have a very old backup job running here. Does it still work and do you use it?

2008-10-24 c:\windows\Tasks\BACKUP.job

Once that is done, post back the log and also please run a HijackThis scan and post back its log as well.

I will run ComboFix and HJT and post back. (I don't think I am using that old backup job.)

But I just wanted to let you know that I had a blue screen this morning, after resuming from hibernation. The message was HAL_INITIALIZATION_FAILED. Tech info Stop: 0x0000005C (0x00002001, 0x00000002, 0x00000002, 0x00000000).

I had the identical error two days ago, on Feb7, but forgot to mention it, b/c I was able to restart w/o a problem.

Today, it was difficult to restart: when I would push the power button in, it would start to come on, then die. It did this a few times, even though I tried to hold the button in. Then it did restart, but gave me the exact same message. Again, I had a little trouble restarting, with the power button not catching, but then it restarted and Windows resumed.

Seems ominous... I haven't done anything w/ hardware, except that we opened the case on Feb 6, the day before the 1st BSOD, to blow out dust and determine why a fan was getting noisier. I guess it is possible we jostled something -- or that the error has to do with the video card fan, which turned out to be the source of the noise. (I also plugged in and unplugged a DVD burner yesterday. But I didn't do that on Feb 7.) The only software changes I've made have been those advised by you, plus my struggles with Firefox addons/plugins and the installation of Adobe Reader X (which does seem to be installed and working).

(Using Firefox plug-ins on Win XP confuses me, because I thought that plug-ins (unlike add-ons) had to be installed from the admin acct. But I seem to have different plug-ins active on different users now; I thought all non-admin users were constrained to the set installed on the admin user acct.)

Thanks -- I'll be back later -- unless I can't get the machine on!

  • Root Admin

The HAL error refers to the Hardware Abstraction Layer and could potentially be due to software changes it sees, or could also be due to hardware errors, such as the hard drive or another component starting to fail. The computer you have is rather old, and it is quite possible that all this work has stressed it.

Error Message: STOP: 0x0000005C

Again, let me re-emphasize that you really need to have good, verified backups of all of your important data in case you do experience a severe hardware failure that you cannot recover from.

As for limited user account settings, yes, as far as I know some features are per user even in a limited account, but I don't have or know of any list of them for Firefox. There are also infections or fake programs that can run on a limited user account, but when you reboot or log them off and log on with your Admin profile they won't be running, as everything is user specific, so it's more of an annoyance than a real danger.

The WinPatrol change detection in general is innocuous, but giving the full path is probably better because, by simply using the environment path, another program could be called before the correct original one is called. Without deeper research I'd probably not allow the change.

Please go ahead and create and then post the other logs so I can see how it's going.

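The point above about full paths versus environment-path lookup can be checked mechanically against a HijackThis log. The following is an added example, not code from the forum thread or from HijackThis: it parses the `O4` Run-key lines of the kind posted later in this thread and flags two things a reviewer looks for, an autostart given only as a bare file name (resolved through the process search path, as with `KHALMNPR.EXE` here), and an unquoted path containing spaces (which CreateProcess resolves by trying shorter prefixes first). The sample lines are copied from the HijackThis log in this thread; the parser, the function names and the classification wording are my own assumptions.

```python
"""Audit HijackThis O4 autostart lines for path-resolution weaknesses.

Added example for this thread; not part of HijackThis or the original post.
Only registry Run/RunOnce entries are examined. Startup-folder .lnk entries
are shortcuts whose target path is stored inside the shortcut, so the
unquoted-path rule below does not apply to them and they are skipped.
"""
import re

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
"""

# "O4 - <key>: [<value name>] <command>" (registry Run/RunOnce entries only).
O4_RUN = re.compile(r"^O4 - (?P<key>\S.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis appends the account for HKUS hives; strip it before parsing.
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd")


def split_image(cmd):
    """Return (image, quoted) for a Run-key command string.

    A quoted command yields the text inside the quotes. For an unquoted one,
    the image is taken as the longest leading portion that ends in an
    executable extension followed by whitespace or end of string; the rest
    are arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    lower = cmd.lower()
    best = -1
    for ext in EXE_EXT:
        idx = lower.find(ext)
        while idx != -1:
            stop = idx + len(ext)
            if (stop == len(cmd) or cmd[stop].isspace()) and stop > best:
                best = stop
            idx = lower.find(ext, idx + 1)
    if best == -1:
        # No recognisable extension: fall back to the first token.
        return (cmd.split(maxsplit=1)[0] if cmd else ""), False
    return cmd[:best], False


def classify(image, quoted):
    """Return the list of findings for one autostart image path."""
    findings = []
    if "\\" not in image and "/" not in image:
        findings.append("bare file name: located via the process search path "
                        "(application/system directories, then PATH), not a fixed location")
    elif not quoted and " " in image:
        findings.append("unquoted path with spaces: CreateProcess tries shorter "
                        "prefixes such as C:\\Program.exe before the intended file")
    return findings


def parse_o4(line):
    """Parse one O4 Run/RunOnce line; return None for anything else."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    cmd = USER_SUFFIX.sub("", m.group("cmd"))
    image, quoted = split_image(cmd)
    return {"key": m.group("key"), "name": m.group("name"),
            "image": image, "quoted": quoted}


def audit(text):
    """Parse every O4 Run line in the log text and attach findings."""
    results = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        entry["findings"] = classify(entry["image"], entry["quoted"])
        results.append(entry)
    return results


def flagged(text):
    """Only the entries with at least one finding."""
    return [e for e in audit(text) if e["findings"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_O4_LINES):
        print(f"[{e['name']}] {e['image']}: {'; '.join(e['findings'])}")
```

On the sample, the `KHALMNPR.EXE` and `Narrator.exe` entries are reported as bare names and the HP updater as an unquoted path with spaces; the quoted COMODO entry and the short-name avast entry pass. A flag is a prompt to confirm the file that actually runs, not a verdict, and the same rule is what the WinPatrol prompt in this thread was about.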
Yes, this computer is getting on in years... The HD is actually only a few yrs old, much younger than the rest of the computer, but, of course, it could be failing. It isn't making any weird noises, though, so maybe it is something else that is going. I have a recent backup, but thanks for the reminder, I think I will run another in the morning. I've had the same HAL error 3 times today.

Something that may or may not be relevant -- when I check Device Manager, there is a device labeled "Other device" that has a big, yellow question mark next to it. And under it, there are 6 devices labeled "Unknown Device" with question marks. When I right-click those, Properties tells me (for each one):

Device type: Other

Manufacturer: Unknown

Location: on All-in-Wonder 9000

Device status: This device is disabled (Code 22). Check Enable to enable this Device.

Device usage: Do not use this device (disable)

I would have said "AHA!", except that I had noticed these yellow question marks well before these BSOD's started happening. So I don't know that they are related. I don't think they've been there all along since the computer was new, though I'm not 100% sure. If they've been there all along, I wonder if they are due to the fact that the TV tuner part of the card was never installed. Or, if they appeared more recently, could it have something to do with the noisy (possibly failing) fan on the graphics card? (I have emailed AMD/ATI, but have not heard back yet, regarding the possibility of replacing the fan.)

I also checked Windows Update, and the only driver suggested for my machine is an optional audio driver update. I never bothered with this, since my (cheap) speakers are working ok.

Regarding the WinPatrol warning, unfortunately, I had already accepted the change, assuming it was a desired change due to Combofix. I don't know how to go back and undo the change.

So, back to the COMBOFIX and HJT... Sorry it's taken me so long to post the logs; the forum was down for emergency maintenance when I tried earlier.

Before running COMBOFIX, I installed multiple security patches for Windows XP from Windows Update, and then restarted. Then I found there was also a cumulative security update for IE8, which I installed. Restarted. Then Adobe Updater offered an update to "address customer issues and security vulnerabilities," so I installed that, and restarted again. Luckily, no BSOD's during all this...

I set Comodo FW into Safe Mode and Comodo Defense+ to Disabled, turned off AV and WinPatrol, and set them not to start on reboot, and closed all programs. Dragged text file to COMBOFIX, as instructed. It started to run, but then said an update was available, did I want it? I wasn't sure what to do, so said "yes" -- I hope this didn't keep it from incorporating the text file. After the update, COMBOFIX ran and rebooted the computer. After the HD light stopped flashing, I logged into the admin acct. COMBOFIX finished and prepared the log, which is pasted below, along with the HJT log.

By the way, I didn't read through the Bleeping Computer HJT tutorial first -- maybe I should have. I just chose "scan system and create logfile," which is not what they suggest. I saved the log (using EditPad Lite, my default text editor), but then I did have a little trouble with EditPad Lite, which I think is now resolved. I didn't realize it, but the log file was saved as a .log file; I opened it again in EditPad Lite and resaved it as a .txt file. (I can re-run HJT, if necessary.)

Here they are:

********************* COMBOFIX LOG (COMBOFIX_log_2.txt) **************************

ComboFix 11-02-09.02 - TheBoss 02/09/2011 13:46:14.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2071 [GMT -5:00]

Running from: c:\documents and settings\TheBoss\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\TheBoss\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::

"c:\program files\AVPersonal\AVGNTDW.SYS"

"c:\windows\system32\DRIVERS\Lbd.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\AVPersonal

c:\program files\AVPersonal\AVGUARD.EXE

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AVGNTDW

-------\Legacy_LBD

-------\Service_avgntdw

-------\Service_Lbd

((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))

.

2011-02-08 01:02 . 2011-02-08 01:02 -------- d-----w- c:\documents and settings\TheBoss\Local Settings\Application Data\Temp

2011-02-05 21:46 . 2011-02-05 21:46 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-01-30 15:45 . 2011-01-30 15:45 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

2011-01-26 05:56 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

2011-01-14 01:00 . 2011-01-14 01:00 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2002-08-29 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-15 17:48 . 2010-08-28 03:48 664 ----a-w- c:\documents and settings\Noah\Local Settings\Application Data\d3d9caps.tmp

2011-01-13 08:47 . 2010-07-01 00:45 38848 ----a-w- c:\windows\avastSS.scr

2011-01-13 08:47 . 2007-04-12 22:07 188216 ----a-w- c:\windows\system32\aswBoot.exe

2011-01-13 08:41 . 2008-04-23 23:13 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-01-13 08:40 . 2007-04-12 22:07 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-01-13 08:40 . 2007-04-12 22:07 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-01-13 08:39 . 2007-04-12 22:07 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-01-13 08:37 . 2007-04-12 22:07 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-01-13 08:37 . 2007-04-12 22:07 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-01-13 08:37 . 2008-04-23 23:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-01-07 14:09 . 2002-08-29 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-21 04:44 . 2009-11-04 11:45 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-12-20 23:59 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2002-08-29 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:09 . 2008-11-25 21:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2008-11-25 21:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2010-12-10 17:02 . 2010-10-02 22:26 664 ----a-w- c:\documents and settings\Brenna\Local Settings\Application Data\d3d9caps.tmp

2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 1980-01-01 05:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 1980-01-01 05:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53 . 2010-04-18 19:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34 . 2010-04-11 17:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2001-05-24 17:59 . 2004-12-10 19:18 162304 ------w- c:\program files\UNWISE.EXE

2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-11-09 21:10 . 2007-11-09 21:10 34384 ------w- c:\program files\mozilla firefox\plugins\logging.dll

2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-11-09 21:11 . 2007-11-09 21:11 685648 ------w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\documents and settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-08-21 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]

"IconixOEAddOn"="c:\program files\Iconix\OEAddOn\OEdmn_6.exe" [2010-03-03 342872]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-01 1800464]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\TheBoss\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-12 809488]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 21:41 72208 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [1/28/2010 4:12 PM 15328]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/23/2008 6:13 PM 294608]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/28/2010 7:22 PM 134344]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/28/2010 7:22 PM 25160]

R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared Anti-Dialer\a2service.exe [6/20/2007 10:16 PM 425080]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/23/2008 6:13 PM 17744]

R2 IconixService;Iconix Update Service;c:\program files\Common Files\Iconix\IconixService.exe [1/17/2010 8:57 PM 283992]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2/12/2009 1:50 AM 10384]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [1/28/2010 4:12 PM 220128]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [9/14/2003 11:57 AM 131712]

S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]

S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 7:04 AM 987704]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2008-10-24 c:\windows\Tasks\BACKUP.job

- c:\windows\system32\ntbackup.exe [2004-08-04 10:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com

IE: &Google Search

IE: &Translate English Word

IE: Backward Links

IE: Cached Snapshot of Page

IE: Similar Pages

IE: Translate Page into English

Trusted Zone: adobe.com\www

Trusted Zone: bitdefender.com

Trusted Zone: comodo.com

Trusted Zone: eset.com

Trusted Zone: eset.com\www

Trusted Zone: f-secure.com

Trusted Zone: f-secure.com\support

Trusted Zone: html-kit.com\www

Trusted Zone: intuit.com\ttlc

Trusted Zone: java.com

Trusted Zone: lavasoft.com

Trusted Zone: lavasoft.de\www

Trusted Zone: lavasoftusa.com\www

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: microsoft.com\www

Trusted Zone: osha.gov\osharemote

Trusted Zone: pandasecurity.com\www

Trusted Zone: secunia.com

Trusted Zone: secunia.com\psi

Trusted Zone: sun.com

Trusted Zone: symantec.com\security

Trusted Zone: verizon.net\onlinehelp

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB

FF - ProfilePath - c:\documents and settings\TheBoss\Application Data\Mozilla\Firefox\Profiles\ebtxti7b.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}

FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-09 14:02

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = c:\documents and settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_content&?n

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3592)

c:\windows\system32\WININET.dll

c:\program files\Iconix\OEAddOn\OEldr_7.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\COMODO\COMODO Internet Security\cmdagent.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\System32\MsPMSPSv.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-02-09 14:09:23 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-09 19:09

ComboFix2.txt 2011-02-08 21:52

ComboFix3.txt 2009-02-08 19:06

Pre-Run: 187,925,942,272 bytes free

Post-Run: 187,844,100,096 bytes free

- - End Of File - - C3645CCCBB60947D492FDC4671FBF207

*********************** HJT LOG (hijackthis_log_02-09-11.txt) *********************************

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:14:56 PM, on 2/9/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Anti-Dialer\a2service.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Iconix\IconixService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Iconix\OEAddOn\OEdmn_6.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Documents and Settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)

O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)

O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_45.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_6.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [sansaDispatch] C:\Documents and Settings\TheBoss\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)

O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_45.dll

O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_45.dll

O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_45.dll

O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_45.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.adobe.com

O15 - Trusted Zone: http://*.bitdefender.com

O15 - Trusted Zone: *.comodo.com

O15 - Trusted Zone: http://www.eset.com

O15 - Trusted Zone: *.eset.com

O15 - Trusted Zone: http://support.f-secure.com

O15 - Trusted Zone: *.f-secure.com

O15 - Trusted Zone: http://www.html-kit.com

O15 - Trusted Zone: *.java.com

O15 - Trusted Zone: http://*.lavasoft.com

O15 - Trusted Zone: http://www.lavasoft.de

O15 - Trusted Zone: http://www.lavasoftusa.com

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: http://www.pandasecurity.com

O15 - Trusted Zone: *.secunia.com

O15 - Trusted Zone: *.sun.com

O15 - Trusted Zone: security.symantec.com

O15 - Trusted Zone: http://onlinehelp.verizon.net

O15 - Trusted Zone: http://download.windowsupdate.com

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185414703250

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Iconix Update Service (IconixService) - Unknown owner - C:\Program Files\Common Files\Iconix\IconixService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe

--

End of file - 12420 bytes
