
Unable to connect to internet after AVG removed trojans [RESOLVED]



#1 pearce15 (Member, 65 posts)
After booting my PC on 14 Oct, I got many prompts from AVG warning me of new Trojans found that required deletion. I did not take down the exact name of the Trojan, and I was desperately trying to close the boxes that kept popping up on my screen. There were no fewer than 10 boxes altogether, and with them came a warning that doing so might alter certain registry entries in my system, I think. After clicking OK the last time, I tried to browse the internet using Firefox and Internet Explorer. Neither could move beyond my bookmarked pages. There was a browsing problem, but my connection was still up and I could still access my mail through Outlook and use online messaging.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:28 PM, on 10/17/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\cryptainersrv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Misc installers\Protection tools\Eraser\Eraser.exe
E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\PROGRA~1\AVG\AVG8\avgscanx.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....y...=us&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelliType] "E:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] E:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] E:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe E:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "E:\DOCUME~1\Chris\LOCALS~1\Temp\IXP002.TMP\"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Misc installers\Protection tools\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199678078437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - E:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 9206 bytes


AC3Filter (remove only)
Ad-Aware 2007
Adobe Acrobat 6.0 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Fireworks CS3
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Center 2.1
Adobe Help Viewer CS3
Adobe Illustrator CS2
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop Elements 5.0
Adobe Photoshop Lightroom
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
ArcSoft TotalMedia Backup
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
Avanquest update
AVG Free 8.0
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon i9950
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.1
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities Easy-PrintToolBox
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
CD to MP3 Ripper
CD-LabelPrint
Comic Life
Cryptainer LE
eMusic - 50 Free MP3 offer
Eraser
Eraser
ffdshow (remove only)
floAt's Mobile Agent 2
FLV Player 1.3.3
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Instant Wireless USB Adapter
Internet Explorer Q832894
iTunes
Java™ 6 Update 3
LimeWire 4.16.6
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8 Plugin
Magic ISO Maker v5.4 (build 0239)
Memorex Button Manager
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
Nero OEM
NeroVision Express
Panda ActiveScan
PDF Settings
PhotoScape
Plaxo Toolbar for Windows
Portrait Professional 6.5
PowerDVD
QuickTime
Realtek AC'97 Audio
Remove Hidden Data Tool
Replay Converter 2.20
Replay Media Catcher
Replay Media Catcher
RescuePRO 3.3
Shockwave
SnagIt 7
Sony Ericsson Media Manager 1.0
Sony Ericsson PC Suite
Sony Ericsson PC Suite 3.209.00
Soundslides
Spybot - Search & Destroy
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
SWF & FLV Toolbox 3.5 (build 3.5.16.242)
U.R.Celeb 2.06
Update Service
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinPatrol 2007
WinRAR archiver
YouSendIt Application Plug-in SDK
YouSendIt Plug-in for Photoshop
ZoneAlarm
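An added example, not part of HijackThis or of this thread: a small Python triage pass over the O4 (autorun) and O10 (Winsock LSP) lines of a HijackThis log like the one above. It does not decide what is malware; it surfaces the properties a helper checks by eye when reading such a log: a bare file name with no path (located through the CreateProcess search order, so a same-named file earlier in that order would run instead), an unquoted path containing spaces (CreateProcess tries E:\Program.exe, then E:\Program Files\BillP.exe, and so on before the intended file), anything under a Temp folder, host binaries such as rundll32.exe whose real payload sits in the arguments, and an LSP DLL HijackThis could not attribute to a known product. The sample lines are copied from the log above; the flag names, the Finding structure and the rules are this example's own assumptions. Every entry flagged in this sample belongs to software that appears elsewhere in the log (Microsoft mouse software, Realtek SoundMan, WinPatrol, Eraser), so the flags are hygiene notes for a reviewer, not verdicts.

```python
"""Triage of HijackThis O4 (autorun) and O10 (Winsock LSP) lines (added example;
not part of HijackThis or of this thread). The sample lines are copied from the
log posted above; the flag names and rules are this example's own."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4/O10 lines from the posted HijackThis log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [IntelliType] "E:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe E:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "E:\DOCUME~1\Chris\LOCALS~1\Temp\IXP002.TMP\"
O4 - HKCU\..\Run: [Eraser] C:\Misc installers\Protection tools\Eraser\Eraser.exe -hide
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (.*)$')
# Windows binaries that execute whatever they are handed; the payload is in the arguments.
HOST_PROCESSES = {'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'}


@dataclass
class Finding:
    kind: str                 # 'O4' or 'O10'
    name: str                 # autorun value name, or 'Winsock LSP'
    location: str             # e.g. 'HKLM\..\Run'
    target: str               # executable (O4) or DLL (O10)
    command: str              # full command line as logged
    flags: set[str] = field(default_factory=set)


def executable_of(cmd: str) -> tuple[str, bool]:
    """Return (executable, was_quoted), mimicking how CreateProcess splits the command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    # Unquoted: CreateProcess tries each space-delimited prefix in turn; we return the
    # first prefix that names an .exe, i.e. what runs if no shorter prefix exists on disk.
    pieces, acc = cmd.split(' '), []
    for p in pieces:
        acc.append(p)
        if p.lower().endswith('.exe'):
            return ' '.join(acc), False
    return pieces[0], False


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe, quoted = executable_of(cmd)
            f = Finding('O4', name, f'{hive}\\..\\{key}', exe, cmd)
            if '\\' not in exe:
                # Bare file name: found via the CreateProcess search order, so a same-named
                # file earlier in that order (e.g. the Windows directory) would run instead.
                f.flags.add('relative-path')
            elif not quoted and ' ' in exe:
                # E:\Program Files\X\y.exe unquoted: E:\Program.exe would be tried first.
                f.flags.add('unquoted-path-with-spaces')
            if re.search(r'\\temp\\|\.tmp\b', cmd, re.IGNORECASE):
                f.flags.add('temp-location')
            if exe.lower().rsplit('\\', 1)[-1] in HOST_PROCESSES:
                f.flags.add('host-process')
            findings.append(f)
            continue
        m = O10_RE.match(line)
        if m:  # HijackThis could not attribute this LSP DLL to a known product
            findings.append(Finding('O10', 'Winsock LSP', 'O10', m.group(1), line, {'unknown-lsp'}))
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_HJT
    for f in triage(text):
        mark = ' '.join(sorted(f.flags)) or 'ok'
        print(f'{f.kind:<4}{f.name:<20}{mark:<45}{f.target}')
```

Run it with a saved hijackthis.log as the first argument, or with no argument to see the sample above. A flagged line is a reason to look at the file on disk (path, signer, timestamp), which is what the ComboFix output later in this thread supplies.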

#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello pearce15,

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 pearce15 (Topic Starter, Member, 65 posts)
Hi emeraldnzl,

I followed the steps as advised. Although it detected that I didn't have the Windows Recovery Console installed, it wasn't able to download the files, after which it continued with its other processes.

Here's the log:

ComboFix 08-10-19.03 - Chris 2008-10-20 10:37:26.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.634 [GMT 8:00]
Running from: E:\Documents and Settings\Chris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://etwnfisdkms.info
.
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2008-10-06 11:48 . 2008-10-06 11:48 <DIR> d-------- E:\Documents and Settings\Chris\Application Data\EBookSys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 01:22 17,169,985 ------w E:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-30 06:47 97,928 ----a-w E:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-29 15:50 --------- d-----w E:\Program Files\RescuePRO
2008-08-29 15:49 286,720 ----a-w E:\WINDOWS\iun507.exe
2008-08-19 02:50 189,016 ----a-w E:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2008-05-04 15:50 4 --sh--r E:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-10-13 18:43 18,040,176 ----a-w E:\Program Files\Install_Messenger_nous.exe
2003-11-04 18:54 5,406,945 ------w E:\Program Files\Setupligh.exe
2005-06-26 22:32 616,448 --sha-r E:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r E:\WINDOWS\system32\cygz.dll
2005-07-14 19:31 27,648 --sha-w E:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"PlaxoUpdate"="E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe" [2007-12-20 283207]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-05 1576176]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]
"Eraser"="C:\Misc installers\Protection tools\Eraser\Eraser.exe" [2007-12-23 916240]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="E:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ATIPTA"="E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-01 335872]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Easy-PrintToolBox"="E:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ZoneAlarm Client"="E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]
"WinPatrol"="E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-25 316728]
"AVG8_TRAY"="E:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-02 1234712]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 E:\WINDOWS\SOUNDMAN.EXE]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "E:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Misc installers\\Limewire\\LimeWire.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"E:\\Program Files\\MSN Messenger\\MSNMSGR.EXE"=

R1 AvgLdx86;AVG AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG8 E-mail Scanner;E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;E:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 ssoftnt4;ssoftnt4;E:\WINDOWS\system32\Drivers\ssoftnt4.sys [2007-07-13 100728]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;E:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 72576]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};E:\WINDOWS\TEMP\86.tmp [ ]
S3 ggflt;SEMC USB Flash Driver Filter;E:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-27 13352]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\0g2wi5w8.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.facebook.com/index.php?
FF -: plugin - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
FF -: plugin - E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - E:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 10:39:50
Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\E:\WINDOWS\TEMP\86.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-10-20 10:40:41
ComboFix-quarantined-files.txt 2008-10-20 02:40:40

Pre-Run: 3,645,276,160 bytes free
Post-Run: 4,344,528,896 bytes free

122

#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello pearce15,

Looks like that ComboFix log got cut off. Please post the rest.

Thank you.

emeraldnzl

#5 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello pearce15,

Disregard that last post. My mistake. Usually the log finishes with

-- E O F --

For some reason it didn't this time, everything else seems to be there though. :)

In any event, moving on.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::
File::
E:\WINDOWS\TEMP\86.tmp
Driver::
{DEF85C80-216A-43ab-AF70-1665EDBE2780}


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

You have had Norton Antivirus on your computer at some stage. It has not been properly removed.

Go here Norton Removal Tool to remove leftover bits of the Norton AntiVirus Program. Choose the link for the version you had and then download and run the removal program.

Finally in this post

Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE) Java 1.6.0_7.

If your version of Java does not comply, please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Now go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • ComboFix text
  • Kaspersky scan results
  • and a new HijackThis log

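An added example (mine, not ComboFix's or the forum's own tooling) tying the ComboFix log in post #3 to the fix script in post #5. It parses the parts of the log a helper reads first: the BITS "Possible infected sites" block, Security Center keys with DisableMonitoring set, the firewall AuthorizedApplications list, and the driver/service lines. A service is flagged when its name is a bare GUID, its image lives under \TEMP\, its extension is neither .sys nor .exe, or ComboFix recorded no file date/size for it (the trailing "[ ]"); the posted log's {DEF85C80-...} entry trips all four. From the flagged services it drafts a CFScript in the same KillAll::/File::/Driver:: form the moderator uses above. The draft is for a person to check against the log, not to run unread. Sample lines are copied from the log above; the flag names, the Report and Service structures and build_cfscript are this example's own assumptions, and "hxxp" is ComboFix's own neutering of "http", kept as-is.

```python
"""Triage of a ComboFix log plus a draft CFScript (added example; not ComboFix's
or the forum's own tooling). Sample lines are copied from the log posted above;
flag names, Report/Service and build_cfscript are this example's own."""
from __future__ import annotations

import ntpath
import re
import sys
from dataclasses import dataclass, field

# Constructed sample: the parts of the posted ComboFix log a helper reads first.
SAMPLE_COMBOFIX = r"""
----- BITS: Possible infected sites -----

hxxp://etwnfisdkms.info
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Misc installers\\Limewire\\LimeWire.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 ssoftnt4;ssoftnt4;E:\WINDOWS\system32\Drivers\ssoftnt4.sys [2007-07-13 100728]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};E:\WINDOWS\TEMP\86.tmp [ ]
S3 ggflt;SEMC USB Flash Driver Filter;E:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-27 13352]
"""

SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
EXPECTED_EXT = {'.sys', '.exe'}   # what a driver/service image normally is


@dataclass
class Service:
    start: str    # R = running / S = stopped, digit = start type
    name: str
    display: str
    path: str
    info: str     # contents of the trailing [date size]; blank when no file was found
    flags: set[str] = field(default_factory=set)


@dataclass
class Report:
    bits_sites: list[str] = field(default_factory=list)
    monitoring_disabled: list[str] = field(default_factory=list)
    firewall_exceptions: list[str] = field(default_factory=list)
    services: list[Service] = field(default_factory=list)


def classify(svc: Service) -> None:
    """Attach hygiene flags; several together is what makes an entry suspicious."""
    if GUID_RE.match(svc.name):
        svc.flags.add('guid-name')               # service named by a bare GUID
    if re.search(r'\\temp\\', svc.path, re.IGNORECASE):
        svc.flags.add('temp-path')               # image loaded from a Temp folder
    if ntpath.splitext(svc.path)[1].lower() not in EXPECTED_EXT:
        svc.flags.add('non-standard-extension')  # e.g. a .tmp registered as a driver
    if not svc.info.strip():
        svc.flags.add('no-file-metadata')        # ComboFix printed "[ ]": no file seen


def triage_combofix(text: str) -> Report:
    rep, in_bits, key = Report(), False, ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('----- BITS'):        # BITS job targets ComboFix considers suspect
            in_bits = True
            continue
        if in_bits:
            if line == '.':
                in_bits = False
            elif line.lower().startswith(('hxxp', 'http')):
                rep.bits_sites.append(line)      # kept as hxxp: ComboFix neuters the scheme
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]                     # REGEDIT4-style key header
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc = Service(*m.groups())
            classify(svc)
            rep.services.append(svc)
        elif 'security center\\monitoring' in key.lower() and \
                re.match(r'^"DisableMonitoring"=dword:0*1$', line):
            rep.monitoring_disabled.append(key)  # Security Center told to ignore that product
        elif key.lower().endswith('authorizedapplications\\list') and line.endswith('"='):
            rep.firewall_exceptions.append(line[1:-2].replace('\\\\', '\\'))
    return rep


def build_cfscript(rep: Report) -> str:
    """Draft File::/Driver:: sections for services flagged as GUID-named or Temp-hosted."""
    targets = [s for s in rep.services if {'guid-name', 'temp-path'} & s.flags]
    if not targets:
        return ''
    lines = ['KillAll::', 'File::'] + [s.path for s in targets] \
        + ['Driver::'] + [s.name for s in targets]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_COMBOFIX
    rep = triage_combofix(text)
    print('BITS sites:', rep.bits_sites)
    print('Monitoring disabled under:', rep.monitoring_disabled)
    print('Firewall exceptions:', rep.firewall_exceptions)
    for s in rep.services:
        if s.flags:
            print(f'{s.start} {s.name} -> {s.path}: {sorted(s.flags)}')
    print('--- draft CFScript.txt ---')
    print(build_cfscript(rep), end='')
```

On the sample, the draft comes out identical to the script the moderator wrote by hand in post #5 (the .tmp in E:\WINDOWS\TEMP under File::, the GUID service under Driver::). The other findings are context rather than removal targets: the firewall exceptions name the P2P clients that are the likely way the .tmp arrived, and the DisableMonitoring values explain why Security Center was not complaining about the third-party products.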

#6 pearce15 (Topic Starter, Member, 65 posts)
Hi, I only have the ComboFix text and HijackThis log in this reply. As I am unable to browse the web using the infected PC, I can't conduct a Kaspersky scan.

ComboFix 08-10-19.03 - Chris 2008-10-20 18:42:59.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.640 [GMT 8:00]
Running from: E:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
E:\WINDOWS\TEMP\86.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{DEF85C80-216A-43AB-AF70-1665EDBE2780}
-------\Service_{DEF85C80-216A-43ab-AF70-1665EDBE2780}


((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2008-10-06 11:48 . 2008-10-06 11:48 <DIR> d-------- E:\Documents and Settings\Chris\Application Data\EBookSys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 10:46 20,490,904 ----a-w E:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-30 06:47 97,928 ----a-w E:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-29 15:50 --------- d-----w E:\Program Files\RescuePRO
2008-08-29 15:49 286,720 ----a-w E:\WINDOWS\iun507.exe
2008-08-19 02:50 189,016 ----a-w E:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2008-05-04 15:50 4 --sh--r E:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-10-13 18:43 18,040,176 ----a-w E:\Program Files\Install_Messenger_nous.exe
2003-11-04 18:54 5,406,945 ------w E:\Program Files\Setupligh.exe
2005-06-26 22:32 616,448 --sha-r E:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r E:\WINDOWS\system32\cygz.dll
2005-07-14 19:31 27,648 --sha-w E:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-20_10.40.07.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 00:00:00 163,328 ----a-w E:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w E:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"PlaxoUpdate"="E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe" [2007-12-20 283207]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-05 1576176]
"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]
"Eraser"="C:\Misc installers\Protection tools\Eraser\Eraser.exe" [2007-12-23 916240]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="E:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"ATIPTA"="E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-01 335872]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"Easy-PrintToolBox"="E:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"ZoneAlarm Client"="E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]
"WinPatrol"="E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-25 316728]
"AVG8_TRAY"="E:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-02 1234712]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 E:\WINDOWS\SOUNDMAN.EXE]
"POINTER"="point32.exe" [BU]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "E:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Misc installers\\Limewire\\LimeWire.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"E:\\Program Files\\MSN Messenger\\MSNMSGR.EXE"=

R1 AvgLdx86;AVG AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG8 E-mail Scanner;E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;E:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 ssoftnt4;ssoftnt4;E:\WINDOWS\system32\Drivers\ssoftnt4.sys [2007-07-13 100728]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;E:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-20 72576]
S3 ggflt;SEMC USB Flash Driver Filter;E:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-27 13352]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 18:46:52
Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
E:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
E:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
E:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
E:\PROGRAM FILES\ADOBE\PHOTOSHOP ELEMENTS 5.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
E:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
E:\PROGRAM FILES\AVG\AVG8\AVGWDSVC.EXE
E:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
E:\WINDOWS\SYSTEM32\CRYPTAINERSRV.EXE
E:\WINDOWS\SYSTEM32\WDFMGR.EXE
E:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
E:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
E:\PROGRAM FILES\AVG\AVG8\AVGRSX.EXE
E:\PROGRAM FILES\AVG\AVG8\AVGRSX.EXE
.
**************************************************************************
.
Completion time: 2008-10-20 18:49:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-20 10:49:26
ComboFix2.txt 2008-10-20 02:40:44

Pre-Run: 4,277,157,888 bytes free
Post-Run: 4,329,062,400 bytes free

137

--------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:20 PM, on 10/20/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\cryptainersrv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Misc installers\Protection tools\Eraser\Eraser.exe
E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\explorer.exe
E:\Program Files\AVG\AVG8\avgrsx.exe
E:\Program Files\AVG\AVG8\avgrsx.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Outlook Express\msimn.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....y...=us&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelliType] "E:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] E:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Misc installers\Protection tools\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199678078437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - E:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 9038 bytes
  • 0

#7
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello pearce15,

As I am unable to browse the web using the infected pc, I can't conduct a Kaspersky scan.


No problem, we will move on then. :)

Please read this post completely; it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line.

It is important you carry out instructions exactly in the order they appear.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Next

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Lastly in this post

  • Download random's system information tool (RSIT) by random/random from here.
  • It is important that it is saved to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
So when you return please post
  • SDFix report
  • OTMoveIt3 log
  • the two RSIT logs - log.txt and info.txt
Note: It is likely the reports will not fit on one post. Just use as many posts as you need, that's fine.

  • 0
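The helper reads each new HijackThis log against the previous one to see what the cleanup changed and which entries still need a closer look. As an added example that is not part of this thread, of HijackThis or of any tool named above, here is a small Python script that parses HijackThis findings and the "Running processes" block, diffs two logs, and flags the sections a reviewer checks first; the sample inputs are excerpts of the 20 Oct and 21 Oct logs posted in this thread, and the flagging heuristic (O10/O20 plus autostarts from temp folders) is my own, not something HijackThis reports.

```python
"""Parse and diff HijackThis v2.0.x logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HijackThis finding is "<section> - <body>", where section is R0-R3,
# F0-F3, N1-N4 or O1-O24 (only a subset appears in the logs in this thread).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Sections that hook every process or the network stack, so one bad entry
# there breaks or intercepts all browsing. This list is a review heuristic
# chosen for this example, not a classification HijackThis itself makes.
HIGH_IMPACT = {
    "O10": "Winsock LSP (sits in the TCP/IP path of every application)",
    "O20": "AppInit_DLLs (loaded into every GUI process)",
}
TEMP_HINTS = ("\\temp\\",)  # autostarts launched from a temp folder deserve a look


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def key(self) -> str:
        """Identity used for diffing: section plus body with whitespace collapsed."""
        return f"{self.section} - {' '.join(self.body.split())}"


def parse_entries(log_text: str) -> list[Entry]:
    """Return the Rn/Fn/Nn/On findings in the order they appear in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"].strip()))
    return entries


def running_processes(log_text: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, capturing = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            capturing = True
            continue
        if capturing:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def diff_logs(before: str, after: str) -> dict:
    """Compare two logs of the same machine: findings and processes gone or new."""
    b_entries = {e.key: e for e in parse_entries(before)}
    a_entries = {e.key: e for e in parse_entries(after)}
    b_procs = {p.lower() for p in running_processes(before)}
    a_procs = {p.lower() for p in running_processes(after)}
    return {
        "removed": [b_entries[k] for k in b_entries if k not in a_entries],
        "added": [a_entries[k] for k in a_entries if k not in b_entries],
        "procs_gone": sorted(b_procs - a_procs),
        "procs_new": sorted(a_procs - b_procs),
    }


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Apply the review heuristic: high-impact sections and autostarts from temp folders."""
    flagged = []
    for e in entries:
        if e.section in HIGH_IMPACT:
            flagged.append((e, HIGH_IMPACT[e.section]))
        elif e.section == "O4" and any(h in e.body.lower() for h in TEMP_HINTS):
            flagged.append((e, "autostart from a temp directory"))
    return flagged


# Excerpts of the two HijackThis logs posted in this thread (20 and 21 Oct 2008).
LOG_20_OCT = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
"""

LOG_21_OCT = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\Documents and Settings\Chris\Desktop\RSIT.exe
E:\Program Files\Trend Micro\HijackThis\Chris.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
"""

if __name__ == "__main__":
    d = diff_logs(LOG_20_OCT, LOG_21_OCT)
    for e in d["removed"]:
        print("gone :", e.key)
    for e in d["added"]:
        print("new  :", e.key)
    for p in d["procs_gone"]:
        print("process gone:", p)
    for p in d["procs_new"]:
        print("process new :", p)
    for e, why in flag_entries(parse_entries(LOG_21_OCT)):
        print("check:", e.key, "->", why)
```

Run against the two excerpts it reports the two Default_* R1 lines as gone after the fix and still flags the O10 and O20 entries for review.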

#8
pearce15

    Member

  • Topic Starter
  • Member
  • 65 posts
Hi there, here are my logs...


SDFix: Version 1.236
Run by Chris on Tue 10/21/2008 at 11:28 AM


Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

E:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
E:\WINDOWS\Temp\ed47fa.$ - Deleted
E:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 11:34:52
Windows 5.1.2600 Service Pack 2, v.2096 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Misc installers\\Limewire\\LimeWire.exe"="C:\\Misc installers\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"E:\\Program Files\\uTorrent\\uTorrent.exe"="E:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"E:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"="E:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.0"
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"="E:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"E:\\Program Files\\AVG\\AVG8\\avgemc.exe"="E:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"E:\\Program Files\\MSN Messenger\\MSNMSGR.EXE"="E:\\Program Files\\MSN Messenger\\MSNMSGR.EXE:*:Disabled:Messenger"
"E:\\Documents and Settings\\Chris\\Local Settings\\temp\\7zS3.tmp\\SymNRT.exe"="E:\\Documents and Settings\\Chris\\Local Settings\\temp\\7zS3.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 27 Jun 2005 616,448 A.SHR --- "E:\WINDOWS\system32\cygwin1.dll"
Wed 22 Jun 2005 45,568 A.SHR --- "E:\WINDOWS\system32\cygz.dll"
Fri 15 Jul 2005 27,648 A.SH. --- "E:\WINDOWS\system32\AVSredirect.dll"
Sat 26 Jan 2008 145,920 ..SHR --- "E:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Tue 21 Oct 2008 247,022 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\74a19a19cc31989be4bb0df6ac36d839\BIT34.tmp"
Tue 21 Oct 2008 102,501 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\f1717a50ad70787e0b2e37537d202992\BITD.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\BITE.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\adc42e4e6905251cac80b18a8dccd42a\BITF.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT10.tmp"
Mon 20 Oct 2008 787,256 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\6b5f9b6e24a379bdb34ad3589556de3e\BIT19.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ca6c24ab62fe8433c5d63bb11a2e5a2c\BIT1E.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\b79f0480d592be3a8c6db381ffc0c693\BIT1F.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\d378d94379aa314a2f8a03df7faef1bc\BIT20.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\BIT21.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\50d0c9ff929a7477233edd0771ffdb01\BIT22.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\e7d26e5776f9930c6ad9dff351940707\BIT23.tmp"
Mon 20 Oct 2008 498,032 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\30176d767e46d7fcf2d00c8f50c9758e\BIT25.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\BIT26.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BIT27.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\6f0fd10fc234123bcdf54ebca4b84cbd\BIT28.tmp"
Mon 20 Oct 2008 608,056 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\BIT6.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\42df613d6760e7a0359ba7b514e72ced\BIT32.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BIT35.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT39.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT4A.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT43.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\a4a9ccd1806461c53ce89bdd6f4591bf\BIT3F.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\e3c3121982c8a4d0c1605cfbcb9bb7c8\BIT47.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\582374c56f566bb2a83a59d0c2cd7d87\BIT37.tmp"
Sat 6 Aug 2005 490,736 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT4E.tmp"
Wed 18 Jun 2008 605,224 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\0044c05f784f01d2208480e0d7e7d170\BIT4D.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\55b5c397ff94db07e8c1c336efaf0a7b\BIT48.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\bfdbfe4c90f141b4fcdce2ba0d6b7ac3\BIT38.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\109fef93c24da62cf8f31668d6ba9060\BIT42.tmp"
Wed 23 Jul 2008 246,663 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\c24a38d765ba62d5f7156bc4440273fb\BIT4C.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ede23652b16ac5041616fd3bd72c6048\BIT45.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\4cc8107fde988bba1481bb736cc96c29\BIT41.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT46.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT3A.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\8a37f70e90784c333642cb76a8881df8\BIT49.tmp"
Fri 23 May 2008 528,424 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ed896a1895e7ec4d8633ba04cd3f1df6\BIT4B.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT40.tmp"
Mon 20 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\1d8773e3b9bba05290b442f31de09a2e\download\BIT16.tmp"
Sat 3 Jun 2006 454,148 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\download\BIT52.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\ed6cff8bccff865b52b93292e144ada6\download\BIT63.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\download\BIT65.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\download\BIT67.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\5652d934eec8bfa4dc68c4e256a23d5e\download\BIT36.tmp"
Wed 23 Jul 2008 763,414 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\b5a0d96b7c12dd2c0335206a1ae160ae\download\BIT4F.tmp"
Sat 29 Jul 2006 155,863 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\1230492412c0d92c55a03b0de671f167\download\BIT61.tmp"
Sat 6 Aug 2005 1,429,022 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\00766461b1b00d8469999536d8f8d6e4\download\BIT62.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\download\BIT64.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\download\BIT66.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\d037d9bbbbdf880e477c3840b38c3180\download\BIT44.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT68.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\71346ae154833814462aa3a4477d3137\download\BIT69.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BIT6A.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\download\BIT6B.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\download\BIT6C.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\download\BIT6D.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\download\BIT6E.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\c87932aedce288373d0b6a6c23f00c8a\download\BIT6F.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\download\BIT70.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\8205df9ffac774969e61b38f516f1b94\download\BIT71.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\download\BIT72.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\29f79ad83880337acafe2a37966d9d29\download\BIT73.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT74.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\download\BIT75.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\download\BIT7A.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\0091ab299e899a5920ad91739ad99c67\download\BIT7B.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\download\BIT7C.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\download\BIT7D.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\download\BIT7E.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\download\BIT7F.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\download\BIT80.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\download\BIT81.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\86c1313b3b7233a513215d577f5db5c4\download\BIT82.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\d05e90bdbe498b084a93603bc30f3c3c\download\BIT83.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\download\BIT84.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\c1b0851ac9312d2f7e1ab716c11967b5\download\BIT85.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\0a120212db9f8797932f46def01672fc\download\BIT86.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\download\BIT87.tmp"
Tue 21 Oct 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\588786e399909bbe558853aada5a75c8\download\BIT88.tmp"

Finished!


OTMoveIt3.log

  • 0

#9
pearce15

    Member

  • Topic Starter
  • Member
  • 65 posts
RSITlog.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by Chris at 2008-10-21 11:49:33
Microsoft Windows XP Professional Service Pack 2, v.2096
System drive E: has 4 GB (19%) free of 19 GB
Total RAM: 1023 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:46 AM, on 10/21/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\cryptainersrv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Misc installers\Protection tools\Eraser\Eraser.exe
E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Chris\Desktop\RSIT.exe
E:\Program Files\Trend Micro\HijackThis\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....y...=us&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelliType] "E:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] E:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Misc installers\Protection tools\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199678078437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - E:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8887 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HelperObject Class - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-03-09 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - E:\Program Files\AVG\AVG8\avgssie.dll [2008-08-30 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - E:\PROGRA~1\SPYBOT~1\SDHelper.dll [2007-08-31 1122128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-04 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-03-09 131072]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - E:\WINDOWS\System32\msdxm.ocx [2004-03-12 843802]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-04 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"=E:\Program Files\Microsoft Hardware\Keyboard\type32.exe [2002-03-22 94208]
"SoundMan"=E:\WINDOWS\SOUNDMAN.EXE [2003-08-15 57344]
"ATIPTA"=E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2003-11-01 335872]
"NeroFilterCheck"=E:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"Easy-PrintToolBox"=E:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600]
"SunJavaUpdateSched"=E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
"ZoneAlarm Client"=E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2007-11-14 919016]
"WinPatrol"=E:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-01-25 316728]
"AVG8_TRAY"=E:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-10-02 1234712]
"QuickTime Task"=E:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]
"POINTER"=point32.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=E:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"PlaxoUpdate"=E:\Program Files\Plaxo\3.7.0.49\PlaxoHelper_en.exe [2007-12-20 283207]
"SUPERAntiSpyware"=E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-09-05 1576176]
"SpybotSD TeaTimer"=E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2007-08-31 1460560]
"Eraser"=C:\Misc installers\Protection tools\Eraser\Eraser.exe [2007-12-23 916240]
"Sony Ericsson PC Suite"=E:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2008-02-20 356352]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE
Acrobat Assistant.lnk - E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
E:\WINDOWS\system32\Ati2evxx.dll [2003-10-28 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ip6fw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ipnat]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Misc installers\Limewire\LimeWire.exe"="C:\Misc installers\Limewire\LimeWire.exe:*:Enabled:LimeWire"
"E:\Program Files\uTorrent\uTorrent.exe"="E:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"E:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe"="E:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.0"
"E:\Program Files\AVG\AVG8\avgupd.exe"="E:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"E:\Program Files\AVG\AVG8\avgemc.exe"="E:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"E:\Program Files\MSN Messenger\MSNMSGR.EXE"="E:\Program Files\MSN Messenger\MSNMSGR.EXE:*:Disabled:Messenger"
"E:\Documents and Settings\Chris\Local Settings\temp\7zS3.tmp\SymNRT.exe"="E:\Documents and Settings\Chris\Local Settings\temp\7zS3.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - open - "E:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-10-21 11:49:33 ----D---- E:\rsit
2008-10-21 11:46:41 ----D---- E:\WINDOWS\LastGood
2008-10-21 11:38:58 ----D---- E:\_OTMoveIt
2008-10-21 11:25:29 ----D---- E:\WINDOWS\ERUNT
2008-10-21 11:14:58 ----D---- E:\SDFix
2008-10-21 09:43:44 ----D---- E:\WINDOWS\system32\PreInstall
2008-10-21 09:43:42 ----HD---- E:\WINDOWS\$NtUninstallKB898461$
2008-10-20 18:52:01 ----D---- E:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-10-20 10:35:39 ----A---- E:\WINDOWS\zip.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\VFIND.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\SWXCACLS.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\SWSC.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\SWREG.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\sed.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\NIRCMD.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\grep.exe
2008-10-20 10:35:39 ----A---- E:\WINDOWS\fdsv.exe
2008-10-20 10:34:31 ----D---- E:\Qoobox
2008-10-16 13:11:26 ----A---- E:\WINDOWS\resetlog.txt
2008-10-06 11:48:17 ----D---- E:\Documents and Settings\Chris\Application Data\EBookSys

======List of files/folders modified in the last 1 months======

2008-10-21 11:43:02 ----A---- E:\WINDOWS\SchedLgU.Txt
2008-10-21 11:27:22 ----A---- E:\WINDOWS\ntbtlog.txt
2008-10-20 18:46:36 ----A---- E:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; E:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-30 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; E:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-04 26824]
R1 intelppm;Intel Processor Driver; E:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-03-12 33792]
R1 SASDIFSV;SASDIFSV; \??\E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\E:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 vsdatant;vsdatant; E:\WINDOWS\System32\vsdatant.sys [2007-11-14 394952]
R2 AvgTdiX;AVG8 Network Redirector; E:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-04 76040]
R2 ssoftnt4;ssoftnt4; \??\E:\WINDOWS\system32\Drivers\ssoftnt4.sys []
R3 ALCXSENS;Service for WDM 3D Audio Driver; E:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-08-14 404736]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); E:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-08-21 462940]
R3 ati2mtag;ati2mtag; E:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2003-10-28 620032]
R3 GEARAspiWDM;GEARAspiWDM; E:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 hidusb;Microsoft HID Class Driver; E:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-09-20 9600]
R3 IPFilter;Microsoft IntelliPoint Features driver; E:\WINDOWS\System32\DRIVERS\IPFilter.sys [2002-04-12 11136]
R3 mouhid;Mouse HID Driver; E:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; E:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-03-11 20992]
R3 SASENUM;SASENUM; \??\E:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-03-12 26624]
R3 usbhub;USB2 Enabled Hub; E:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-03-12 57600]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver; E:\WINDOWS\System32\DRIVERS\netusbxp.sys [2002-02-20 72576]
R3 USBSTOR;USB Mass Storage Driver; E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-03-12 26624]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; E:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-03-12 20480]
S1 KLIF;KLIF; E:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
S3 catchme;catchme; \??\E:\DOCUME~1\Chris\LOCALS~1\Temp\catchme.sys []
S3 GAGPDrv;GAGPDrv; E:\WINDOWS\system32\drivers\GAGPDrv.sys []
S3 ggflt;SEMC USB Flash Driver Filter; E:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-27 13352]
S3 ggsemc;SEMC USB Flash Driver; E:\WINDOWS\system32\DRIVERS\ggsemc.sys [2008-02-27 20520]
S3 gmer;gmer; E:\WINDOWS\System32\DRIVERS\gmer.sys [2008-01-07 70001]
S3 GMSIPCI;GMSIPCI; \??\H:\INSTALL\GMSIPCI.SYS []
S3 GVCplDrv;GVCplDrv; E:\WINDOWS\system32\drivers\GVCplDrv.sys [2003-09-30 22880]
S3 k750bus;Sony Ericsson 750 driver (WDM); E:\WINDOWS\system32\DRIVERS\k750bus.sys [2005-02-11 55216]
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter; E:\WINDOWS\system32\DRIVERS\k750mdfl.sys [2005-02-11 6576]
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers; E:\WINDOWS\system32\DRIVERS\k750mdm.sys [2005-02-11 89872]
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers; E:\WINDOWS\system32\DRIVERS\k750mgmt.sys [2005-02-11 81728]
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers; E:\WINDOWS\system32\DRIVERS\k750obex.sys [2005-02-11 79488]
S3 s117bus;Sony Ericsson Device 117 driver (WDM); E:\WINDOWS\system32\DRIVERS\s117bus.sys [2007-06-25 82984]
S3 s117mdfl;Sony Ericsson Device 117 USB WMC Modem Filter; E:\WINDOWS\system32\DRIVERS\s117mdfl.sys [2007-06-25 14888]
S3 s117mdm;Sony Ericsson Device 117 USB WMC Modem Driver; E:\WINDOWS\system32\DRIVERS\s117mdm.sys [2007-06-25 108456]
S3 s117mgmt;Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM); E:\WINDOWS\system32\DRIVERS\s117mgmt.sys [2007-06-25 100264]
S3 s117nd5;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS); E:\WINDOWS\system32\DRIVERS\s117nd5.sys [2007-06-25 22952]
S3 s117obex;Sony Ericsson Device 117 USB WMC OBEX Interface; E:\WINDOWS\system32\DRIVERS\s117obex.sys [2007-06-25 98344]
S3 s117unic;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM); E:\WINDOWS\system32\DRIVERS\s117unic.sys [2007-06-25 98856]
S3 usbprint;Microsoft USB PRINTER Class; E:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-03-12 25856]
S3 usbscan;USB Scanner Driver; E:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-03-12 15104]
S3 Wdf01000;Wdf01000; E:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; E:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 IntelIde;IntelIde; E:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Ad-Aware 2007 Service; E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [2007-10-29 587096]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 Apple Mobile Device;Apple Mobile Device; E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; E:\WINDOWS\system32\Ati2evxx.exe [2003-10-28 376832]
R2 avg8emc;AVG8 E-mail Scanner; E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG8 WatchDog; E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; E:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 CCALib8;Canon Camera Access Library 8; E:\Program Files\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 ssoftservice;Cryptainer service; E:\WINDOWS\system32\cryptainersrv.exe [2007-01-24 74240]
R2 UMWdf;Windows User Mode Driver Framework; E:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 ATI Smart;ATI Smart; E:\WINDOWS\system32\ati2sgag.exe [2003-10-28 188416]
S2 vsmon;TrueVector Internet Monitor; E:\WINDOWS\system32\ZONELABS\vsmon.exe [2007-11-14 75304]
S3 Adobe LM Service;Adobe LM Service; E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-10-23 72704]
S3 aspnet_state;ASP.NET State Service; E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-10-15 654848]
S3 iPod Service;iPod Service; E:\Program Files\iPod\bin\iPodService.exe [2007-09-26 503608]
S3 Macromedia Licensing Service;Macromedia Licensing Service; E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2007-10-14 68096]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; E:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------

Edited by pearce15, 20 October 2008 - 10:16 PM.


#10
pearce15

    Member

  • Topic Starter
  • 65 posts
RSITinfo.txt

info.txt logfile of random's system information tool 1.04 2008-10-21 11:49:48

======Uninstall list======

-->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 E:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only)-->E:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 6.0 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Atmosphere Player for Acrobat and Adobe Reader-->E:\WINDOWS\atmoUn.exe
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->E:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->E:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Extension Manager CS3-->MsiExec.exe /I{D7A53E41-3F32-4A44-989C-53DDEBB2130C}
Adobe Fireworks CS3-->E:\Program Files\Common Files\Adobe\Installers\bbef028176efa5abf0233d3e1747be8\Setup.exe
Adobe Fireworks CS3-->MsiExec.exe /I{E16110F7-1C85-4675-99F4-7938F832C825}
Adobe Flash Player ActiveX-->E:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS2-->msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->E:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Photoshop Lightroom-->MsiExec.exe /I{CBCDEDF3-A2E5-4402-8E9E-E2C23DBE1DA8}
Adobe Setup-->MsiExec.exe /I{15C768E2-AB61-4DE3-952F-6B237A834951}
Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Setup-->MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe SVG Viewer 3.0-->E:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fE:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Mobile Device Support-->MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArcSoft TotalMedia Backup-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{0249E03D-1DB0-4BAE-95F3-C79A7A14E255}\SETUP.EXE" -l0x9
ATI - Software Uninstall Utility-->E:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 E:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Avanquest update-->E:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
AVG Free 8.0-->E:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon Camera Access Library-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon EOS 5D WIA Driver-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
Canon EOS Kiss_N REBEL_XT 350D WIA Driver-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33CF7CDF-9805-4500-9CC7-D19D52AD63C4} /l1033
Canon EOS-1D Mark II N WIA Driver-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{35260E0B-A8C2-4D25-97E2-448DE7275C85} /l1033
Canon EOS-1Ds Mark II WIA Driver-->E:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{652C4ADF-0A29-4B02-9211-EE61675847DE}
Canon i9950-->E:\WINDOWS\system32\CNMCP5x.exe "-PRINTERNAMECanon i9950" "-HELPERDLLE:\BJPrinter\CNMWINDOWS\Canon i9950 Installer\Inst2\cnmis.dll" "-RCDLLE:\BJPrinter\CNMWINDOWS\Canon i9950 Installer\Inst2\cnmi0409.dll"
Canon RAW Image Task for ZoomBrowser EX-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 3.1-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities Easy-PhotoPrint Plus-->E:\WINDOWS\ISUNINST.EXE -f"E:\Program Files\Canon\Easy-PhotoPrint Plus\Uninst.isu" -c"E:\Program Files\Canon\Easy-PhotoPrint Plus\EZUNINST.DLL"
Canon Utilities Easy-PhotoPrint-->E:\WINDOWS\ISUNINST.EXE -f"E:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"E:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Canon Utilities Easy-PrintToolBox-->E:\WINDOWS\BJPSUNST.EXE
Canon Utilities EOS Utility-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities Original Data Security Tools-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\Original Data Security Tools\Uninst.ini"
Canon Utilities PhotoStitch-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities Picture Style Editor-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\Picture Style Editor\Uninst.ini"
Canon Utilities WFT-E1/E2/E3 Utility-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\WFT Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"E:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "E:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CD to MP3 Ripper-->C:\MISCIN~1\CD&DVD~1\CDTOMP~1\CDTOMP~1\UNWISE.EXE C:\MISCIN~1\CD&DVD~1\CDTOMP~1\CDTOMP~1\INSTALL.LOG
CD-LabelPrint-->"E:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
Comic Life-->MsiExec.exe /X{A0FC458F-AA6E-430A-B91C-1D6640B4B149}
Cryptainer LE-->"C:\Misc installers\Protection tools\Cryptainer LE\unins000.exe"
eMusic - 50 Free MP3 offer-->"E:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Eraser-->"E:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe" REMOVE=TRUE MODIFY=FALSE
Eraser-->E:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe
ffdshow (remove only)-->"E:\Program Files\ffdshow\uninstall.exe"
floAt's Mobile Agent 2-->"E:\Program Files\FMA 2\unins000.exe"
FLV Player 1.3.3-->"E:\Program Files\FLVPlayer\uninstall.exe"
HijackThis 2.0.2-->"E:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"E:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Instant Wireless USB Adapter-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{B78823CD-488F-43B4-80D6-FAEADAE40EC4}\Setup.exe" -l0x9
Internet Explorer Q832894-->E:\WINDOWS\ieuninst.exe E:\WINDOWS\INF\Q832894.inf
iTunes-->MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.16.6-->"C:\Misc installers\Limewire\uninstall.exe"
Macromedia Dreamweaver MX 2004-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash Player 8 Plugin-->MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Magic ISO Maker v5.4 (build 0239)-->E:\PROGRA~1\MAGICISO\UNWISE.EXE E:\PROGRA~1\MAGICISO\INSTALL.LOG
Memorex Button Manager-->E:\Program Files\Memorex Button Manager\Memorex HDD Button Uninstall.exe
Microsoft .NET Framework 2.0-->E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"E:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"E:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"E:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.3)-->E:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero OEM-->E:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express-->E:\WINDOWS\UNNeroVision.exe /UNINSTALL
Panda ActiveScan-->E:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PhotoScape-->"E:\Program Files\PhotoScape\uninstall.exe"
Plaxo Toolbar for Windows-->E:\Program Files\Plaxo\3.7.1.2\uninstall_en.exe
Portrait Professional 6.5-->"E:\Program Files\Portrait Professional 6\unins000.exe"
PowerDVD-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek AC'97 Audio-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Remove Hidden Data Tool-->MsiExec.exe /X{90F80409-6000-11D3-8CFE-0150048383C9}
Replay Converter 2.20-->E:\WINDOWS\iun6002.exe "C:\Program Files\Replay Converter\irunin.ini"
Replay Media Catcher-->"E:\WINDOWS\Replay Media Catcher\uninstall.exe" "/U:E:\Program Files\Replay Media Catcher\Uninstall\uninstall.xml"
Replay Media Catcher-->E:\PROGRA~1\REPLAY~1\UNWISE.EXE E:\PROGRA~1\REPLAY~1\INSTALL.LOG
RescuePRO 3.3-->E:\WINDOWS\iun507.exe E:\Program Files\RescuePRO\irunin.ini
Shockwave-->E:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE E:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
SnagIt 7-->E:\Program Files\TechSmith\SnagIt 7\SIUNINST.EXE
Sony Ericsson Media Manager 1.0-->MsiExec.exe /X{06AC45D1-CB9B-48CC-B5C8-1A55DEE26AD0}
Sony Ericsson PC Suite 3.209.00-->E:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
Sony Ericsson PC Suite-->MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}
Soundslides-->"C:\Program Files\Soundslides\uninstall.exe" \u
Spybot - Search & Destroy-->"E:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1-->"E:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWF & FLV Toolbox 3.5 (build 3.5.16.242)-->"C:\Misc installers\SWF & FLV Toolbox\unins000.exe"
U.R.Celeb 2.06-->E:\Program Files\U.R.Celeb\uninst.exe
Update for Windows XP (KB898461)-->"E:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update Service-->E:\Program Files\Sony Ericsson\Update Service\uninst.exe
Winamp (remove only)-->"E:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"E:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format Runtime-->"E:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"E:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 2-->E:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinPatrol 2007-->E:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR archiver-->E:\Program Files\WinRAR\uninstall.exe
YouSendIt Application Plug-in SDK-->E:\Program Files\InstallShield Installation Information\{D6F80A9A-D655-4DCE-BC53-AC2A55324F5C}\setup.exe -runfromtemp -l0x0409
YouSendIt Plug-in for Photoshop-->E:\Program Files\InstallShield Installation Information\{33CECB7B-D339-493F-A74D-9188E8341DD6}\setup.exe -runfromtemp -l0x0409
ZoneAlarm-->E:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

=====HijackThis Backups=====

O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll
O2 - BHO: (no name) - {48DB7DDF-871C-4B9B-92D1-C61A1457120C} - E:\WINDOWS\system32\msimg3.dll

======Security center information======

AV: AVG Anti-Virus Free
FW: ZoneAlarm Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;E:\Program Files\ATI Technologies\ATI Control Panel;E:\Program Files\QuickTime\QTSystem;E:\Program
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8
"CLASSPATH"=.;E:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=E:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------
  • 0

#11 pearce15 (Member, Topic Starter, 65 posts)
I can't seem to be able to post the log for OTMoveIt3 here. The entire log gets truncated like this...??

��=

Edited by pearce15, 20 October 2008 - 10:25 PM.

  • 0

#12 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello pearce15,

Don't worry about the OTMoveIt3 report for now.

Download this tool to the E:\Windows folder.

http://www2.gmer.net/mbr/mbr.exe

Double-click it. It will create a log (mbr.log) on your desktop. Copy and post the contents back here.
  • 0

#13 pearce15 (Member, Topic Starter, 65 posts)
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found
  • 0
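The three verdict lines in that mbr.log (user read, kernel read, boot signature) are the whole idea behind an MBR rootkit detector: read sector 0 through the normal user-mode path and again through the kernel, check that the sector ends in the 0x55AA boot signature, and flag any disagreement between the two reads, because a rootkit that hooks disk I/O to hide a patched boot sector will return a clean copy on one path and not the other. The script below is an added example written for this thread, not Gmer's code and not part of the original posts. It works on any 512-byte sector image; the sample sector it builds is constructed, the verdict strings are modelled on the log lines above, and the known_good_hash baseline is a hypothetical input (nothing in this thread supplies one). Reading the real sector 0 on Windows would mean opening \\.\PhysicalDrive0 as Administrator, which is deliberately left out so the example runs offline.

```python
"""MBR sanity checks in the spirit of an MBR rootkit detector (added example).

Checks performed on a 512-byte sector image:
  * the sector ends in the 0x55AA boot signature
  * a user-mode read and a kernel read of the same sector agree
  * the 446-byte boot code matches an optional known-good SHA-256 baseline
  * at least one partition entry carries the bootable flag
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 are boot code, 446..509 the partition table
BOOT_SIGNATURE = b"\x55\xaa"
PART_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample: stub boot code, one bootable NTFS partition, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * (BOOT_CODE_LEN - 5)
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * 48                      # three unused entries
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot-code hash, partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        raw = sector[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(PART_ENTRY, raw)
        if ptype == 0:                                # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_reads(user_read, kernel_read, known_good_hash=None) -> list:
    """Produce detector-style verdict lines from two independent reads of sector 0.

    user_read / kernel_read: bytes from each read path, or None if that read failed.
    known_good_hash: hypothetical SHA-256 of the boot code taken while the box was clean.
    """
    findings = []
    if user_read is None:
        findings.append("user: error reading MBR")
    if kernel_read is None:
        findings.append("kernel: error reading MBR")
    reference = kernel_read if kernel_read is not None else user_read
    if reference is None:
        return findings                               # nothing readable at all
    info = parse_mbr(reference)
    if not info["signature_ok"]:
        findings.append("BIOS signature not found")
    if user_read is not None and kernel_read is not None and user_read != kernel_read:
        findings.append("user & kernel MBR differ: possible disk I/O hook")
    if known_good_hash is not None and info["boot_code_sha256"] != known_good_hash:
        findings.append("boot code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition flagged")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    patched = b"\xeb" + clean[1:]                     # first opcode changed, as a patched MBR would be
    scenarios = {
        "clean, both reads agree": (clean, clean),
        "user read failed": (None, clean),
        "reads disagree": (clean, patched),
        "signature missing": (clean[:510] + b"\x00\x00",) * 2,
    }
    for name, (u, k) in scenarios.items():
        print(f"{name}: {compare_reads(u, k, baseline) or ['user & kernel MBR OK']}")
```

A clean machine yields an empty findings list (printed as "user & kernel MBR OK"); any disagreement between the two read paths is the result worth escalating, while a failed user-mode read on its own, as in the log above, only says that one path could not be checked and does not by itself prove or disprove a rootkit.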

#14 pearce15 (Member, Topic Starter, 65 posts)
��=
  • 0

#15 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hi pearce15,

I am not sure why we have come up with the answer we have with that MBR rootkit search.

I am consulting on this. Might be a little time before I get back to you.

If it is an MBR rootkit and SDFix has found some files which are associated with this type of infection, it is a nasty infection and we want to get it right.
  • 0
