IPHaction.dll- trojan.proscks.a- win32.dnschanger.haw [RESOLVED]
#16
Posted 16 August 2008 - 09:22 AM
#17
Posted 17 August 2008 - 06:23 AM
- Please go to VirSCAN.org FREE on-line scan service
- Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
- C:\Documents and Settings\NORT\Application Data\netstat.bat
- Click on the Upload button
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\wmoptimizer.dll
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\new2.exe
NetSvc::
wmosvr
WMOptimizer
Driver::
WMOptimizer
Ias
Sysrst::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
So when you come back please post
- VirSCAN report
- SDFix report
- ComboFix text
- a new HijackThis log
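The CFScript quoted in the instructions above is a small line-oriented format: a directive line ending in `::` (KillAll::, File::, NetSvc::, Driver::, Sysrst::) followed by the entries that directive applies to. Because ComboFix deletes whatever File:: names and removes whatever NetSvc::/Driver:: names, a helper wants to re-read a script for typos before handing it over. The following parser and sanity check is an added example, not code from this thread or from ComboFix; the set of known directives is taken only from the script in the post (ComboFix accepts more), and the sample scripts are constructed here, the first one copied from the post.

```python
"""Parse and sanity-check a ComboFix CFScript before giving it to a user.

Added example for this thread; not ComboFix's own code. Directive names
below are the ones that appear in the post's script (assumption: treated
as the only known set for this check).
"""
import re

KNOWN_DIRECTIVES = {"KillAll", "File", "NetSvc", "Driver", "Sysrst"}
PATH_DIRECTIVES = {"File"}            # entries must be absolute file paths
NAME_DIRECTIVES = {"NetSvc", "Driver"}  # entries must be bare service/driver names

WIN_ABS_PATH = re.compile(r'^[A-Za-z]:\\(.*)$')
SERVICE_NAME = re.compile(r'^[A-Za-z0-9_.-]+$')
ILLEGAL_PATH_CHARS = '*?"<>|'


def parse_cfscript(text):
    """Return an ordered list of (directive, [entries]) pairs."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = (line[:-2], [])
            sections.append(current)
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            current[1].append(line)
    return sections


def check_cfscript(text):
    """Return human-readable problems; an empty list means the script looks sane."""
    problems = []
    seen = set()
    for directive, entries in parse_cfscript(text):
        if directive not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {directive}::")
            continue
        for entry in entries:
            key = (directive, entry.lower())  # Windows paths are case-insensitive
            if key in seen:
                problems.append(f"{directive}:: lists {entry} twice")
            seen.add(key)
            if directive in PATH_DIRECTIVES:
                m = WIN_ABS_PATH.match(entry)
                if not m:
                    problems.append(f"File:: entry is not an absolute Windows path: {entry}")
                    continue
                rest = m.group(1)
                if not rest or rest.endswith("\\"):
                    problems.append(f"File:: entry names a drive root or directory: {entry}")
                elif any(c in rest for c in ILLEGAL_PATH_CHARS):
                    problems.append(f"File:: entry contains wildcard/illegal characters: {entry}")
                elif "." not in rest.rsplit("\\", 1)[-1]:
                    problems.append(f"File:: entry has no extension; confirm it is a file, not a directory: {entry}")
            elif directive in NAME_DIRECTIVES and not SERVICE_NAME.match(entry):
                problems.append(f"{directive}:: entry is not a plain service/driver name: {entry}")
    return problems


# Constructed sample 1: the script quoted in the post above.
SAMPLE_CFSCRIPT = r"""
KillAll::
File::
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\wmoptimizer.dll
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\new2.exe
NetSvc::
wmosvr
WMOptimizer
Driver::
WMOptimizer
Ias
Sysrst::
"""

# Constructed sample 2: a deliberately sloppy script to show what the check catches.
BAD_CFSCRIPT = r"""
File::
C:\WINDOWS
system32\new2.exe
C:\WINDOWS\system32\new2.exe
C:\WINDOWS\system32\new2.exe
Foo::
x
"""

if __name__ == "__main__":
    for name, script in (("post script", SAMPLE_CFSCRIPT), ("sloppy script", BAD_CFSCRIPT)):
        for directive, entries in parse_cfscript(script):
            print(f"{name}: {directive}:: -> {entries}")
        for p in check_cfscript(script):
            print(f"{name}: PROBLEM: {p}")
```

The check is deliberately conservative: it only flags entries that are structurally suspicious (relative paths, directories, duplicates, unknown directives) and never decides whether a file is malicious; that judgment still comes from the logs the user posts back.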
#18
Posted 17 August 2008 - 04:56 PM
File Name : netstat.bat
File Size : 106 byte
File Type : ASCII text, with no line terminators
MD5 : e052d52ce6484bcca9d91457ec7e4efe
SHA1 : 821818ea5fa87e44eea058065190775fa57
Scanner results : All Scanners reported not find malware!
Time : 2008/08/17 14:48:08 (PDT)
SDFix: Version 1.216
Run by NORT on 2008-08-17 at 15:04
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\TFTP2820 - Deleted
C:\WINDOWS\system32\rtl60.bpl - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 15:11:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 18 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 1,028,096 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 343,040 A.SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Wed 4 Aug 2004 54,784 ..SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Tue 12 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp"
Fri 15 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Finished!
ComboFix 08-08-15.04 - NORT 2008-08-17 15:19:30.7 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.310 [GMT -7:00]
Running from: C:\Documents and Settings\NORT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NORT\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbin.exe
C:\WINDOWS\system32\new2.exe
C:\WINDOWS\system32\wmoptimizer.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\#SharedObjects\ZYNBGGM5\interclick.com
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\#SharedObjects\ZYNBGGM5\interclick.com\ud.sol
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\NORT\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\NORT\Cookies\[email protected][2].txt
C:\Documents and Settings\NORT\Cookies\nort@ebay[1].txt
C:\Documents and Settings\NORT\Cookies\[email protected][1].txt
C:\Documents and Settings\NORT\Cookies\nort@live[2].txt
C:\Documents and Settings\NORT\Cookies\nort@msn[1].txt
C:\Documents and Settings\NORT\Cookies\nort@realmedia[2].txt
C:\Documents and Settings\NORT\Cookies\nort@revsci[1].txt
C:\WINDOWS\system32\new2.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IAS
-------\Legacy_WMOPTIMIZER
-------\Service_Ias
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.
2008-08-17 15:00 . 2008-08-17 15:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-17 14:56 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
2008-08-16 16:40 . 2008-08-16 16:40 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-15 09:41 . 2008-08-15 09:41 <DIR> d-------- C:\_OTMoveIt
2008-08-14 06:54 . 2008-05-01 07:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 18:15 . 2008-08-13 18:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-13 16:16 . 2008-08-13 16:16 <DIR> d-------- C:\Documents and Settings\NORT\Application Data\Malwarebytes
2008-08-13 16:15 . 2008-08-13 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 21:15 . 2008-08-12 21:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-12 03:40 . 2008-08-12 03:40 746 --a------ C:\WINDOWS\win.ini
2008-08-11 11:36 . 2008-08-11 11:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-11 03:06 . 2008-08-11 03:06 106 --a------ C:\Documents and Settings\NORT\Application Data\netstat.bat
2008-08-10 21:25 . 2008-07-18 01:26 68,912 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2008-08-10 21:25 . 2008-07-18 01:26 13,360 --a------ C:\WINDOWS\system32\drivers\sbaphd.sys
2008-08-10 21:16 . 2008-08-10 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-10 21:13 . 2008-04-28 14:48 202,160 --a------ C:\WINDOWS\system32\drivers\sbtis.sys
2008-08-10 15:51 . 2008-08-10 15:51 58 ---hs---- C:\WINDOWS\system32\User.ini
2008-08-08 21:43 . 2008-08-08 21:43 0 --a------ C:\CWSDPMI.SWP
2008-08-08 21:37 . 2008-05-06 16:49 428,904 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-08-08 21:37 . 2006-07-24 18:51 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2008-07-24 18:55 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-07-24 18:55 . 2008-07-24 18:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-07-24 18:55 . 2008-07-24 18:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-07-21 22:01 . 2008-07-21 22:01 59,176 --a------ C:\WINDOWS\system32\sbbd.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 22:08 47,360 ----a-w C:\Documents and Settings\NORT\Application Data\pcouffin.sys
2008-08-09 05:24 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-09 05:24 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-30 20:17 --------- d-----w C:\Program Files\DVDFab 5
2008-06-24 17:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-17 02:21 29,696 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 23:55 8,704 ----a-w C:\WINDOWS\system32\smrgdf.exe
2006-10-27 18:03 81,920 ----a-w C:\Documents and Settings\NORT\Application Data\ezpinst.exe
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 07:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
.
((((((((((((((((((((((((((((( snapshot@2008-08-16_ 6.40.57.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-17 22:01:06 8,290,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-17 22:01:06 557,056 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-17 22:00:56 8,290,304 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-17 22:00:56 557,056 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-07-19 14:43:08 1,163,960 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-07-19 14:30:54 94,392 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-07-19 14:32:16 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-07-19 14:37:42 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-01-17 16:34:02 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
+ 2008-07-19 14:37:22 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-07-19 14:33:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-07-19 14:35:18 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-07-19 14:32:36 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-08-17 22:23:04 16,384 ----a-w C:\WINDOWS\temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\_OTMoveIt\MovedFiles\08152008_094116\WINDOWS\system32\sobicyt.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002578.exe
C:\_OTMoveIt\MovedFiles\08152008_094116\WINDOWS\system32\tdxdowkc.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002579.exe
2004-08-04 00:56 25600 C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2004-08-04 00:56 25600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001268.dll
2004-08-04 00:56 25600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001502.dll
C:\Documents and Settings\NORT\Application Data\inst.exe
2008-08-11 15:08 87608 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001445.exe
C:\kmd.exe
2004-08-04 00:56 388608 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001439.exe
2008-08-17 15:23 188600 C:\Program Files\Alwil Software\Avast4\DATA\aswar0.dll
2008-08-16 19:17 188600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002560.dll
2008-08-17 15:09 188600 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP11\A0002725.dll
2008-08-17 15:23 391216 C:\Program Files\Alwil Software\Avast4\DATA\clnr0.dll
2008-08-16 19:17 391216 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002558.dll
2008-08-17 15:09 391216 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP11\A0002723.dll
2008-08-17 15:23 9080 C:\Program Files\Alwil Software\Avast4\DATA\exts0.dll
2008-08-16 19:17 9080 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002559.dll
2008-08-17 15:09 9080 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP11\A0002724.dll
C:\Program Files\Common Files\Authentium\AntiVirus\csav.exe
2007-07-09 12:53 136456 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001119.exe
C:\Program Files\Common Files\Authentium\AntiVirus\Css-Dvp.sys
2007-07-09 12:01 834448 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001125.sys
C:\Program Files\Common Files\Authentium\AntiVirus\css3rde.dll
2007-07-09 12:54 161032 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001121.dll
C:\Program Files\Common Files\Authentium\AntiVirus\css3rdem.dll
2007-07-09 12:54 161032 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001118.dll
C:\Program Files\Common Files\Authentium\AntiVirus\csscan32.dll
2007-07-09 12:54 750856 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001120.dll
C:\Program Files\Common Files\Authentium\AntiVirus\defvn.dll
2008-08-09 13:41 8664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001123.dll
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
2007-07-09 12:54 177416 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001258.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpmgr.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001127.exe
C:\WINDOWS\inf\_000000_.tmp.dll
2008-06-20 10:55 926 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001128.dll
C:\Program Files\Common Files\Authentium\AntiVirus\odapi.dll
2007-07-09 12:54 353544 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001122.dll
2008-05-01 07:30 331776 C:\Program Files\Common Files\System\msadc\msadce.dll
2004-08-04 00:56 331776 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001191.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
2007-06-11 01:25 6731312 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000008.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgasc64.sys
2007-05-30 04:10 14072 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000014.sys
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgascln.sys
2007-05-30 04:10 10872 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000009.sys
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
2007-05-30 04:29 144944 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000013.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context64.dll
2007-05-30 04:29 261680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000016.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll
2007-06-07 02:49 448048 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000024.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2007-05-30 04:31 312880 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000011.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
2007-05-30 04:10 11000 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000012.sys
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard64.sys
2007-05-30 04:10 12024 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000015.sys
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
2007-05-30 04:29 79408 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000025.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook64.dll
2007-05-30 04:29 126512 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000017.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
2008-02-04 20:59 475893 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000018.exe
2008-06-23 02:20 625664 C:\Program Files\Internet Explorer\iexplore.exe
2008-04-22 00:40 625664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001156.EXE
2008-06-23 02:20 625664 C:\Program Files\Internet Explorer\iexplore.exe
2008-04-22 00:40 625664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001224.exe
C:\Program Files\LimeWire\.NetworkShare\LimeWireWin4.8.1.exe
2006-11-29 18:31 2314920 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000069.exe
C:\Program Files\LimeWire\GenericWindowsUtils.dll
2005-03-09 11:49 12279 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000070.dll
C:\Program Files\LimeWire\LimeWire.exe
2005-03-09 11:49 81920 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000071.exe
C:\Program Files\LimeWire\LimeWire20.dll
2005-03-09 11:49 32768 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000073.dll
C:\Program Files\LimeWire\uninstall.exe
2008-01-09 18:44 109826 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000079.exe
C:\Program Files\LimeWire\WindowsV5PlusUtils.dll
2005-03-09 11:49 12808 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000077.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
2008-07-30 20:07 61048 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002616.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
2008-07-30 20:07 1187448 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002614.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
2008-07-30 20:07 73336 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002619.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2008-07-30 20:07 110200 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002608.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
2008-07-30 20:07 372344 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002609.exe
C:\Program Files\Malwarebytes' Anti-Malware\SSUBTMR6.DLL
2008-07-30 20:07 44664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002611.DLL
C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe
2008-08-13 16:15 688760 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002617.exe
C:\Program Files\Malwarebytes' Anti-Malware\ZLIB.DLL
2008-07-30 20:07 77944 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002612.DLL
C:\Program Files\Sunbelt Software\VIPRE\Definitions\libRar.dll
2008-08-08 04:26 271656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000035.dll
C:\Program Files\Sunbelt Software\VIPRE\Definitions\libZip.dll
2008-08-08 04:26 218408 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000036.dll
C:\Program Files\Sunbelt Software\VIPRE\Definitions\remediation.dll
2008-08-08 04:27 267560 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000041.dll
C:\Program Files\Sunbelt Software\VIPRE\Definitions\vcore.dll
2008-08-08 04:27 1008936 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000044.dll
C:\Program Files\Sunbelt Software\VIPRE\Drivers\amd64\sbapifs.sys
2008-07-18 01:26 62000 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001343.sys
C:\Program Files\Sunbelt Software\VIPRE\Drivers\amd64\SBTIS.sys
2008-04-28 14:48 81968 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001342.sys
C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\sbaphd.sys
2008-07-18 01:26 13360 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001377.sys
C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\sbapifs.sys
2008-07-18 01:26 68912 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001376.sys
C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\sbapifsl.sys
2008-07-18 01:26 77488 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001375.sys
C:\Program Files\Sunbelt Software\VIPRE\Drivers\i386\SBTIS.sys
2008-04-28 14:48 202160 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001374.sys
C:\Program Files\Sunbelt Software\VIPRE\Eraser.dll
2007-09-19 13:40 634880 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001337.dll
C:\Program Files\Sunbelt Software\VIPRE\MIMEPP.DLL
2008-05-12 22:33 212992 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001338.DLL
C:\Program Files\Sunbelt Software\VIPRE\oecom.dll
2007-11-06 18:08 503808 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001367.dll
C:\Program Files\Sunbelt Software\VIPRE\oehook.dll
2007-11-06 18:08 106496 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001354.dll
C:\Program Files\Sunbelt Software\VIPRE\oestore.dll
2007-11-06 18:08 327680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001344.dll
C:\Program Files\Sunbelt Software\VIPRE\SBAMCreateRestore.exe
2008-07-21 22:02 439592 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001323.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMOutlook.dll
2008-07-21 22:02 345384 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001327.dll
C:\Program Files\Sunbelt Software\VIPRE\SBAMRes.dll
2008-07-21 22:02 3622184 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001352.dll
C:\Program Files\Sunbelt Software\VIPRE\SBAMSafeModeUI.exe
2008-07-21 22:02 804136 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001324.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMScanShellExt.dll
2008-07-21 22:02 234792 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001339.dll
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
2008-07-21 22:01 849192 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001325.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvcPS.dll
2008-07-21 22:01 79144 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001340.dll
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
2008-07-21 22:02 935208 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001351.exe
C:\Program Files\Sunbelt Software\VIPRE\sbamui.exe
2008-07-21 22:02 1996072 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001334.exe
C:\Program Files\Sunbelt Software\VIPRE\sbamwsc.exe
2008-07-21 22:02 435496 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001336.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAP.DLL
2008-07-21 22:01 554280 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001364.DLL
C:\Program Files\Sunbelt Software\VIPRE\SBArva.dll
2008-07-21 22:02 206120 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001362.dll
C:\Program Files\Sunbelt Software\VIPRE\SBFE.DLL
2008-07-21 22:02 238888 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001361.DLL
C:\Program Files\Sunbelt Software\VIPRE\SBRC.EXE
2008-07-21 22:01 197928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001341.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBRE.dll
2008-07-21 22:01 242984 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001360.dll
C:\Program Files\Sunbelt Software\VIPRE\SBSDKXML.DLL
2008-07-21 22:01 636200 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001353.DLL
C:\Program Files\Sunbelt Software\VIPRE\SBTE.DLL
2008-07-21 22:01 1142568 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001359.DLL
C:\Program Files\Sunbelt Software\VIPRE\SBTIS.DLL
2008-07-21 22:02 83240 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001349.DLL
C:\Program Files\Sunbelt Software\VIPRE\SBTISinstaller.exe
2008-07-21 22:02 58664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001333.exe
C:\Program Files\Sunbelt Software\VIPRE\SpursDownload.dll
2008-07-21 22:01 140584 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001345.dll
C:\Program Files\Sunbelt Software\VIPRE\unrar.dll
2005-12-22 17:28 160768 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001347.dll
C:\Program Files\Sunbelt Software\VIPRE\VIPRE.DLL
2008-06-05 11:26 271656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001348.DLL
C:\Program Files\Viewpoint\Common\ViewpointService.exe
2007-01-04 13:38 24652 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001091.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
2007-01-05 08:32 254022 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001101.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
2007-09-02 14:16 217158 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001097.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
2007-09-02 14:17 36864 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001109.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
2007-09-02 14:16 122927 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001112.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
2007-11-12 14:21 204868 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001107.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
2007-10-05 22:46 1282120 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001108.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
2007-11-12 14:21 774210 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001106.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
2007-09-02 14:16 643116 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001111.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
2007-09-02 14:16 41024 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001113.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
2007-09-02 14:16 208941 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001110.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win\Exec.exe
2007-09-02 14:16 256248 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001102.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
2007-01-18 07:53 98304 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001099.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
2007-12-08 21:00 647234 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001104.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
2007-12-08 21:00 770115 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001103.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
2007-12-08 21:00 53298 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001105.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
2007-01-05 08:31 180293 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP4\A0001095.dll
C:\SDFix\attrib.exe
2001-08-18 05:00 11264 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002670.exe
C:\SDFix\backupreg\AppInit_DLLs.reg
2008-08-17 15:01 74 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002662.reg
C:\SDFix\backupreg\bat_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002655.reg
C:\SDFix\backupreg\BHO.reg
2008-08-17 15:01 888 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002644.reg
C:\SDFix\backupreg\com_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002656.reg
C:\SDFix\backupreg\ControlPanel_Load.reg
2008-08-17 15:01 29804 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002661.reg
C:\SDFix\backupreg\Drivers32.reg
2008-08-17 15:01 3370 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002640.reg
C:\SDFix\backupreg\exe_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002651.reg
C:\SDFix\backupreg\HKCU_SOFTWARE_Policy.reg
2008-08-17 15:01 5068 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002658.reg
C:\SDFix\backupreg\HKCU_WINDOWS_Policy.reg
2008-08-17 15:01 2464 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002660.reg
C:\SDFix\backupreg\HKCURun.reg
2008-08-17 15:01 312 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002649.reg
C:\SDFix\backupreg\HKCURunServices.reg
2008-08-17 15:01 228 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002650.reg
C:\SDFix\backupreg\HKLM_SOFTWARE_Policy.reg
2008-08-17 15:01 118774 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002657.reg
C:\SDFix\backupreg\HKLM_WINDOWS_Policy.reg
2008-08-17 15:01 3256 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002659.reg
C:\SDFix\backupreg\HKLMRun.reg
2008-08-17 15:01 2018 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002647.reg
C:\SDFix\backupreg\HKLMRunServices.reg
2008-08-17 15:01 230 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002648.reg
C:\SDFix\backupreg\IEDesktop.reg
2008-08-17 15:01 4676 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002646.reg
C:\SDFix\backupreg\IEMain.reg
2008-08-17 15:01 6436 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002645.reg
C:\SDFix\backupreg\Installed_Components.reg
2008-08-17 15:01 33834 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002643.reg
C:\SDFix\backupreg\pif_shell_open.reg
2008-08-17 15:01 204 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002654.reg
C:\SDFix\backupreg\reg_shell_open.reg
2008-08-17 15:01 222 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002653.reg
C:\SDFix\backupreg\SecurityProviders.reg
2008-08-17 15:01 8002 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002642.reg
C:\SDFix\backupreg\SharedTaskScheduler.reg
2008-08-17 15:01 546 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002665.reg
C:\SDFix\backupreg\ShellServiceObjectDelayLoad.reg
2008-08-17 15:01 816 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002666.reg
C:\SDFix\backupreg\SubSystems.reg
2008-08-17 15:01 4846 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002641.reg
C:\SDFix\backupreg\txt_shell_open.reg
2008-08-17 15:01 668 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002652.reg
C:\SDFix\backupreg\Winlogon.reg
2008-08-17 15:01 29912 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002663.reg
C:\SDFix\backupreg\WinlogonNotify.reg
2008-08-17 15:01 19344 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002664.reg
C:\SDFix\dummy.exe
2008-08-07 16:27 6656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002667.exe
C:\SDFix\Find.exe
2001-08-18 05:00 9216 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002668.exe
C:\SDFix\findstr.exe
2004-08-04 00:56 27136 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002669.exe
C:\SDFix\regedit.exe
2004-08-04 00:56 146432 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002671.exe
C:\SDFix\userinfix.reg
2008-08-17 15:05 169 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002672.reg
C:\WINDOWS\_000000_.tmp.dll
2008-03-20 18:06 9452 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0000022.dll
C:\WINDOWS\_000005_.tmp.dll
2008-04-11 12:18 12431 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001130.dll
2008-06-24 10:04 12431 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001205.dll
C:\WINDOWS\_000048_.tmp.dll
2008-06-26 11:16 32215 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001134.dll
C:\WINDOWS\CDProxyServ.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001507.exe
C:\WINDOWS\inf\_000000_.tmp.dll
2008-04-11 12:07 871 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001133.dll
2008-06-23 11:21 926 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001203.dll
C:\WINDOWS\system32\$sys$caj.dll
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002573.dll
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001506.exe
C:\WINDOWS\system32\$sys$filesystem\oct.sys
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002590.sys
C:\WINDOWS\system32\_000004_.tmp.dll
2007-11-30 05:39 17272 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001129.dll
2007-11-30 05:39 17272 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001204.dll
C:\WINDOWS\system32\_reproxy.dll
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP9\A0001444.dll
2008-06-23 09:57 124928 C:\WINDOWS\system32\advpack.dll
2008-04-22 21:16 124928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001155.dll
2008-04-22 21:16 124928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001223.dll
C:\WINDOWS\system32\AFinding.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000003.exe
2001-08-18 05:00 34816 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001255.exe
C:\WINDOWS\system32\beauty.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002576.exe
C:\WINDOWS\system32\cfexfst.sys
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002577.sys
C:\WINDOWS\system32\comsa32.sys
2001-08-18 05:00 7 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000002.sys
2001-08-18 05:00 11 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP7\A0001254.sys
2008-06-23 09:57 124928 C:\WINDOWS\system32\dllcache\advpack.dll
2008-04-22 21:16 124928 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001187.dll
2008-06-23 09:57 347136 C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-04-22 21:16 347136 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001186.dll
2008-06-23 09:57 214528 C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-04-22 21:16 214528 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001185.dll
2008-06-23 09:57 133120 C:\WINDOWS\system32\dllcache\extmgr.dll
2008-04-22 21:16 133120 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001184.dll
2008-06-23 09:57 63488 C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 21:16 63488 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001183.dll
2008-06-23 02:20 70656 C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 00:39 70656 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001182.exe
2008-06-23 09:57 153088 C:\WINDOWS\system32\dllcache\ieakeng.dll
2008-04-22 21:16 153088 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001181.dll
2008-06-23 09:57 230400 C:\WINDOWS\system32\dllcache\ieaksie.dll
2008-04-22 21:16 230400 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001180.dll
2008-06-20 22:23 161792 C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-19 22:07 161792 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001179.dll
2008-06-23 09:57 383488 C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 21:16 383488 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001178.dll
2008-06-23 09:57 384512 C:\WINDOWS\system32\dllcache\iedkcs32.dll
2008-04-22 21:16 384512 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001177.dll
2008-06-23 09:57 6066176 C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 21:16 6066176 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001176.dll
2008-06-23 09:57 44544 C:\WINDOWS\system32\dllcache\iernonce.dll
2008-04-22 21:16 44544 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001175.dll
2008-06-23 09:57 267776 C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 21:16 267776 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001174.dll
2008-06-23 02:20 13824 C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-22 00:39 13824 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001173.exe
2008-06-23 02:20 625664 C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 00:40 625664 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001172.exe
2008-04-11 11:50 683520 C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 23:15 683520 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001132.dll
2008-06-23 09:57 27648 C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-04-22 21:16 27648 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001170.dll
2008-06-23 09:57 459264 C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 21:16 459264 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001169.dll
2008-06-23 09:57 52224 C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 21:16 52224 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001168.dll
2008-06-24 10:57 3592192 C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-23 22:16 3591680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001167.dll
2008-06-23 09:57 477696 C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-04-22 21:16 478208 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001166.dll
2008-06-23 09:57 193024 C:\WINDOWS\system32\dllcache\msrating.dll
2008-04-22 21:16 193024 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001165.dll
2008-06-23 09:57 671232 C:\WINDOWS\system32\dllcache\mstime.dll
2008-04-22 21:16 671232 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001164.dll
2008-06-23 09:57 102912 C:\WINDOWS\system32\dllcache\occache.dll
2008-04-22 21:16 102912 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001163.dll
2008-06-23 09:57 44544 C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-04-22 21:16 44544 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001162.dll
2008-06-23 09:57 105984 C:\WINDOWS\system32\dllcache\url.dll
2008-04-22 21:16 105984 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001161.dll
2008-06-23 09:57 1159680 C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-22 21:16 1159680 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001160.dll
2008-06-23 09:57 233472 C:\WINDOWS\system32\dllcache\webcheck.dll
2008-04-22 21:16 233472 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001159.dll
2008-06-23 09:57 826368 C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-22 21:16 826368 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP5\A0001158.dll
C:\WINDOWS\system32\downer.exe
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002574.exe
C:\WINDOWS\system32\drivers\$sys$cor.sys
{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002571.sys
C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-30 04:10 10872 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP2\A0000007.sys
C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 20:07 17144 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002607.sys
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 20:07 38472 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP10\A0002613.sys
2008-07-18 01:26 13360 C:\WINDOWS\system32\drivers\sbaphd.sys
2008-07-18 01:26 13360 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001294.sys
2008-07-18 01:26 13360 {8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP8\A0001314.sys
C:\WINDOWS\system32\dwbin.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31, on 2008-08-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Unknown owner - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 5132 bytes
#19
Posted 18 August 2008 - 02:09 PM
Getting there. Next move.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\WINDOWS\_000000_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000048_.tmp.dll
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\beauty.exe
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbin.exe
Driver::
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Unknown owner - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (file missing)
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Lastly
Kaspersky only works if you are using Internet Explorer.
Please do an online scan with Kaspersky WebScanner.
Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes)
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
* Scan Options:
Scan Archives
Scan Mail Bases - Click OK
- Now under select a target to scan:
Select My Computer - The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button: - Save the file to your desktop.
So when you come back please post
- ComboFix report
- Kaspersky scan results
#20
Posted 18 August 2008 - 07:36 PM
#21
Posted 18 August 2008 - 08:39 PM
Thanks for the update.
Please proceed with the instructions in my last post.
We need to cover that ground to ensure those ones aren't left.
The Kaspersky scan will also help us identify what else might be there.
regards
emeraldnzl
#22
Posted 19 August 2008 - 04:08 PM
ComboFix 08-08-18.01 - NORT 2008-08-18 19:51:12.9 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.286 [GMT -7:00]
Running from: C:\Documents and Settings\NORT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NORT\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\_000000_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000048_.tmp.dll
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\beauty.exe
C:\WINDOWS\system32\cfexfst.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\downer.exe
C:\WINDOWS\system32\dwbin.exe
.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 19, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 19, 2008 03:54:19
Records in database: 1108566
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
G:\
Scan statistics:
Files scanned: 74927
Threat name: 3
Infected objects: 2
Suspicious objects: 1
Duration of the scan: 01:57:14
File name / Threat name / Threats count
C:\Documents and Settings\NORT\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\NORT\Local Settings\temp\Av-test.txt Infected: EICAR-Test-File 1
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP3\A0001063.exe Infected: Trojan.Win32.Agent.zaz 1
The selected area was scanned.
#23
Posted 20 August 2008 - 06:59 PM
Much better now.
Vipre keeps trying to install itself when I click on certain icons...and my wastebasket won't empty
I am not sure which version of Vipre you had. Below is a link I found to Sunbelt that has instructions for manual removal of Vipre 3.
http://beta.sunbelt-...opic.php?t=7702
If that doesn't work you could always do a search of your computer for Vipre and delete any associated folders/files you find.
Now
Please right Click Start > Explore and navigate to C:\Documents and Settings\NORT\Local Settings\Application Data\Microsoft\Outlook\archive.pst and delete.
Next
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
That should take care of your waste basket.
Lastly in this post
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
Driver::
CD_Proxy
dvpapi
ioloFileInfoList
ioloSystemService
SBAMSvc
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
So when you come back please post
- ComboFix text
- a new HijackThis log
- and tell me how your computer is running now
#24
Posted 22 August 2008 - 08:39 AM
ComboFix 08-08-21.02 - NORT 2008-08-22 7:26:01.10 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -7:00]
Running from: C:\Documents and Settings\NORT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NORT\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:47, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 5485 bytes
#25
Posted 22 August 2008 - 01:58 PM
Pretty much there now. Just a few bits and pieces.
We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.
@echo off
sc stop $sys$DRMServer
sc stop CD_Proxy
sc stop dvpapi
sc stop ioloFileInfoList
sc stop ioloSystemService
sc delete $sys$DRMServer
sc delete CD_Proxy
sc delete dvpapi
sc delete ioloFileInfoList
sc delete ioloSystemService
exit
Save it to your desktop as File name: Service.cmd
Save as type: All Files
Once done, double click Service.cmd to run it. A command window will open briefly, then close. This is quite normal.
Please post a fresh HijackThis log.
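The helper built the Service.cmd above by hand from the O23 lines in the HijackThis log: every service still registered whose binary is gone ("file missing") is a leftover to remove. The script below is an added example, not code from this thread or from HijackThis; it parses O23 lines (sample lines copied from the logs in this thread), flags the orphaned registrations and emits the same stop-then-delete command list. Note that the Pml Driver line carries no short service name in parentheses, so it is parsed but cannot be fed to sc.

```python
"""Flag orphaned O23 service entries in a HijackThis log and build the
sc stop / sc delete cleanup list that the helper wrote by hand."""
import re

# One O23 line looks like:
#   O23 - Service: <display name> (<service name>) - <owner> - <path> [(file missing)]
# The "(<service name>)" part is optional: e.g. "Pml Driver - HP - ..." has none.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Sample input: O23 lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Unknown owner - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (file missing)
"""


def parse_o23(log_text):
    """Return one dict per O23 line; non-O23 lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "display": m.group("display"),
            "name": m.group("name"),          # None when the log shows no short name
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        })
    return entries


def orphaned_services(entries):
    """Registrations whose binary is gone: the service key lingers after the
    file was removed, which is exactly what the helper cleaned up here."""
    return [e for e in entries if e["file_missing"]]


def cleanup_commands(service_names):
    """Build the Service.cmd body: stop every service first, then delete it,
    in the same layout as the helper's batch file."""
    lines = ["@echo off"]
    lines += [f"sc stop {name}" for name in service_names]
    lines += [f"sc delete {name}" for name in service_names]
    lines.append("exit")
    return lines


if __name__ == "__main__":
    entries = parse_o23(SAMPLE_LOG)
    orphans = orphaned_services(entries)
    for e in orphans:
        print(f"orphaned: {e['display']} ({e['name']}) -> {e['path']}")
    # Only entries that expose a short service name can be handed to sc.
    names = [e["name"] for e in orphans if e["name"]]
    print("\n".join(cleanup_commands(names)))
```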
#26
Posted 22 August 2008 - 04:22 PM
Scan saved at 15:14, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 4954 bytes
#27
Posted 23 August 2008 - 01:17 PM
Congratulations you look clean to me.
You might try the Tech people if your corrupt file persists. Tell them you have been here and have a clearance from malware.
We have a couple of last steps to perform and then you're all set.
Follow these steps to uninstall Combofix and tools used in the removal of malware
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
- Make sure you have an Internet Connection.
- Double-click OTMoveIt2.exe to run it.
- Click on the CleanUp! button
- A list of tool components used in the Cleanup of malware will be downloaded.
- If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
- Click Yes to begin the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Now that you are clean here are some things I think are worth having a look at:
-------------------------------------------------------------------------------------------------------------------
Check your Adobe Acrobat Reader; it may be out of date. Older versions are vulnerable to attack.
Please go to the link below to update.
http://www.adobe.com.../readstep2.html
---------------------------------------------------------------------------------------------------------------------
Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program which works well with XP:
--------------------------------------------------------------------------------------------------------------------
A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.
I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.
To bolster your security go to Secunia.com to ensure essential programs are up to date.
---------------------------------------------------------------------------------------------------------------------
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this is an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.
Firefox may be downloaded from Here
-----------------------------------------------------------------------------------------------------------------------
To help protect your computer in the future here are some free programs you can look at:
- SUPERAntiSpyware Free for Home Users to detect and remove spyware.
- IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
If your Microsoft Update is not working automatically, keep your operating system up to date by visiting Microsoft Windows Update weekly, and be aware of what emails you open and websites you visit.
To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
Have a safe and happy computing day!
#28
Posted 26 August 2008 - 03:25 PM
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.