
File and Folder Properties are messed up


#1 Kasey21 (Member, 168 posts)
I have had my computer cleaned at 5 Star Support Forums, but I was told I still need to post this here:

Basically, I had a virus that made every folder on my computer hidden. Then I was told to run RogueKiller. I thought it fixed it at first, but only about half of my folders were changed back to their original state. Also, some folders that were supposed to remain hidden, as they were part of the operating system files, became unhidden.

Here is a link to the topic that I posted in the Vista/Windows 7 forum, which I was told to post here:

http://www.geekstogo...96#entry2009896

I'm also having a problem with IE 9. I don't use IE 9, but there is a problem there nonetheless. The problem showed itself a couple of days after I had my computer cleaned of malware (I only noticed because I happened to open it to reinstall Firefox; luckily I had Chrome as well, or I would be without a browser). The problem is that whenever I start Internet Explorer I get the message "Internet Explorer has stopped working" before the home page is even up, and I am forced to "close the program". I believe one of the tools that I used to clean the malware was responsible; I just didn't notice until a few days later because I don't use IE.

Here is the OTL.txt:

OTL logfile created on: 5/14/2011 3:08:27 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\kelli\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 37.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.13 Gb Total Space | 87.29 Gb Free Space | 63.19% Space Free | Partition Type: NTFS

Computer Name: KELLI-PC | User Name: kelli | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/12 22:25:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\kelli\Desktop\OTL.exe
PRC - [2011/04/26 17:28:31 | 006,707,464 | RH-- | M] (Microsoft Corporation) -- C:\Windows\System32\servicescache.exe
PRC - [2011/04/14 11:25:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/01 07:11:07 | 000,203,016 | -H-- | M] (Microsoft Corporation) -- C:\Windows\System32\CNGKeyLock.exe
PRC - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2011/01/12 16:41:24 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2010/08/30 23:35:12 | 001,385,192 | ---- | M] () -- C:\Program Files\SpywareBlaster\spywareblaster.exe
PRC - [2009/10/07 01:47:34 | 000,154,136 | -H-- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/06 11:54:52 | 000,365,952 | -H-- | M] () -- C:\Program Files\SMINST\BLService.exe


========== Modules (SafeList) ==========

MOD - [2011/05/12 22:25:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\kelli\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/04/26 17:28:31 | 006,707,464 | RH-- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\servicescache.exe -- (systemCheck)
SRV - [2011/03/01 07:11:07 | 000,203,016 | -H-- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\CNGKeyLock.exe -- (CNGKeyLock)
SRV - [2011/03/01 07:11:06 | 006,859,016 | RHS- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\sysDriverHardWare.exe -- (MicrosoftHardwareDriver)
SRV - [2011/03/01 07:11:04 | 006,863,112 | RHS- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\sysSecurityCheck.exe -- (SysCacheDriver)
SRV - [2011/01/12 16:44:02 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2010/03/02 16:15:44 | 000,536,472 | -H-- | M] (Affinegy, Inc.) [Auto | Stopped] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2009/10/07 01:47:34 | 000,154,136 | -H-- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/06 11:54:52 | 000,365,952 | -H-- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/03/01 07:13:12 | 000,015,496 | -H-- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\system32\Drivers\pcrasys32.sys -- (pcrasys)
DRV - [2011/03/01 07:13:12 | 000,015,496 | -H-- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\system32\Drivers\akerneldrv32.sys -- (akerneldrv)
DRV - [2010/12/21 15:04:06 | 000,137,144 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2010/12/21 15:04:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/12/21 13:47:38 | 000,134,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfw.sys -- (epfw)
DRV - [2010/12/21 13:47:38 | 000,041,336 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfp.sys -- (epfwwfp)
DRV - [2010/12/21 13:47:38 | 000,033,120 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2010/10/24 22:25:38 | 000,054,144 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/09/26 20:13:10 | 001,882,624 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/10/07 03:49:38 | 006,756,632 | -H-- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 120(UVC)
DRV - [2009/10/07 01:46:36 | 000,025,752 | -H-- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/04/30 23:56:32 | 000,495,768 | -H-- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2009/01/20 06:49:26 | 000,142,848 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/10/03 03:39:28 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/06/29 09:52:26 | 000,112,128 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/01/20 21:23:20 | 002,225,664 | -H-- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/10/17 18:36:54 | 000,008,704 | -H-- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 19:12:04 | 000,016,768 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...resario&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/12 03:57:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/08 06:32:02 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2011/04/17 01:29:01 | 000,000,000 | ---D | M]

[2011/05/12 03:58:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\kelli\AppData\Roaming\Mozilla\Extensions
[2011/05/12 04:13:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\kelli\AppData\Roaming\Mozilla\Firefox\Profiles\tz3d9o0c.default\extensions
[2011/05/12 03:57:35 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/05/08 06:32:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\USERS\KELLI\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\TZ3D9O0C.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2010/03/14 04:04:25 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/14 11:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/05/08 06:31:44 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/08 11:38:46 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe (Affinegy, Inc.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\kelli\Pictures\thanksgiving20103.jpg
O24 - Desktop BackupWallPaper: C:\Users\kelli\Pictures\thanksgiving20103.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/12 22:25:52 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\kelli\Desktop\OTL.exe
[2011/05/12 03:57:58 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Roaming\Mozilla
[2011/05/10 05:19:36 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2011/05/10 04:57:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
[2011/05/10 04:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/05/08 15:41:52 | 000,000,000 | ---D | C] -- C:\Windows\Options
[2011/05/08 15:41:51 | 000,426,075 | ---- | C] (Atheros) -- C:\Windows\System32\wgapi.dll
[2011/05/08 15:41:51 | 000,413,765 | ---- | C] (Atheros) -- C:\Windows\System32\wcapi.dll
[2011/05/08 15:41:51 | 000,335,964 | ---- | C] (Atheros) -- C:\Windows\System32\wcapiU.dll
[2011/05/08 15:41:51 | 000,311,391 | ---- | C] (Atheros) -- C:\Windows\System32\athcfg20U.dll
[2011/05/08 15:41:51 | 000,299,080 | ---- | C] (Atheros) -- C:\Windows\System32\athcfg20.dll
[2011/05/08 15:41:51 | 000,127,080 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\System32\athcfg20resU.dll
[2011/05/08 15:41:51 | 000,127,054 | ---- | C] (Atheros Communications, Inc.) -- C:\Windows\System32\athcfg20res.dll
[2011/05/08 15:21:11 | 000,397,312 | ---- | C] (Atheros) -- C:\Windows\System32\athihvs.dll
[2011/05/08 15:21:11 | 000,061,440 | ---- | C] (Atheros) -- C:\Windows\System32\athihvui.dll
[2011/05/08 15:21:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\nn-NO
[2011/05/08 15:20:41 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Roaming\InstallShield
[2011/05/08 13:59:11 | 000,000,000 | RHSD | C] -- C:\Program Files\nortoninstaller
[2011/05/08 11:41:56 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/05/08 11:41:50 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/05/08 11:41:50 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Local\temp
[2011/05/08 11:05:09 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/05/08 06:32:02 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/05/08 06:32:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/05/08 06:32:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/05/07 02:37:00 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2011/05/07 01:29:55 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Roaming\Malwarebytes
[2011/05/07 01:29:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/05/07 01:29:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/07 01:29:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/05/07 01:29:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/05 17:41:58 | 000,465,160 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\Windows NT 5.1.22.exe
[2011/05/01 11:52:58 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2011/05/01 11:52:58 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2011/05/01 11:50:24 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/04/25 18:19:10 | 000,076,920 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SMR162.SYS
[2011/04/25 18:19:06 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Local\NPE
[2011/04/25 18:08:52 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Roaming\TeamViewer
[2011/04/25 01:40:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PeerBlock
[2011/04/25 01:39:59 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2011/04/22 14:46:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo! Companion
[2011/04/22 14:46:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
[2011/04/22 09:35:32 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Roaming\vlc
[2011/04/22 09:35:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2011/04/22 09:34:51 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2011/04/19 19:51:52 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Local\Western Digital
[2011/04/18 00:14:05 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/04/17 08:38:57 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/04/17 07:35:42 | 000,292,864 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2011/04/17 07:35:41 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2011/04/17 07:35:37 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll
[2011/04/17 07:35:35 | 001,136,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll
[2011/04/17 07:35:31 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dnscacheugc.exe
[2011/04/17 07:35:28 | 002,041,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/04/17 07:16:19 | 000,162,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/04/17 07:16:19 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/04/17 07:16:19 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/04/17 07:16:19 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/04/17 07:16:19 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/17 07:16:18 | 003,695,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/04/17 07:16:18 | 000,434,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/04/17 07:16:18 | 000,367,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/17 07:16:18 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/04/17 07:16:18 | 000,353,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/17 07:16:18 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/04/17 07:16:18 | 000,223,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/04/17 07:16:18 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/17 07:16:18 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/17 07:16:18 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/17 07:16:18 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/17 07:16:18 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/04/17 07:16:18 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/17 07:16:17 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/17 07:16:17 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/17 07:16:17 | 000,580,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/17 07:16:17 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/17 07:16:17 | 000,227,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/04/17 07:16:17 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/04/17 07:16:17 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/04/17 07:16:17 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/04/17 07:16:17 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/17 07:16:17 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/04/17 07:16:17 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/04/17 07:16:17 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/04/17 07:16:17 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/17 07:16:16 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/04/17 07:16:16 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/17 07:16:16 | 000,130,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/04/17 07:16:16 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/17 07:16:16 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/04/17 07:16:16 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/17 07:16:16 | 000,035,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/04/17 07:16:16 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/04/17 04:02:38 | 000,000,000 | ---D | C] -- C:\Users\kelli\AppData\Local\MigWiz
[2011/04/17 02:43:55 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/04/17 01:28:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
[2011/04/17 00:46:30 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2011/02/11 18:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010/10/19 12:44:49 | 008,007,680 | -H-- | C] ( ) -- C:\Windows\System32\Microsoft.mshtml.dll
[2010/10/19 12:44:45 | 000,126,976 | -H-- | C] ( ) -- C:\Windows\System32\Interop.SHDocVw.dll

========== Files - Modified Within 30 Days ==========

[2011/05/14 02:38:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cc0615cf821370.job
[2011/05/14 02:23:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000UA.job
[2011/05/14 02:05:18 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/14 02:05:18 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/14 00:06:22 | 000,044,736 | -H-- | M] () -- C:\Windows\System32\masteraclini.enu
[2011/05/14 00:06:22 | 000,000,177 | RH-- | M] () -- C:\Windows\System32\masteraclbini.enu
[2011/05/14 00:05:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/13 22:29:39 | 000,002,042 | ---- | M] () -- C:\Users\kelli\Desktop\Google Chrome.lnk
[2011/05/13 22:29:39 | 000,002,004 | ---- | M] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/13 21:38:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cc0615ce027850.job
[2011/05/13 05:23:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000Core.job
[2011/05/12 22:25:54 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\kelli\Desktop\OTL.exe
[2011/05/12 03:57:36 | 000,000,870 | ---- | M] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/12 03:57:36 | 000,000,846 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/05/12 03:52:33 | 000,023,040 | ---- | M] () -- C:\Users\kelli\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/10 05:30:55 | 000,000,284 | -H-- | M] () -- C:\ProgramData\hpqp.ini
[2011/05/10 05:30:33 | 000,003,322 | -H-- | M] () -- C:\Windows\System32\{master}(1)avg.enu
[2011/05/10 04:57:03 | 000,000,812 | ---- | M] () -- C:\Users\kelli\Desktop\SpywareBlaster.lnk
[2011/05/08 16:23:22 | 003,679,992 | -H-- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/05/08 15:50:20 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/05/08 15:50:20 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/05/08 15:35:07 | 000,001,965 | ---- | M] () -- C:\Users\Public\Desktop\HP Help and Support.lnk
[2011/05/08 14:41:44 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/05/08 13:59:11 | 000,000,660 | -HS- | M] () -- C:\Windows\System32\settings.ini
[2011/05/08 11:38:46 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/05/08 06:31:43 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/05/08 06:31:43 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/05/08 06:31:43 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/05/08 06:31:43 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/05/07 01:29:40 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/07 00:31:57 | 000,007,052 | ---- | M] () -- C:\Users\kelli\AppData\Local\d3d9caps.dat
[2011/05/05 18:26:11 | 000,465,160 | -H-- | M] (Microsoft Corporation) -- C:\Windows\System32\Windows NT 5.1.22.exe
[2011/05/02 14:52:50 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForkelli.job
[2011/04/26 17:28:31 | 006,707,464 | RH-- | M] (Microsoft Corporation) -- C:\Windows\System32\servicescache.exe
[2011/04/26 04:09:59 | 000,076,920 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SMR162.SYS
[2011/04/26 04:05:52 | 000,000,608 | ---- | M] () -- C:\Users\kelli\AppData\Roaming\SMRResults162.dat
[2011/04/25 18:30:57 | 000,001,972 | ---- | M] () -- C:\Windows\System32\drivers\SMR162.dat
[2011/04/25 01:40:00 | 000,001,752 | ---- | M] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\PeerBlock.lnk
[2011/04/25 01:40:00 | 000,001,728 | ---- | M] () -- C:\Users\kelli\Desktop\PeerBlock.lnk
[2011/04/22 14:46:25 | 000,000,966 | ---- | M] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/04/22 14:46:25 | 000,000,942 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2011/04/22 09:35:10 | 000,000,859 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2011/04/18 04:52:04 | 000,000,949 | ---- | M] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2011/04/17 07:22:06 | 000,000,943 | ---- | M] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/17 07:16:29 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2011/04/17 07:16:29 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2011/04/17 07:16:19 | 000,162,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/04/17 07:16:19 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/04/17 07:16:19 | 000,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/04/17 07:16:19 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/04/17 07:16:19 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/17 07:16:18 | 003,695,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/04/17 07:16:18 | 000,434,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/04/17 07:16:18 | 000,367,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/17 07:16:18 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/04/17 07:16:18 | 000,353,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/17 07:16:18 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/04/17 07:16:18 | 000,223,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/04/17 07:16:18 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/17 07:16:18 | 000,086,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/17 07:16:18 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/17 07:16:18 | 000,074,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/17 07:16:18 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2011/04/17 07:16:18 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/04/17 07:16:18 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/17 07:16:17 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/17 07:16:17 | 001,427,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/17 07:16:17 | 000,580,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/17 07:16:17 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/17 07:16:17 | 000,227,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/04/17 07:16:17 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/04/17 07:16:17 | 000,152,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/04/17 07:16:17 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/04/17 07:16:17 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/17 07:16:17 | 000,101,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/04/17 07:16:17 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/04/17 07:16:17 | 000,054,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/04/17 07:16:17 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/17 07:16:16 | 001,797,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/04/17 07:16:16 | 000,716,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/17 07:16:16 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/04/17 07:16:16 | 000,118,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/17 07:16:16 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/04/17 07:16:16 | 000,041,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/17 07:16:16 | 000,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/04/17 07:16:16 | 000,010,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/04/17 01:29:07 | 000,001,904 | ---- | M] () -- C:\Users\kelli\Desktop\ESET Smart Security.lnk

========== Files Created - No Company Name ==========

[2011/05/12 03:57:36 | 000,000,870 | ---- | C] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/12 03:57:36 | 000,000,858 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/12 03:57:36 | 000,000,846 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/05/10 05:19:37 | 000,002,042 | ---- | C] () -- C:\Users\kelli\Desktop\Google Chrome.lnk
[2011/05/10 05:19:37 | 000,002,004 | ---- | C] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/10 05:18:25 | 000,000,908 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000UA.job
[2011/05/10 05:18:25 | 000,000,856 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000Core.job
[2011/05/10 04:57:03 | 000,000,812 | ---- | C] () -- C:\Users\kelli\Desktop\SpywareBlaster.lnk
[2011/05/08 15:35:07 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\HP Help and Support.lnk
[2011/05/08 13:59:11 | 000,000,660 | -HS- | C] () -- C:\Windows\System32\settings.ini
[2011/05/07 01:29:40 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/28 21:33:23 | 000,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cc0615cf821370.job
[2011/04/28 21:33:20 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cc0615ce027850.job
[2011/04/25 18:33:47 | 000,000,608 | ---- | C] () -- C:\Users\kelli\AppData\Roaming\SMRResults162.dat
[2011/04/25 18:19:11 | 000,001,972 | ---- | C] () -- C:\Windows\System32\drivers\SMR162.dat
[2011/04/25 01:40:00 | 000,001,752 | ---- | C] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\PeerBlock.lnk
[2011/04/25 01:40:00 | 000,001,728 | ---- | C] () -- C:\Users\kelli\Desktop\PeerBlock.lnk
[2011/04/24 16:06:31 | 000,000,322 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForkelli.job
[2011/04/22 14:46:25 | 000,000,966 | ---- | C] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/04/22 14:46:25 | 000,000,942 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2011/04/22 09:35:10 | 000,000,859 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2011/04/18 04:52:04 | 000,000,949 | ---- | C] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2011/04/17 07:16:18 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/04/17 01:29:07 | 000,001,904 | ---- | C] () -- C:\Users\kelli\Desktop\ESET Smart Security.lnk
[2011/04/12 22:08:41 | 000,000,128 | -H-- | C] () -- C:\ProgramData\~37412616r
[2011/04/12 22:08:41 | 000,000,096 | -H-- | C] () -- C:\ProgramData\~37412616
[2011/04/12 21:57:31 | 000,000,328 | ---- | C] () -- C:\ProgramData\37412616
[2011/03/25 20:50:58 | 000,000,050 | ---- | C] () -- C:\Users\kelli\AppData\Roaming\wklnhst.dat
[2010/09/29 17:09:26 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/08/25 20:30:02 | 000,439,308 | -H-- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | -H-- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | -H-- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:57:00 | 000,000,151 | -H-- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/12 09:38:46 | 000,002,478 | ---- | C] () -- C:\Windows\checkip.dat
[2010/06/14 10:08:03 | 000,007,052 | ---- | C] () -- C:\Users\kelli\AppData\Local\d3d9caps.dat
[2010/04/17 15:08:06 | 000,023,040 | ---- | C] () -- C:\Users\kelli\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/15 09:14:33 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/03/15 09:14:33 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010/03/08 19:06:13 | 000,000,284 | -H-- | C] () -- C:\ProgramData\hpqp.ini
[2010/03/08 18:52:12 | 000,364,032 | RHS- | C] () -- C:\Windows\System32\vshadowamd64.exe
[2010/03/08 18:52:11 | 000,405,504 | RHS- | C] () -- C:\Windows\System32\vshadow.exe
[2010/03/08 18:52:11 | 000,352,256 | RHS- | C] () -- C:\Windows\System32\vshadowXP.exe
[2009/10/07 01:46:36 | 000,025,752 | -H-- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2009/10/07 01:23:08 | 000,013,584 | -H-- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
[2009/08/03 15:07:42 | 000,403,816 | -H-- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | -H-- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/04/30 23:39:36 | 000,082,289 | -H-- | C] () -- C:\Windows\System32\lvcoinst.ini
[2009/04/22 09:10:21 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/06 15:29:46 | 000,147,456 | -H-- | C] () -- C:\Windows\System32\igfxCoIn_v1518.dll
[2008/07/06 15:14:06 | 000,147,172 | -H-- | C] () -- C:\Windows\System32\igfcg550.bin
[2008/06/29 09:52:14 | 000,004,608 | -H-- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 003,679,992 | -H-- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | -H-- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | -H-- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | -H-- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\Temp:5C321E34

< End of report >
I appreciate any and all help :)

Edited by Kasey21, 14 May 2011 - 02:12 AM.

#2
Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Hello Kasey21,

Some strange services loading there, including a few that are suspect enough to get disabled for now. Let's do that, and add a few scans before we make any other changes.

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

sc config akerneldrv start= disabled

sc config pcrasys start= disabled


Type Exit and press Enter to close the command window.

-----------

Go ahead and reboot, but reboot to Safe Mode with Networking. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#3
Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
# Posts: 1
# Joined: 04-November 05

I'm a slow learner. :)

#4
Kasey21
    Member
  • Topic Starter
  • Member
  • 168 posts
I did what you told me; however:
http://www.systemloo...ldrv64_sys.html
http://www.systemloo...asys64_sys.html

I actually saw both of these load up during safe mode as well, as they both appeared at the bottom. The only difference was that instead of 64 it was 32 =P

GMER Log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-15 07:07:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545016B9A300 rev.PBBOCA0G
Running: wx8p960d.exe; Driver: C:\Users\kelli\AppData\Local\Temp\pgloqpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

aswMBR Log:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-15 07:09:10
-----------------------------
07:09:10.178 OS Version: Windows 6.0.6002 Service Pack 2
07:09:10.178 Number of processors: 2 586 0x170A
07:09:10.178 ComputerName: KELLI-PC UserName: kelli
07:09:11.520 Initialize success
07:09:29.428 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
07:09:29.428 Disk 0 Vendor: Hitachi_HTS545016B9A300 PBBOCA0G Size: 152627MB BusType: 3
07:09:31.628 Disk 0 MBR read successfully
07:09:31.628 Disk 0 MBR scan
07:09:31.628 Disk 0 unknown MBR code
07:09:33.796 Disk 0 scanning sectors +312573952
07:09:33.921 Disk 0 scanning C:\Windows\system32\drivers
07:09:53.749 Service scanning
07:09:57.056 Disk 0 trace - called modules:
07:09:57.087 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
07:09:57.087 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86c62030]
07:09:57.103 3 CLASSPNP.SYS[8b6078b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85d24b98]
07:09:57.103 Scan finished successfully
07:10:18.412 Disk 0 MBR has been saved successfully to "C:\Users\kelli\Desktop\MBR.dat"
07:10:18.428 The log file has been saved successfully to "C:\Users\kelli\Desktop\aswMBR.txt"

Edited by Kasey21, 15 May 2011 - 06:21 AM.


#5
Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Very good find, those services. I do a fair bit of checking, but didn't get that. If your system is a rental, or you are aware of a legit reason those services are in use there, do the following to re-enable them (so this top secret security software will work again).

Just repeat the earlier steps, but this time type the following:

sc config akerneldrv start= boot

sc config pcrasys start= boot


------------

No infection in these last two logs, which is a plus. Though the malware changes don't seem to show yet, based on your reports, let's run a more aggressive scan there.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

#6
Kasey21
    Member
  • Topic Starter
  • Member
  • 168 posts
Hmm, well, they already boot when the computer reboots, so it should be fine.

Edit: oh, and it was a rent-to-own =P

ComboFix Log:

ComboFix 11-05-14.03 - kelli 05/15/2011 10:42:26.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1763 [GMT -5:00]
Running from: c:\users\kelli\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\settings.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-15 15:50 . 2011-05-15 15:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-14 22:08 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-10 09:57 . 2011-05-13 15:06 -------- d-----w- c:\program files\SpywareBlaster
2011-05-08 20:41 . 2011-05-08 20:41 -------- d-----w- c:\windows\Options
2011-05-08 20:41 . 2010-09-20 22:13 311391 ----a-w- c:\windows\system32\athcfg20U.dll
2011-05-08 20:41 . 2010-09-20 22:13 127080 ----a-w- c:\windows\system32\athcfg20resU.dll
2011-05-08 20:41 . 2010-09-20 22:12 426075 ----a-w- c:\windows\system32\wgapi.dll
2011-05-08 20:41 . 2010-09-20 22:12 335964 ----a-w- c:\windows\system32\wcapiU.dll
2011-05-08 20:41 . 2010-09-20 22:10 413765 ----a-w- c:\windows\system32\wcapi.dll
2011-05-08 20:41 . 2010-09-20 22:09 299080 ----a-w- c:\windows\system32\athcfg20.dll
2011-05-08 20:41 . 2010-09-20 22:09 127054 ----a-w- c:\windows\system32\athcfg20res.dll
2011-05-08 20:21 . 2011-05-08 20:41 -------- d-----w- c:\windows\system32\nn-NO
2011-05-08 20:21 . 2010-09-11 15:51 61440 ----a-w- c:\windows\system32\athihvui.dll
2011-05-08 20:21 . 2010-09-11 15:51 397312 ----a-w- c:\windows\system32\athihvs.dll
2011-05-08 20:20 . 2011-05-08 20:20 -------- d-----w- c:\users\kelli\AppData\Roaming\InstallShield
2011-05-08 18:59 . 2011-05-08 18:59 -------- d-sh--r- c:\program files\nortoninstaller
2011-05-08 16:41 . 2011-05-15 15:50 -------- d-----w- c:\users\kelli\AppData\Local\temp
2011-05-08 11:32 . 2011-05-08 11:31 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-05-07 07:37 . 2011-05-07 07:48 -------- d-----w- c:\programdata\SecTaskMan
2011-05-07 06:29 . 2011-05-07 06:29 -------- d-----w- c:\users\kelli\AppData\Roaming\Malwarebytes
2011-05-07 06:29 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 06:29 . 2011-05-07 06:29 -------- d-----w- c:\programdata\Malwarebytes
2011-05-07 06:29 . 2011-05-07 06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 22:41 . 2011-05-05 23:26 465160 ---h--w- c:\windows\system32\Windows NT 5.1.22.exe
2011-05-01 16:52 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-01 16:52 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-01 16:50 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-25 23:19 . 2011-04-25 23:30 1972 ----a-w- c:\windows\system32\drivers\SMR162.dat
2011-04-25 23:19 . 2011-04-26 09:09 76920 ----a-w- c:\windows\system32\drivers\SMR162.SYS
2011-04-25 23:19 . 2011-04-25 23:29 -------- d-----w- c:\users\kelli\AppData\Local\NPE
2011-04-25 23:08 . 2011-04-25 23:08 -------- d-----w- c:\users\kelli\AppData\Roaming\TeamViewer
2011-04-25 06:39 . 2011-05-08 04:26 -------- d-----w- c:\program files\PeerBlock
2011-04-22 19:46 . 2011-04-22 19:47 -------- d-----w- c:\programdata\Yahoo! Companion
2011-04-22 14:35 . 2011-04-23 15:06 -------- d-----w- c:\users\kelli\AppData\Roaming\vlc
2011-04-22 14:34 . 2011-04-22 14:34 -------- d-----w- c:\program files\VideoLAN
2011-04-20 00:51 . 2011-04-20 00:51 -------- d-----w- c:\users\kelli\AppData\Local\Western Digital
2011-04-18 05:14 . 2011-04-18 05:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-04-17 12:16 . 2011-04-17 12:16 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-17 09:02 . 2011-04-17 09:03 -------- d-----w- c:\users\kelli\AppData\Local\MigWiz
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-08 11:31 . 2010-07-16 21:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 22:28 . 2010-03-08 23:32 6707464 ---h--r- c:\windows\system32\servicescache.exe
2011-03-03 15:40 . 2011-05-01 16:52 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-05-01 16:52 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-05-01 16:52 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-05-01 16:52 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-01 12:13 . 2010-03-08 23:52 1318912 ---h--r- c:\windows\system32\BackupSys.exe
2011-03-01 12:13 . 2010-10-19 17:44 8007680 ---ha-w- c:\windows\system32\Microsoft.mshtml.dll
2011-03-01 12:13 . 2010-10-19 17:44 104712 --sh--r- c:\windows\system32\FireWallDart.exe
2011-03-01 12:13 . 2010-10-19 17:44 126976 ---ha-w- c:\windows\system32\Interop.SHDocVw.dll
2011-03-01 12:13 . 2010-10-19 17:44 256000 ---h--r- c:\windows\system32\SevenZipSharp.dll
2011-03-01 12:13 . 2010-10-19 17:44 726016 ---h--r- c:\windows\system32\7z.dll
2011-03-01 12:13 . 2010-10-19 17:44 200704 ------w- c:\windows\system32\ICSharpCode.SharpZipLib.dll
2011-03-01 12:13 . 2010-12-30 23:23 19080 ---ha-w- c:\windows\system32\drivers\apcmci32.sys
2011-03-01 12:13 . 2010-12-30 23:23 15496 ---ha-w- c:\windows\system32\drivers\pcrasys32.sys
2011-03-01 12:13 . 2010-12-30 23:23 15496 ---ha-w- c:\windows\system32\drivers\akerneldrv32.sys
2011-03-01 12:11 . 2011-01-13 22:36 203016 ---h--w- c:\windows\system32\CNGKeyLock.exe
2011-03-01 12:11 . 2011-03-01 12:11 6859016 --sh--r- c:\windows\system32\sysDriverHardWare.exe
2011-03-01 12:11 . 2010-04-03 10:16 6863112 --sh--r- c:\windows\system32\sysSecurityCheck.exe
2011-02-22 14:13 . 2011-03-23 05:34 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 05:35 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 05:34 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-04-14 16:26 . 2011-05-12 08:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-01-20 21:21 405504 --sh--r- c:\windows\System32\vshadow.exe
2010-01-20 21:21 364032 --sh--r- c:\windows\System32\vshadowamd64.exe
2010-01-20 21:21 352256 --sh--r- c:\windows\System32\vshadowXP.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-03-02 1134488]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^kelli^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\kelli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ---ha-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadManagerService]
2010-07-28 19:56 89600 ---ha-w- c:\program files\Verizon Wireless\dist\servicerunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ---ha-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 18:16 2363392 ---ha-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 21:43 6061400 ---ha-w- c:\program files\Logitech\Logitech Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ---ha-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-04-17 18:05 1049896 ---ha-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R2 MicrosoftHardwareDriver;MicrosoftHardwareDriver;c:\windows\system32\sysDriverHardWare.exe [2011-03-01 6859016]
R2 SysCacheDriver;SysCacheDriver;c:\windows\system32\sysSecurityCheck.exe [2011-03-01 6863112]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 wimmount;wimmount;c:\windows\system32\DRIVERS\wimmount.sys [2010-07-23 19024]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 akerneldrv;akerneldrv;c:\windows\system32\Drivers\akerneldrv32.sys [2011-03-01 15496]
S0 pcrasys;pcrasys;c:\windows\system32\Drivers\pcrasys32.sys [2011-03-01 15496]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]
S2 CNGKeyLock;CNG Key Isolation Service;c:\windows\system32\CNGKeyLock.exe [2011-03-01 203016]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-12-21 137144]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-01-12 810144]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-12-21 41336]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 systemCheck;SystemWindows;c:\windows\system32\servicescache.exe [2011-04-26 6707464]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ---ha-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0615ce027850.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 15:38]
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc0615cf821370.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 15:38]
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000Core.job
- c:\users\kelli\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-10 02:33]
.
2011-05-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000UA.job
- c:\users\kelli\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-10 02:33]
.
2011-05-02 c:\windows\Tasks\HPCeeScheduleForkelli.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\kelli\AppData\Roaming\Mozilla\Firefox\Profiles\tz3d9o0c.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-lxdvamon - c:\program files\Lexmark X5400 Series\lxdvamon.exe
MSConfigStartUp-lxdvmon - c:\program files\Lexmark X5400 Series\lxdvmon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 10:50
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:3d,aa,8f,d7,f2,03,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bc,98,61,df,8e,3b,7e,4a,b2,a0,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bc,98,61,df,8e,3b,7e,4a,b2,a0,0b,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-15 10:52:52
ComboFix-quarantined-files.txt 2011-05-15 15:52
.
Pre-Run: 94,179,889,152 bytes free
Post-Run: 94,013,071,360 bytes free
.
Current=12 Default=12 Failed=11 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
- - End Of File - - 792F4AA5E6F15F6291D358F373986CE9

Edited by Kasey21, 15 May 2011 - 10:02 AM.

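The OTL "Files Created" entries in the first post and the ComboFix service list above both use a fixed one-line format. The Python helper below is an added example, not part of this thread or of either tool: it parses both formats and lists what a reviewer would check first, namely files carrying hidden/system attributes with no company name, and boot-start (start type 0) drivers. The sample lines are copied from the logs above; the flagging rules are my own triage heuristics, not verdicts from OTL or ComboFix.

```python
"""Triage helper for OTL file entries and ComboFix service lines.

Added example for this thread; the heuristics below only produce a review
list (attribute anomalies, boot-start drivers), never a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# OTL entry:  [yyyy/mm/dd hh:mm:ss | size | attrs | M|C] (company) -- path
OTL_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# ComboFix service line:  S0 name;display name;image path [yyyy-mm-dd size]
# First letter: R = running, S = stopped; digit: Windows start type (0 = boot).
CF_SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)


@dataclass
class OtlEntry:
    date: str
    size: int
    attrs: Set[str]   # letters present in the flag field, e.g. {"H", "S"}
    kind: str         # "M" = modified list, "C" = created list
    company: str      # empty string when OTL printed "()"
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry, or None if the line is not an OTL file entry."""
    m = OTL_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        date=m.group("date"),
        size=int(m.group("size").replace(",", "")),
        attrs={c for c in m.group("attrs") if c != "-"},
        kind=m.group("kind"),
        company=m.group("company").strip(),
        path=m.group("path"),
    )


def triage_otl(lines: List[str]) -> List[OtlEntry]:
    """Files that are hidden (H) or system (S) and carry no company name.

    Legitimate vendor files usually have a company string; the thread's
    problem was attribute tampering, so H/S on anonymous files is the
    first thing to review by hand.
    """
    entries = [e for e in (parse_otl_line(l) for l in lines) if e]
    return [e for e in entries if e.attrs & {"H", "S"} and not e.company]


def boot_start_drivers(lines: List[str]) -> List[dict]:
    """ComboFix service lines with start type 0 (loaded by the boot loader)."""
    found = []
    for line in lines:
        m = CF_SVC_RE.match(line.strip())
        if m and m.group("start") == "0":
            found.append(m.groupdict())
    return found


# Sample lines copied from the OTL and ComboFix logs posted in this thread.
SAMPLE_OTL = [
    r"[2011/05/12 03:57:36 | 000,000,870 | ---- | C] () -- C:\Users\kelli\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk",
    r"[2011/05/08 13:59:11 | 000,000,660 | -HS- | C] () -- C:\Windows\System32\settings.ini",
    r"[2011/04/12 22:08:41 | 000,000,128 | -H-- | C] () -- C:\ProgramData\~37412616r",
    r"[2010/03/08 18:52:12 | 000,364,032 | RHS- | C] () -- C:\Windows\System32\vshadowamd64.exe",
    r"[2011/04/17 07:16:18 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll",
]
SAMPLE_CF = [
    r"R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]",
    r"S0 akerneldrv;akerneldrv;c:\windows\system32\Drivers\akerneldrv32.sys [2011-03-01 15496]",
    r"S0 pcrasys;pcrasys;c:\windows\system32\Drivers\pcrasys32.sys [2011-03-01 15496]",
    r"S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]",
    r"S2 systemCheck;SystemWindows;c:\windows\system32\servicescache.exe [2011-04-26 6707464]",
]

if __name__ == "__main__":
    for e in triage_otl(SAMPLE_OTL):
        print(f"REVIEW attrs={''.join(sorted(e.attrs))} {e.path}")
    for s in boot_start_drivers(SAMPLE_CF):
        print(f"BOOT-START {s['name']} -> {s['path']}")
```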

#7
Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Not much for direct malware hits, though the log shows some questionable permission-restricted Registry settings, which could be what ails things there.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

---------

Then go ahead and run some scans.

Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner.

If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, the place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


Post that log, the C:\ComboFix.txt log and the Malwarebytes log please.
  • 0
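
As an added example (not Jintan's instructions and not ComboFix's own code), this PowerShell snippet lists any explicit Deny entries on the three keys that the ComboFix log above reports as @Denied, so the effect of the RegLock:: step can be checked before and after it runs. The key names come from the log; the function name and output layout are this example's own assumptions.

```powershell
# Added example, not from the thread. Reports explicit Deny entries on the
# registry keys ComboFix showed as @Denied in the log above, so the RegLock::
# step can be checked before and after it runs. Only the key names come from
# the log; the rest is this example's own code.
$FlaggedKeys = @(
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Approved Extensions',
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration',
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences'
)

function Get-RegistryDenyAce {
    param([string[]]$KeyPath = $FlaggedKeys)
    foreach ($key in $KeyPath) {
        # The Registry:: provider prefix reaches hives other than HKLM and HKCU.
        $acl = Get-Acl -Path "Registry::$key" -ErrorAction SilentlyContinue
        if ($acl -eq $null) {
            # Either the key is missing or its ACL cannot be read at all,
            # which is what a Deny on read-permissions looks like from outside.
            New-Object PSObject -Property @{
                Key = $key; Identity = '(missing or ACL unreadable)'; Rights = ''; Inherited = ''
            }
            continue
        }
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($denies.Count -eq 0) {
            New-Object PSObject -Property @{
                Key = $key; Identity = '(no Deny entries)'; Rights = ''; Inherited = ''
            }
            continue
        }
        foreach ($ace in $denies) {
            New-Object PSObject -Property @{
                Key       = $key
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Run from an elevated prompt so the ACLs can be read.
Get-RegistryDenyAce | Format-Table Key, Identity, Rights, Inherited -AutoSize
```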

#8 Kasey21 (Topic Starter, Member, 168 posts)
I use ESET Smart Security 4 and do a full system scan every day at 10 am, so I didn't do step 3. However, if you wish for a log from ESET, I can run SysInspector and attach the log.

ComboFix Log:

ComboFix 11-05-16.01 - kelli 05/16/2011 14:59:15.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1416 [GMT -5:00]
Running from: c:\users\kelli\Desktop\ComboFix.exe
Command switches used :: c:\users\kelli\Desktop\CFScript.txt
AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
.
.
2011-05-16 20:05 . 2011-05-16 20:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-14 22:08 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-10 09:57 . 2011-05-13 15:06 -------- d-----w- c:\program files\SpywareBlaster
2011-05-08 20:41 . 2011-05-08 20:41 -------- d-----w- c:\windows\Options
2011-05-08 20:41 . 2010-09-20 22:13 311391 ----a-w- c:\windows\system32\athcfg20U.dll
2011-05-08 20:41 . 2010-09-20 22:13 127080 ----a-w- c:\windows\system32\athcfg20resU.dll
2011-05-08 20:41 . 2010-09-20 22:12 426075 ----a-w- c:\windows\system32\wgapi.dll
2011-05-08 20:41 . 2010-09-20 22:12 335964 ----a-w- c:\windows\system32\wcapiU.dll
2011-05-08 20:41 . 2010-09-20 22:10 413765 ----a-w- c:\windows\system32\wcapi.dll
2011-05-08 20:41 . 2010-09-20 22:09 299080 ----a-w- c:\windows\system32\athcfg20.dll
2011-05-08 20:41 . 2010-09-20 22:09 127054 ----a-w- c:\windows\system32\athcfg20res.dll
2011-05-08 20:21 . 2011-05-08 20:41 -------- d-----w- c:\windows\system32\nn-NO
2011-05-08 20:21 . 2010-09-11 15:51 61440 ----a-w- c:\windows\system32\athihvui.dll
2011-05-08 20:21 . 2010-09-11 15:51 397312 ----a-w- c:\windows\system32\athihvs.dll
2011-05-08 20:20 . 2011-05-08 20:20 -------- d-----w- c:\users\kelli\AppData\Roaming\InstallShield
2011-05-08 18:59 . 2011-05-08 18:59 -------- d-sh--r- c:\program files\nortoninstaller
2011-05-08 16:41 . 2011-05-16 20:05 -------- d-----w- c:\users\kelli\AppData\Local\temp
2011-05-08 11:32 . 2011-05-08 11:31 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-05-07 07:37 . 2011-05-07 07:48 -------- d-----w- c:\programdata\SecTaskMan
2011-05-07 06:29 . 2011-05-07 06:29 -------- d-----w- c:\users\kelli\AppData\Roaming\Malwarebytes
2011-05-07 06:29 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 06:29 . 2011-05-07 06:29 -------- d-----w- c:\programdata\Malwarebytes
2011-05-07 06:29 . 2011-05-07 06:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 22:41 . 2011-05-05 23:26 465160 ---h--w- c:\windows\system32\Windows NT 5.1.22.exe
2011-05-01 16:52 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-01 16:52 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-01 16:50 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-25 23:19 . 2011-04-25 23:30 1972 ----a-w- c:\windows\system32\drivers\SMR162.dat
2011-04-25 23:19 . 2011-04-26 09:09 76920 ----a-w- c:\windows\system32\drivers\SMR162.SYS
2011-04-25 23:19 . 2011-04-25 23:29 -------- d-----w- c:\users\kelli\AppData\Local\NPE
2011-04-25 23:08 . 2011-04-25 23:08 -------- d-----w- c:\users\kelli\AppData\Roaming\TeamViewer
2011-04-25 06:39 . 2011-05-08 04:26 -------- d-----w- c:\program files\PeerBlock
2011-04-22 19:46 . 2011-04-22 19:47 -------- d-----w- c:\programdata\Yahoo! Companion
2011-04-22 14:35 . 2011-04-23 15:06 -------- d-----w- c:\users\kelli\AppData\Roaming\vlc
2011-04-22 14:34 . 2011-04-22 14:34 -------- d-----w- c:\program files\VideoLAN
2011-04-20 00:51 . 2011-04-20 00:51 -------- d-----w- c:\users\kelli\AppData\Local\Western Digital
2011-04-18 05:14 . 2011-04-18 05:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-04-17 12:16 . 2011-04-17 12:16 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-17 09:02 . 2011-04-17 09:03 -------- d-----w- c:\users\kelli\AppData\Local\MigWiz
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-08 11:31 . 2010-07-16 21:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 22:28 . 2010-03-08 23:32 6707464 ---h--r- c:\windows\system32\servicescache.exe
2011-03-03 15:40 . 2011-05-01 16:52 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-05-01 16:52 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-05-01 16:52 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-05-01 16:52 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-01 12:13 . 2010-03-08 23:52 1318912 ---h--r- c:\windows\system32\BackupSys.exe
2011-03-01 12:13 . 2010-10-19 17:44 8007680 ---ha-w- c:\windows\system32\Microsoft.mshtml.dll
2011-03-01 12:13 . 2010-10-19 17:44 104712 --sh--r- c:\windows\system32\FireWallDart.exe
2011-03-01 12:13 . 2010-10-19 17:44 126976 ---ha-w- c:\windows\system32\Interop.SHDocVw.dll
2011-03-01 12:13 . 2010-10-19 17:44 256000 ---h--r- c:\windows\system32\SevenZipSharp.dll
2011-03-01 12:13 . 2010-10-19 17:44 726016 ---h--r- c:\windows\system32\7z.dll
2011-03-01 12:13 . 2010-10-19 17:44 200704 ------w- c:\windows\system32\ICSharpCode.SharpZipLib.dll
2011-03-01 12:13 . 2010-12-30 23:23 19080 ---ha-w- c:\windows\system32\drivers\apcmci32.sys
2011-03-01 12:13 . 2010-12-30 23:23 15496 ---ha-w- c:\windows\system32\drivers\pcrasys32.sys
2011-03-01 12:13 . 2010-12-30 23:23 15496 ---ha-w- c:\windows\system32\drivers\akerneldrv32.sys
2011-03-01 12:11 . 2011-01-13 22:36 203016 ---h--w- c:\windows\system32\CNGKeyLock.exe
2011-03-01 12:11 . 2011-03-01 12:11 6859016 --sh--r- c:\windows\system32\sysDriverHardWare.exe
2011-03-01 12:11 . 2010-04-03 10:16 6863112 --sh--r- c:\windows\system32\sysSecurityCheck.exe
2011-02-22 14:13 . 2011-03-23 05:34 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 05:35 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 05:34 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-04-14 16:26 . 2011-05-12 08:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-01-20 21:21 405504 --sh--r- c:\windows\System32\vshadow.exe
2010-01-20 21:21 364032 --sh--r- c:\windows\System32\vshadowamd64.exe
2010-01-20 21:21 352256 --sh--r- c:\windows\System32\vshadowXP.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-03-02 1134488]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^kelli^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\kelli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ---ha-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadManagerService]
2010-07-28 19:56 89600 ---ha-w- c:\program files\Verizon Wireless\dist\servicerunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ---ha-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 18:16 2363392 ---ha-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 21:43 6061400 ---ha-w- c:\program files\Logitech\Logitech Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ---ha-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-04-17 18:05 1049896 ---ha-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R2 MicrosoftHardwareDriver;MicrosoftHardwareDriver;c:\windows\system32\sysDriverHardWare.exe [2011-03-01 6859016]
R2 SysCacheDriver;SysCacheDriver;c:\windows\system32\sysSecurityCheck.exe [2011-03-01 6863112]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 wimmount;wimmount;c:\windows\system32\DRIVERS\wimmount.sys [2010-07-23 19024]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 akerneldrv;akerneldrv;c:\windows\system32\Drivers\akerneldrv32.sys [2011-03-01 15496]
S0 pcrasys;pcrasys;c:\windows\system32\Drivers\pcrasys32.sys [2011-03-01 15496]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-12-21 115008]
S2 CNGKeyLock;CNG Key Isolation Service;c:\windows\system32\CNGKeyLock.exe [2011-03-01 203016]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-12-21 137144]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2011-01-12 810144]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-12-21 41336]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 systemCheck;SystemWindows;c:\windows\system32\servicescache.exe [2011-04-26 6707464]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ---ha-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc0615ce027850.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 15:38]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc0615cf821370.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 15:38]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000Core.job
- c:\users\kelli\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-10 02:33]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3055264178-2470136505-292888414-1000UA.job
- c:\users\kelli\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-10 02:33]
.
2011-05-15 c:\windows\Tasks\HPCeeScheduleForkelli.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\kelli\AppData\Roaming\Mozilla\Firefox\Profiles\tz3d9o0c.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-16 15:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-16 15:08:14
ComboFix-quarantined-files.txt 2011-05-16 20:08
ComboFix2.txt 2011-05-15 15:52
.
Pre-Run: 95,205,552,128 bytes free
Post-Run: 94,929,051,648 bytes free
.
Current=12 Default=12 Failed=11 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
- - End Of File - - 2A4BF327B0BA462DA14DB56582F2CE91


MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6593

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

5/16/2011 3:13:53 PM
mbam-log-2011-05-16 (15-13-53).txt

Scan type: Quick scan
Objects scanned: 153926
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


If you suggest that the ESET online scanner would still be better to run I will do it.
  • 0

#9 Jintan (Trusted Helper, Malware Removal, 904 posts)
Yes, if you would please, the Eset online scanner is different from the installed one. So run it, and let's confirm no malware is there. Also post back on what issues are still there we need to address please.
  • 0

#10 Kasey21 (Topic Starter, Member, 168 posts)
All problems persist; however, I don't believe an infection is causing my problems. The hidden folders were caused by a virus, yes, but I got my computer cleaned at 5 Star Support forums and the settings left by the virus remained. I then ran RogueKiller to fix the hidden folders but it fixed about half of them while messing up some other ones. lol. Ofc, I just saw that my start menu was fixed and no longer hidden and didn't do a thorough check, so I told them it fixed the problem :unsure: . And then I noticed IE messed up a few days later, which was probably caused by one of the tools used to clean my computer. However, I am told I still have to post this here since my computer wasn't cleaned here :) .

But it does look like I had some adware =P

ESET Log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=a9592c87665f7c49b9928f3934532b09
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-17 01:19:35
# local_time=2011-05-16 08:19:35 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776638 100 95 20394724 142197142 0 0
# compatibility_mode=8201 39157181 100 97 0 10638464 0 0
# scanned=212068
# found=2
# cleaned=2
# scan_time=5560
# nod_component=V3 Build:0x30000000
C:\System Volume Information\SystemRestore\FRStaging{66C60756-B635-4274-A272-0191C020F32A}\Program Files\MyWebSearch\bar\2.bin\M3TPINST.DLL a variant of Win32/Toolbar.MyWebSearch.I application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\SystemRestore\FRStaging{76653D9A-CB8E-49BE-BC43-848621006A1B}\Program Files\MyWebSearch\bar\2.bin\M3TPINST.DLL a variant of Win32/Toolbar.MyWebSearch.I application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  • 0


#11 Jintan (Trusted Helper, Malware Removal, 904 posts)
Well, the adware is more remnants held harmless in System Restore, now removed. I am more than pleased to help you correct things here, but wonder why 5 Star refers folks elsewhere for repairs. Do you have a link to that previous thread?

The logs show some atypical IE start pages, so let's just change those.

REGEDIT4

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
Open Notepad (Start Search, type Notepad then click the notepad file that shows in the display), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Close all programs, especially Internet Explorer. Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

------------

Do you know why your DNS server lookup settings are this:

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

That suggests a router's IP address, but usually the router has the job of sending on DNS server lookup requests (this setting suggests the router IS the DNS server).

----------------

Navigate to the following file, and see if you can ID it. If not, please go here, press NEW TOPIC (right hand side, just at the top of the forum thread list), fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following files on your computer.

c:\windows\system32\Windows NT 5.1.22.exe

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

--------------

Help me out with the hidden files issue. What files are hidden - should be unhidden. Or vice versa, unhidden and should be hidden. If it is a boatload, just give me an idea of what files are involved.
  • 0

#12 Kasey21 (Topic Starter, Member, 168 posts)
Here is the link to my thread in 5 Star: http://www.5starsupp...showtopic=40488
Oh, and they didn't refer me here =P ... It was someone on this forum who referred me here since I posted this in the Vista/Windows 7 forum and didn't have my computer cleaned here. In my first post there is a link to where I was told to come here from. And I appreciate all the help so far :)

I did the Registry fix (It changed the start page from facebook to google) but it still gets the not responding every time I start it.

I have no idea why it is like that.

I don't quite understand this. I don't have the file so how am I suppose to upload it?

As for the folder problems: it is mainly my Program Files that are hidden. Ofc new programs that I download won't be hidden, but everything that was on there was hidden. I believe some of the files in the Program Files folders are still unhidden though. Also, it is not giving me permission to make some of these files unhidden manually. Like, it wouldn't even allow me to make C:\Program Files\ESET unhidden (not including the subfolders/files).

As for files that are supposed to be hidden as they are operating system files, I have C:\Documents and Settings\, C:\ProgramData\Desktop, C:\ProgramData\Favorites, etc. These folders don't have the usual "folder" icon and have a "folder shortcut" icon. These folders I also don't have access to. There are some folders that I am unsure about, since at first I thought that all the folders I don't have access to are the operating system files, but then again I didn't even have permission to change ESET to non-hidden. So I have other folders I don't have access to that I'm unsure if they are operating system files or just that I don't have access to because of a problem. Here are some of those folders: C:\MSOCache\, C:\PCRA\, etc.
  • 0

#13 Kasey21 (Topic Starter, Member, 168 posts)
I have also just noticed that not only am I not getting permission to change some files from hidden to non-hidden but also I can't access some files while installing updates. Here is an example:

Posted Image


Basically the computer is treating me like I'm not an administrator when I am.
  • 0

#14 Jintan (Trusted Helper, Malware Removal, 904 posts)
Let's try a few different looks at things there. Did your Security Center problem you mentioned at 5 Star get corrected?


Download MS Sysinternal's Junction.zip from here to your desktop, then unzip that. Then in that folder locate the Junction.exe file, and place a copy of that directly on your desktop.

Go to Start - Run, and copy/paste the following command line, and then press OK:

cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

Once you have accepted the agreement, a command window will open. When the scan completes, a log.txt will open in Notepad. Paste those contents back here please. This will also be saved as "log.txt" in your current user's folder (example - C:\Users\yourusername).

---------------

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

dir /s /a "c:\*desktop.ini*.*" > find.txt&find.txt

Your drive will be scanned and when finished, Notepad will pop up with some information.

That should be a corker of a log, so instead of you posting it, look through it, and locate some folders where you have a file problem. See if they all contain desktop.ini files.
  • 0
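
As an added example (not part of Jintan's instructions), the following PowerShell script performs the same triage as the junction.exe and dir /s /a desktop.ini checks above in one pass: for each folder under a root it records the Hidden, System and ReparsePoint attributes, whether a desktop.ini is present, and a verdict that separates Vista's expected compatibility junctions (such as C:\Documents and Settings, which points at C:\Users) from plain folders that were simply left Hidden. The list of known junctions and the Repair-HiddenFolder helper are this example's own assumptions; run it from an elevated prompt, since attribute changes under Program Files need an administrator token under UAC.

```powershell
# Added example, not from the thread. Audits the folders under a root for the
# symptoms discussed above: Hidden/System attributes, junction (reparse) points
# and desktop.ini files. Written for Windows PowerShell 2.0, the version shipped
# for Vista, so it avoids -Directory and [pscustomobject].

# Constructed reference list: folders that are Hidden+System junctions by design
# on Vista/7 (kept for backward compatibility and deliberately not traversable).
$KnownJunctions = @(
    'C:\Documents and Settings',
    'C:\ProgramData\Desktop',
    'C:\ProgramData\Favorites',
    'C:\ProgramData\Start Menu',
    'C:\ProgramData\Templates'
)

function Test-Attr {
    # True when $Flag is set in $Attributes.
    param([IO.FileAttributes]$Attributes, [IO.FileAttributes]$Flag)
    return (([int]$Attributes -band [int]$Flag) -ne 0)
}

function Get-Verdict {
    param([string]$Path, [bool]$Hidden, [bool]$System, [bool]$Junction, [bool]$DesktopIni)
    if ($Junction -and ($KnownJunctions -contains $Path)) {
        return 'expected compatibility junction - leave as is'
    }
    if ($Junction) {
        return 'junction - confirm its target (junction.exe -s) before touching it'
    }
    if ($Hidden -and $System) {
        # Hidden+System folders (usually carrying a desktop.ini) are special or
        # protected OS folders; clearing their bits causes the reverse problem.
        return 'hidden+system - protected, review before changing'
    }
    if ($Hidden -and -not $DesktopIni) {
        # A plain folder with only the Hidden bit set is the pattern this thread
        # describes (an infection hid everything, the repair tool caught only half).
        return 'hidden only - candidate for unhiding'
    }
    return 'normal'
}

function Get-FolderAudit {
    param([string]$Root = 'C:\')
    # -Force is required; without it Hidden/System folders are silently skipped.
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $hidden   = Test-Attr $_.Attributes ([IO.FileAttributes]::Hidden)
            $system   = Test-Attr $_.Attributes ([IO.FileAttributes]::System)
            $junction = Test-Attr $_.Attributes ([IO.FileAttributes]::ReparsePoint)
            $ini      = Test-Path -LiteralPath (Join-Path $_.FullName 'desktop.ini') -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Hidden     = $hidden
                System     = $system
                Junction   = $junction
                DesktopIni = $ini
                Verdict    = (Get-Verdict $_.FullName $hidden $system $junction $ini)
            }
        }
}

function Repair-HiddenFolder {
    # Clears only the Hidden bit, and only on folders the audit rated 'hidden only'.
    # Run from an elevated prompt: attribute changes under Program Files need an
    # administrator token under UAC, which is the "no permission" symptom above.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Root = 'C:\Program Files')
    Get-FolderAudit -Root $Root |
        Where-Object { $_.Verdict -like 'hidden only*' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Path, 'clear Hidden attribute')) {
                $dir = Get-Item -LiteralPath $_.Path -Force
                $dir.Attributes = [IO.FileAttributes](
                    [int]$dir.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
            }
        }
}

# Review first, then preview the repair with -WhatIf before dropping the switch.
Get-FolderAudit -Root 'C:\' | Sort-Object Verdict, Path |
    Format-Table Path, Hidden, System, Junction, DesktopIni, Verdict -AutoSize
Repair-HiddenFolder -Root 'C:\Program Files' -WhatIf
```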

#15 Kasey21 (Topic Starter, Member, 168 posts)

(Quoting Jintan's instructions from post #14 above.)

On the first step, the Command Prompt just flashes really fast. I was able to take a s/s in time though:

Posted Image

Step 2: everything in the log contained either desktop.ini, Desktop.ini, or DESKTOP.INI.

And yes my security center got fixed once Essentials was uninstalled.

Edited by Kasey21, 19 May 2011 - 10:56 PM.

  • 0





