Help - Please


#1 kennyjspeirs (Member, 11 posts)
Hello All,

Sorry if this is not in the correct location.

Today my PC has become infected with something nasty; it has disabled several (all security-related) services.

These include AVG antivirus, Windows Firewall, Windows Defender, Security Centre, Windows Update etc.

You can enable them in services.msc, but they will not run properly; for example:

"C:\Program Files\Grisoft\AVG7\avgw.exe is not a valid Win32 application." is displayed.

I've downloaded AVG Anti-Spyware; this installed OK (I think), but when you try to run it: "Connection to service failed. Please reinstall AVG Anti-Spyware 7.7"

I've downloaded & installed Spybot (not used for years), but again: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe is not a valid Win32 application."

I've downloaded & installed HijackThis, but again: "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe is not a valid Win32 application."

It seems that whatever my PC is infected with is stopping all security-related software; other software seems to run OK.

Can anyone suggest any way forward?

Cheers


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello kennyjspeirs

Welcome to G2Go. :)
================
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#3 kennyjspeirs (Topic Starter, 11 posts)
Hello, thanks for the reply.

Here is the log:


"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["install"]
"AdobeUpdater" = "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" ["Adobe Systems Incorporated"]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"WPCUMI" = "C:\Windows\system32\WpcUmi.exe" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"JMB36X IDE Setup" = "C:\Windows\JM\JMInsIDE.exe" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"EPGServiceTool" = "C:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe" ["Hauppauge Inc."]
"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"MagicTuneEngine" = "C:\Program Files\MagicTune Premium\MagicTuneEngine.exe" [null data]
"EasyTuneVPro" = "C:\Program Files\Gigabyte\ET5Pro\ETcall.exe" [empty string]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{0563DB41-F538-4B37-A92D-4659049B7766}" = "WLMD Message Handler"
-> {HKLM...CLSID} = "CLSID_WLMCMimeFilter"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Mail\mailcomm.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"
-> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"LogonHoursAction" = (REG_DWORD) dword:0x00000002
{unrecognized setting}

"DontDisplayLogonHoursWarnings" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Conrol: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\Web\Wallpaper\img35.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Windows\Web\Wallpaper\img35.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Aurora.scr" [MS]


Startup items in "Kenny" & "All Users" startup folders:
-------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"AutoStart IR" -> shortcut to: "C:\Program Files\WinTV\Ir.exe /QUIET" ["Hauppauge Computer Works"]
"GammaTray" -> shortcut to: "C:\Program Files\MagicTune Premium\GammaTray.exe" [empty string]
"NCProTray" -> shortcut to: "C:\Program Files\SEC\Natural Color Pro\NCProTray.exe" ["Samsung"]
"Start 3DxWare" -> shortcut to: "C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe" ["3Dconnexion, INC"]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"User_Feed_Synchronization-{2743D78A-AC7A-46E9-BF84-F9C2A9BFC502}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]
"User_Feed_Synchronization-{89264969-2296-49ED-B072-E2C1A4866357}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]
"{4AF2977B-9479-40D4-A1B1-3997A6A5AB63}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Program Files\Grisoft\AVG7\setup.exe" -c /UNINSTALL" [MS]
"{519D0242-3B1C-42DC-9249-EC97302FB0B4}" -> launches: "C:\Windows\system32\pcalua.exe -a D:\atisetup.exe -d D:\" [MS]
"{59EEB338-C724-41AA-B5A2-30AFBB37C3BE}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Hauppauge\WinTV CD 4.0\Setup.exe" -d "C:\Hauppauge\WinTV CD 4.0"" [MS]
"{BBFE034E-FACD-43BA-AE2D-F3CCCEAD09FD}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Users\Kenny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01OQ438Q\motherboard_utility_xr2[1].exe" -d C:\Users\Kenny" [MS]
"{F8B748B0-E4B4-4652-8A16-84FA649382A7}" -> launches: "C:\Windows\system32\pcalua.exe -a C:\Windows\system32\Launch3DxGUI.cpl -c 3DxWare Panel" [MS]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]
"Uploader" -> launches: "%windir%\system32\WSqmCons.exe -u" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
-> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
\InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {HKLM...CLSID} = "Nap ITask Handler Implementation"
\InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {HKLM...CLSID} = "CrawlStartPages Task Handler"
\InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar
"Reminders - Kenny" -> launches: "C:\Program Files\Windows Calendar\WinCal.exe /reminder" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
000000000006\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000007\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Windows\system32\wpclsp.dll [MS], 01 - 08, 19
%SystemRoot%\system32\mswsock.dll [MS], 09 - 18, 20 - 27


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


HOSTS file
----------

C:\Windows\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Computer Browser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
EPGService, EPGService, "C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe" ["Hauppauge Computer Works"]
Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
Parental Controls, WPCSvc, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\System32\wpcsvc.dll" [MS]}
Secure Socket Tunneling Protocol Service, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
UGS License Server (ugslmd), UGS License Server (ugslmd), ""C:\Program Files\UGS\UGSLicensing\lmgrd.exe"" ["Macrovision Corporation"]
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Windows Media Center Receiver Service, ehRecvr, "C:\Windows\ehome\ehRecvr.exe" [MS]
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Epson Inbox Language Monitor\Driver = "EP0SLM00.DLL" ["SEIKO EPSON CORPORATION"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-01-28 19:32:51)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 67 seconds.
---------- (total run time: 124 seconds)

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download Combo-fix from Here
**Note: In the event you already have Combo-fix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt"

Whatever you do, do not rename combofix.

#5 kennyjspeirs (Topic Starter, Member, 11 posts)
When I first ran combo-fix, it seemed to delete several files from C:\Windows\system32\drivers\down..........
However, a blank/empty log file was generated.

This log is from the second time of running, when it did generate OK.


ComboFix 08-01-29.2 - Kenny 2008-01-29 5:45:39.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2626 [GMT 0:00]
Running from: C:\Users\Kenny\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\down

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 05:48 . 2008-01-29 05:48 <DIR> d-------- C:\Windows\System32\drivers\down
2008-01-27 21:17 . 2008-01-27 21:17 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-01-27 21:17 . 2008-01-27 21:17 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-01-27 21:15 . 2008-01-27 21:15 <DIR> d-------- C:\Program Files\bla
2008-01-27 20:59 . 2008-01-27 20:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 20:44 . 2008-01-29 05:31 <DIR> d-------- C:\ComboFix
2008-01-27 20:31 . 2008-01-27 20:44 <DIR> d-------- C:\Users\Kenny\.housecall6.6
2008-01-27 20:30 . 2008-01-27 20:30 <DIR> d-------- C:\Windows\Sun
2008-01-27 20:01 . 2008-01-27 20:03 <DIR> d-------- C:\Program Files\Grisoft(0)
2008-01-27 19:43 . 2008-01-27 20:01 <DIR> d-------- C:\Users\All Users\Grisoft(2)
2008-01-27 19:43 . 2008-01-27 20:01 <DIR> d-------- C:\ProgramData\Grisoft(2)
2008-01-27 19:32 . 2008-01-27 19:42 <DIR> d-------- C:\Users\All Users\avg7(1)
2008-01-27 19:32 . 2008-01-27 19:42 <DIR> d-------- C:\ProgramData\avg7(1)
2008-01-27 11:52 . 2008-01-27 11:53 376,989,838 --a------ C:\Windows\MEMORY.DMP
2008-01-27 11:50 . 2007-06-08 13:53 1,753,088 --a------ C:\Windows\System32\ExGrid.dll
2008-01-27 11:49 . 2008-01-27 11:49 <DIR> d-------- C:\Program Files\AnswersThatWork
2008-01-20 09:54 . 2008-01-20 09:54 <DIR> d-------- C:\Users\Chloe\AppData\Roaming\3Dconnexion
2008-01-19 08:26 . 2008-01-19 08:26 <DIR> d-------- C:\Users\Sarah\AppData\Roaming\3Dconnexion
2008-01-19 03:00 . 2007-12-12 02:15 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-01-18 19:41 . 2008-01-18 19:41 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2008-01-18 19:38 . 2008-01-18 19:38 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-18 19:38 . 2008-01-18 19:38 1,409 --a------ C:\Windows\QTFont.for
2008-01-18 19:33 . 2008-01-18 19:33 <DIR> d-------- C:\Users\Kenny\AppData\Roaming\3Dconnexion
2008-01-18 19:31 . 2008-01-18 19:31 <DIR> d-------- C:\Program Files\3Dconnexion
2008-01-10 20:07 . 2008-01-10 20:07 <DIR> d-------- C:\Program Files\eMule
2008-01-09 21:36 . 2008-01-09 21:36 <DIR> d-------- C:\Users\Kenny\AppData\Roaming\eMule

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 05:48 30,008 ----a-w C:\Windows\system32\drivers\ET5Drv.sys
2008-01-29 05:48 --------- d-----w C:\Program Files\WinTV
2008-01-29 05:22 24,944 ----a-w C:\Windows\system32\drivers\GVTDrv.sys
2008-01-28 04:24 --------- d-----w C:\Users\Sarah\AppData\Roaming\AVG7
2008-01-28 04:24 --------- d-----w C:\Users\Chloe\AppData\Roaming\AVG7
2008-01-28 04:24 --------- d-----w C:\ProgramData\avg7
2008-01-27 20:38 --------- d-----w C:\ProgramData\Grisoft
2008-01-27 15:40 --------- d-----w C:\Users\Kenny\AppData\Roaming\AVG7
2008-01-27 15:40 --------- d-----w C:\ProgramData\FLEXnet
2008-01-27 15:40 --------- d-----w C:\Program Files\Common Files\Real
2008-01-19 15:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 15:58 --------- d-----w C:\Program Files\Google
2008-01-10 20:08 --------- d-----w C:\ProgramData\eMule
2007-12-28 11:04 --------- d-----w C:\Program Files\Dora The Explorer
2007-12-27 20:58 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-27 20:22 --------- d-----w C:\Program Files\Codemasters
2007-12-27 09:11 --------- d-----w C:\ProgramData\WindowsSearch
2007-12-26 21:23 --------- d-----w C:\Program Files\Gigabyte
2007-12-26 20:43 --------- d-----w C:\ProgramData\Office Genuine Advantage
2007-12-25 23:04 --------- d-----w C:\Program Files\MagicTune Premium
2007-12-25 23:01 --------- d-----w C:\Users\Kenny\AppData\Roaming\InstallShield
2007-12-25 22:21 --------- d-----w C:\Program Files\SEC
2007-12-25 21:06 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2007-12-22 20:01 174 --sha-w C:\Program Files\desktop.ini
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Photo Gallery
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Mail
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Journal
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Defender
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Collaboration
2007-12-22 19:49 --------- d-----w C:\Program Files\Windows Calendar
2007-12-22 19:19 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2007-12-22 19:19 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2007-12-22 17:38 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2007-12-20 21:03 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-20 19:47 55,304 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2007-12-13 17:44 --------- d-----w C:\Users\Chloe\AppData\Roaming\Talkback
2007-12-11 22:32 --------- d-----w C:\Users\Kenny\AppData\Roaming\dvdcss
2007-12-06 20:08 --------- d-----w C:\Users\Kenny\AppData\Roaming\Talkback
2007-12-06 11:16 --------- d-----w C:\Users\Sarah\AppData\Roaming\Talkback
2007-12-03 22:45 --------- d-----w C:\Program Files\Java
2007-12-03 22:35 --------- d-----w C:\Program Files\Canon
2007-12-03 22:29 --------- d-----w C:\Users\Kenny\AppData\Roaming\ZoomBrowser EX
2007-12-03 22:17 --------- d-----w C:\ProgramData\ZoomBrowser
2007-12-01 08:07 --------- d-----w C:\Program Files\QuickTime
2007-12-01 08:06 --------- d-----w C:\ProgramData\Apple Computer
2007-11-30 12:19 986,680 ----a-w C:\Windows\System32\winload.exe
2007-11-30 12:19 926,776 ----a-w C:\Windows\System32\winresume.exe
2007-11-30 12:17 891,448 ----a-w C:\Windows\system32\drivers\tcpip.sys
2007-11-30 12:17 614,968 ----a-w C:\Windows\System32\ci.dll
2007-11-30 12:17 529,464 ----a-w C:\Windows\system32\drivers\ndis.sys
2007-11-30 12:17 504,376 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2007-11-30 12:17 440,888 ----a-w C:\Windows\system32\drivers\ksecdd.sys
2007-11-30 12:17 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-11-30 12:17 3,599,928 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-11-30 12:17 3,547,192 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-11-30 12:17 294,456 ----a-w C:\Windows\system32\drivers\volmgrx.sys
2007-11-30 12:17 266,808 ----a-w C:\Windows\system32\drivers\acpi.sys
2007-11-30 12:17 247,352 ----a-w C:\Windows\System32\clfs.sys
2007-11-30 12:17 227,896 ----a-w C:\Windows\system32\drivers\volsnap.sys
2007-11-30 12:17 223,288 ----a-w C:\Windows\system32\drivers\netio.sys
2007-11-30 12:17 192,056 ----a-w C:\Windows\system32\drivers\fltMgr.sys
2007-11-30 12:17 181,304 ----a-w C:\Windows\system32\drivers\msiscsi.sys
2007-11-30 12:17 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2007-11-30 12:17 163,384 ----a-w C:\Windows\system32\drivers\msrpc.sys
2007-11-30 12:17 1,082,424 ----a-w C:\Windows\system32\drivers\ntfs.sys
2007-11-30 12:16 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2007-11-30 12:16 151,096 ----a-w C:\Windows\system32\drivers\pci.sys
2007-11-30 12:16 143,416 ----a-w C:\Windows\system32\drivers\ecache.sys
2007-11-30 12:16 142,904 ----a-w C:\Windows\system32\drivers\scsiport.sys
2007-11-30 12:16 141,880 ----a-w C:\Windows\System32\halacpi.dll
2007-11-30 12:16 127,544 ----a-w C:\Windows\system32\drivers\Classpnp.sys
2007-11-30 12:16 123,960 ----a-w C:\Windows\system32\drivers\Storport.sys
2007-11-30 12:16 110,136 ----a-w C:\Windows\system32\drivers\ataport.sys
2007-11-30 12:16 101,432 ----a-w C:\Windows\system32\drivers\FWPKCLNT.SYS
2007-11-30 12:15 58,936 ----a-w C:\Windows\system32\drivers\fileinfo.sys
2007-11-30 12:15 57,400 ----a-w C:\Windows\system32\drivers\mountmgr.sys
2007-11-30 12:15 56,376 ----a-w C:\Windows\system32\drivers\partmgr.sys
2007-11-30 12:15 55,352 ----a-w C:\Windows\system32\drivers\disk.sys
2007-11-30 12:15 54,328 ----a-w C:\Windows\system32\drivers\termdd.sys
2007-11-30 12:15 52,792 ----a-w C:\Windows\system32\drivers\volmgr.sys
2007-11-30 12:15 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2007-11-30 12:15 49,208 ----a-w C:\Windows\system32\drivers\mup.sys
2007-11-30 12:15 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2007-11-30 12:15 36,408 ----a-w C:\Windows\system32\drivers\crashdmp.sys
2007-11-30 12:15 35,896 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2007-11-30 12:15 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2007-11-30 12:15 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2007-11-30 12:15 31,288 ----a-w C:\Windows\system32\drivers\mssmbios.sys
2007-11-30 12:15 29,240 ----a-w C:\Windows\system32\drivers\Dumpata.sys
2007-11-30 12:15 1,203,792 ----a-w C:\Windows\System32\ntdll.dll
2007-11-30 12:14 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2007-11-30 12:14 21,560 ----a-w C:\Windows\System32\kdusb.dll
2007-11-30 12:14 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2007-11-30 12:14 21,048 ----a-w C:\Windows\system32\drivers\spldr.sys
2007-11-30 12:14 19,512 ----a-w C:\Windows\System32\kdcom.dll
2007-11-30 12:14 17,976 ----a-w C:\Windows\system32\drivers\wmilib.sys
2007-11-30 12:14 17,976 ----a-w C:\Windows\system32\drivers\intelide.sys
2007-11-30 12:14 16,440 ----a-w C:\Windows\system32\drivers\msisadrv.sys
2007-11-30 12:14 15,288 ----a-w C:\Windows\system32\drivers\swenum.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-11-30 12:07 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2007-11-30 12:07 125952]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2004-02-23 07:08 706155]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 22:06 2321600]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-29 05:30 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-30 12:13 1008184]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 12:35 176128]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 05:30 579072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-12 13:33 4186112 C:\Windows\RtHDVCpl.exe]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-31 04:44 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-19 08:21 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"EPGServiceTool"="C:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe" [2007-08-01 03:26 675840]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 13:21 94208]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"MagicTuneEngine"="C:\Program Files\MagicTune Premium\MagicTuneEngine.exe" [2007-06-14 11:00 69632]
"EasyTuneVPro"="C:\Program Files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 15:05 20480]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 05:20 219136]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2007-10-02 18:51:51 110647]
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2007-12-25 23:04:00 36864]
NCProTray.lnk - C:\Program Files\SEC\Natural Color Pro\NCProTray.exe [2007-12-25 22:21:06 49220]
Start 3DxWare.lnk - C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2007-11-06 18:28:30 118272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-07-29 21:31 9216 C:\Windows\System32\avgwlntf.dll

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\Windows\system32\drivers\pe3ah4nc.sys [2007-05-18 19:53]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\Windows\system32\drivers\ps6ah4nc.sys [2007-05-18 19:52]
R2 EPGService;EPGService;C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe [2007-09-05 16:46]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);"C:\Program Files\UGS\UGSLicensing\lmgrd.exe" [2007-02-02 16:02]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-06-27 02:00]
R3 GVTDrv;GVTDrv;C:\Windows\system32\Drivers\GVTDrv.sys [2008-01-29 05:49]
R3 HCW99BDA;Hauppauge Nova-DT Dual DVB-T Tuner;C:\Windows\system32\Drivers\hcw99bda.sys [2007-03-23 11:51]
R3 hcw99rc;Hauppauge Nova-DT IR Driver;C:\Windows\system32\Drivers\hcw99rc.sys [2007-03-23 11:51]
R3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5Pro\markfun.w32 [2007-08-21 11:49]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-22 08:12]
R4 atidgllk;atidgllk;C:\Program Files\Gigabyte\ET5Pro\atidgllk.sys [2006-07-19 12:25]
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\Windows\system32\pr2ah4nc.exe svc []
S3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2007-12-20 19:47]
S3 exfat;exFAT File System Driver;C:\Windows\system32\drivers\exfat.sys [2007-11-30 10:01]
S3 gdrv;gdrv;C:\Windows\gdrv.sys [2007-07-30 16:51]
S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 14:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e6793df-4001-11dc-a261-001a4d63cfcd}]
\shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af6dc20c-3e49-11dc-93bd-806e6f6e6963}]
\shell\AutoRun\command - D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d554d764-9808-11dc-9a06-001a4d63cfcd}]
\shell\AutoRun\command - E:\Setup.exe

*Newly Created Service* - MARKFUN_NT
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 23:23:28 C:\Windows\Tasks\User_Feed_Synchronization-{2743D78A-AC7A-46E9-BF84-F9C2A9BFC502}.job"
- C:\Windows\system32\msfeedssync.exe
"2008-01-29 05:50:00 C:\Windows\Tasks\User_Feed_Synchronization-{89264969-2296-49ED-B072-E2C1A4866357}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 05:48:51
Windows 6.0.6001 Service Pack 1, v.668 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\Program Files\UGS\UGSLicensing\lmgrd.exe
C:\Program Files\UGS\UGSLicensing\lmgrd.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\UGS\UGSLicensing\ugslmd.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\WinTV\EPG Services\System\EPGClient.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Gigabyte\ET5Pro\GUI.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-01-29 5:52:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 05:52:00
ComboFix2.txt 2008-01-29 05:39:26
.
2008-01-25 09:14:42 --- E O F ---

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.

(Note: if you cannot open the log it produces, right-click on it and choose Rename.
Rename it to .txt and you will be able to open it.)


#7 kennyjspeirs (Topic Starter, Member, 11 posts)
OK, the log file has found and deleted some problems.

Silent Runners.vbs;C:\Documents and Settings\Kenny\Desktop;Probably BATCH.Virus;;
Patch.exe;C:\Documents and Settings\Kenny\Downloads\SlySoft.CloneCD.v5.3.0.1.KeyMaker.and.Patch.Only-DVT\SlySoft.CloneCD.v5.3.0.1.KeyMake;Tool.ASEye.2;;
The_Rise_of_Atlantis-v1_0-dm[1].exe;C:\Downloads;Adware.TryMedia;;
GoogleToolbarNotifier.exe;C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462;Win32.HLLM.Beagle;Deleted.;
Patch.exe;C:\Program Files\SlySoft\CloneCD;Tool.ASEye.2;;
114754.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Trojan.PWS.Nerf;Deleted.;
126782.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
128529.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
143099.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
149074.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
183907160.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
183909750.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
183915132.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Trojan.PWS.Nerf;Deleted.;
183919453.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
189010.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Trojan.PWS.Nerf;Deleted.;
201178.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
234563.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Trojan.PWS.Nerf;Deleted.;
260911.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
261863.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
53523.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
873075.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
876632.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\down;Win32.HLLM.Beagle;Deleted.;
Silent Runners.vbs;C:\Users\Kenny\Desktop;Probably BATCH.Virus;;
Patch.exe;C:\Users\Kenny\Downloads\SlySoft.CloneCD.v5.3.0.1.KeyMaker.and.Patch.Only-DVT\SlySoft.CloneCD.v5.3.0.1.KeyMaker.and.Patch.Only-;Tool.ASEye.2;;

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Are you able to run any security software (for example: HijackThis or AVG, etc.)?
==========================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 kennyjspeirs (Topic Starter, Member, 11 posts)
Thanks for your help!

Still unable to run hijackthis or AVG - not a valid Win32 application error.

KASPERSKY log below

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 30, 2008 5:21:13 AM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1, v.668 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 536353
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 195239
Number of viruses found: 8
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:36:23

Infected Object Name / Virus Name / Last Action
C:\Program Files\UGS\UGSLicensing\ugslicensing.log Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\afd087a1a6f9faca6c8edde3ceb1aa86_f66ac2f4-2f71-4da2-bc63-2d6a0ad92b6f Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_f66ac2f4-2f71-4da2-bc63-2d6a0ad92b6f Object is locked skipped
C:\ProgramData\Microsoft\eHome\logs\eHomeLog00.sqm Object is locked skipped
C:\ProgramData\Microsoft\eHome\logs\eHomeLog01.sqm Object is locked skipped
C:\ProgramData\Microsoft\eHome\logs\eHomeLog02.sqm Object is locked skipped
C:\ProgramData\Microsoft\eHome\logs\eHomeLog06.sqm Object is locked skipped
C:\ProgramData\Microsoft\eHome\logs\~ehshell.exe.684.sqm Object is locked skipped
C:\ProgramData\Microsoft\User Account Pictures\Chloe.dat Object is locked skipped
C:\ProgramData\Microsoft\User Account Pictures\Sarah.dat Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 53513.47.zip/srosa.sys Infected: Trojan-Downloader.Win32.Bagle.iu skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 53513.47.zip/wintems.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 53513.47.zip/mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 53513.47.zip/hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.iv skipped
C:\QooBox\Quarantine\catchme2008-01-29_ 53513.47.zip ZIP: infected - 4 skipped
C:\QooBox\Quarantine\Registry_backups\LEGACY_SROSA.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\QooBox\Quarantine\Registry_backups\services_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\UsrClass.dat{541465d0-ccce-11dc-b85a-001a4d63cfcd}.TM.blf Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\UsrClass.dat{541465d0-ccce-11dc-b85a-001a4d63cfcd}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows\UsrClass.dat{541465d0-ccce-11dc-b85a-001a4d63cfcd}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Tiscali.co e2d\Junk E-mail\311A3954-00000005.eml/[From "Volksbanken Raiffeisenbanken AG" <[email protected]>][Date Sun, 11 Feb 2007 06:13:01 +0100 (added by [email protected])]/html Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Tiscali.co e2d\Junk E-mail\311A3954-00000005.eml Mail: infected - 1 skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Tiscali.co e2d\Junk E-mail\5B5E7A12-0000000A.eml/[From "Branch Banking and Trust" <[email protected]>][Date Wed, 28 Feb 2007 18:16:33 +0100 (added by [email protected])]/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Tiscali.co e2d\Junk E-mail\5B5E7A12-0000000A.eml/[From "Branch Banking and Trust" <[email protected]>][Date Wed, 28 Feb 2007 18:16:33 +0100 (added by [email protected])]/cave.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Tiscali.co e2d\Junk E-mail\5B5E7A12-0000000A.eml Mail: infected - 2 skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Yahoo (kenn 182\Inbox\1B0B69CD-00000531.eml/[From "eBay" <[email protected]>][Date Thu, 01 Mar 2007 15:20:52 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.gw skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Live Mail\Yahoo (kenn 182\Inbox\1B0B69CD-00000531.eml Mail: infected - 1 skipped
C:\Users\Kenny\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Kenny\AppData\Local\Temp\Low\~DFD069.tmp Object is locked skipped
C:\Users\Kenny\AppData\Local\Temp\Low\~DFD094.tmp Object is locked skipped
C:\Users\Kenny\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

Scan process completed.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try to re-install any program that gives you that error, please; they should then work.

After that all I see that needs to go is some e-mails in your junk box and one in your inbox.
For windows live mail.

Inbox>From "eBay" <[email protected]>][Date Thu, 01 Mar 2007 15:20:52 -0500
delete that one and then empty your junk box please.
==================================
Time for some housekeeping
  • Click START, then Search, then click on RUN
  • Now type Combo-fix /u in the run box and click OK



    The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
==================================
Let me know if re-installing fixes the issues.
  • 0

#11
kennyjspeirs

kennyjspeirs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Kahdah, thanks for all your help! :)

I deleted the e-mails and reinstalled AVG, successfully updated it and ran a scan (nothing found).

I have manually changed some security services to start automatically (windows security centre / auto updates / defender)

There are, however, a further 4 services that are currently disabled:

Ati HotKey Poller
NetTcpPortSharing
RemoteAccess
Mcx2Svc (Windows Media Center Extender Service)

Should I enable these to start automatically?

Also, when I start Internet Explorer I'm getting an error message I've not seen before.

"Cannot find '::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}'. Make sure the path or Internet address is correct."

Otherwise everything else is OK, I think?
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try to launch Internet Explorer from a different shortcut.
By chance is that one in your All Programs menu?
If so then it is a bad shortcut.

Yes, you can set all of those services to start automatically if you wish.
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
  • 0
