
Strange Happenings -7034s, 7024s, 20063, ZA Err [Solved]



#16
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

had problems last night getting FF to stay connected long enough to send all the data ... tried 3 times .... also tried once with IE7 .... same thing today (am using daughter's laptop right now). When first started FF, system lost fact that FF was default browser - had to reset.
My PC ( a desktop DELL, WIN XP SP2, 1.6 GHz, 1GB mem) seems to 'drop' the Internet connection after a few minutes (browser only .... Outlook Express works OK).


Might be malware related but it looks like you are using ToniArts EasyCleaner. I am wondering whether it has cleaned some items out of registry that you need.

For now let's continue removing leftover bits of ZoneAlarm and Symantec and see what can be done about the other problems once we have dealt with this.

Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    
    :files
    C:\WINDOWS\system32\ZoneLabs
    C:\WINDOWS\system32\vsdatant.sys
    C:\WINDOWS\system32\drivers\symlcbrd.sys
    
    :commands
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post together with a new HijackThis log.

#17
911pchelp

    Member

  • Topic Starter
  • Member
  • 290 posts
OK

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\ZoneLabs\Updates moved successfully.
C:\WINDOWS\system32\ZoneLabs\streamapi moved successfully.
C:\WINDOWS\system32\ZoneLabs\lib\pyd moved successfully.
C:\WINDOWS\system32\ZoneLabs\lib moved successfully.
Folder move failed. C:\WINDOWS\system32\ZoneLabs scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\vsdatant.sys scheduled to be moved on reboot.
C:\WINDOWS\system32\drivers\symlcbrd.sys moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Alan\LOCALS~1\Temp\Perflib_Perfdata_cc.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_78c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02152009_180114

Files moved on Reboot...
Folder move failed. C:\WINDOWS\system32\ZoneLabs scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\vsdatant.sys scheduled to be moved on reboot.
File C:\DOCUME~1\Alan\LOCALS~1\Temp\Perflib_Perfdata_cc.dat not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_78c.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_7d0.dat moved successfully.


==============================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:38 PM, on 2/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
E:\processes\nwProcessExplorer\procexp.exe
E:\Program Files\pita210\Pitaschio.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\AVG\AVG8\avgcsrvx.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.c...ttp://www.yahoo.
com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program
Files\Clipomatic\Clipomatic.exe
O4 - Startup: procexp (2).lnk =
E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program
Files\pita210\Pitaschio.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm529YYUS
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} -
http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft
SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} -
http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros.../en/x86/client/
muweb_site.cab?1139291678343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
https://www-secure.s...rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - E:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ,
s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o.
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner -
C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner -
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
(file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 5132 bytes

#18
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello 911pchelp,

Looks like word wrap in Notepad is turned on. Please turn it off.

To do this, open Notepad, choose Format, then make sure Word Wrap is Un-checked. Word Wrap makes reading your log difficult and will prevent fixes using notepad from working.

After that please re-post that HijackThis log. :)

#19
911pchelp

    Member

  • Topic Starter
  • Member
  • 290 posts
suspect problem is that I saved the log using EditPad on my PC - put on flash drive - read it on daughter's laptop with Notepad

Better?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:38 PM, on 2/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
E:\processes\nwProcessExplorer\procexp.exe
E:\Program Files\pita210\Pitaschio.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\AVG\AVG8\avgcsrvx.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.c...ttp://www.yahoo.
com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program
Files\Clipomatic\Clipomatic.exe
O4 - Startup: procexp (2).lnk =
E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program
Files\pita210\Pitaschio.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm529YYUS
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} -
http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft
SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} -
http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros.../en/x86/client/
muweb_site.cab?1139291678343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
https://www-secure.s...rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - E:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ,
s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o.
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner -
C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner -
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
(file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 5132 bytes

#20
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Better?


Well not really but thank you for the attempt. We can have a good look at a HijackThis log down the track.

In the meantime, if you wouldn't mind, please save logs to Notepad. :)

That ZoneAlarm one is still there. We will try a different approach to get rid of it.

To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    @echo off
    sc stop vsmon
    sc delete vsmon
    exit

Save it to your desktop as File name: Service.cmd
Save as type: All Files

Once done, double click Service.cmd to run it. A command window will open briefly, then close. This is quite normal.

Now as I understand it you can't run an online scan as you don't have access to the internet from that machine.

So let's download something that can be saved and transferred to the infected computer.

It is a pretty big download at 28 MB but is very useful at detecting/cleaning rootkits or whatever it finds.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (removable) that you may have


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the Delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file, name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected Virus/malware in the report (it will be at the very top under Detected). Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


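Added example, not from the thread and not part of HijackThis, OTMoveIt or any other tool named here: a small Python helper for the two things this post is working around. It re-joins HijackThis entries that word wrap split over several lines (the problem raised in post #18) and then lists the entries whose backing file is gone, the O23 services marked "(file missing)" and the O2 BHOs marked "(no file)", together with the service short name that the `sc delete` step above takes. The sample log is constructed to have the same shape as the wrapped log posted earlier and is not a copy of any post; `ENTRY_RE`, `unwrap`, `find_orphans`, `triage` and `Finding` are names chosen for this example.

```python
"""Added example: triage of a HijackThis-style log (not a Geeks to Go or HJT tool).

Two things the thread runs into are handled here:
  * word-wrapped logs: an entry split over several lines is re-joined before
    it is parsed (Notepad wraps at spaces, so a space is restored; a token that
    was broken mid-word, such as a long URL, cannot be recovered this way);
  * orphaned entries: O23 services whose binary is "(file missing)" and O2 BHOs
    whose DLL is "(no file)" are reported, with the service short name that
    `sc delete <name>` expects.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT entry starts with a section code followed by " - ", e.g. "R0 - ",
# "O2 - ", "O23 - ". A non-empty line without that prefix is a wrapped
# continuation of the entry before it.
ENTRY_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")

# Markers HJT appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Constructed sample in the shape of the wrapped log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o.
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 5132 bytes
"""


@dataclass
class Finding:
    code: str                  # HJT section, "O2" or "O23"
    label: str                 # display name, e.g. "TrueVector Internet Monitor (vsmon)"
    path: Optional[str]        # path HJT recorded, None when it recorded "(no file)"
    marker: str                # which orphan marker was present
    short_name: Optional[str]  # service name for `sc`, only for O23 entries


def unwrap(text: str) -> List[str]:
    """Return one string per HJT entry, with wrapped continuation lines re-joined."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--"):          # "--" / "End of file" trailer
            break
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:                      # continuation of the previous entry
            entries[-1] = entries[-1] + " " + line
        # anything before the first entry (log header, process list) is ignored
    return entries


def service_short_name(label: str) -> Optional[str]:
    """'TrueVector Internet Monitor (vsmon)' -> 'vsmon' (the name `sc` takes)."""
    m = re.search(r"\(([^()]+)\)$", label)
    return m.group(1) if m else None


def find_orphans(entries: List[str]) -> List[Finding]:
    """Pick out entries whose backing file HJT could not find."""
    findings: List[Finding] = []
    for entry in entries:
        code, _, rest = entry.partition(" - ")
        marker = next((m for m in ORPHAN_MARKERS if rest.endswith(m)), None)
        if marker is None:
            continue
        parts = [p.strip() for p in rest.split(" - ")]
        label = parts[0].split(": ", 1)[-1]          # drop "Service: " / "BHO: "
        path = parts[-1][: -len(marker)].strip() or None
        short = service_short_name(label) if code == "O23" else None
        findings.append(Finding(code, label, path, marker, short))
    return findings


def triage(text: str) -> List[Finding]:
    """Unwrap, then report orphaned entries, in log order."""
    return find_orphans(unwrap(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        target = f.short_name or f.path or f.label
        print(f"{f.code:<4}{f.marker:<15}{target}")
```

Run against a saved log instead of the sample by reading the file into `triage`. The short name it prints for an orphaned O23 entry is the one the `sc stop` / `sc delete` lines in Service.cmd take, so the two can be checked against each other before the script is run.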

#21
911pchelp

    Member

  • Topic Starter
  • Member
  • 290 posts
Sorry taken so long ... am on a weird schedule besides (am handicapped and do better late at night).

The boot time was down to about 3 mins, but still browser/Internet connection problem - OE images seem OK

Here is the Kaspersky report:
Scan
----
Scanned: 659616
Detected: 11
Untreated: 0
Start time: 2/15/2009 11:21:16 PM
Duration: 12:50:51
Finish time: 2/16/2009 12:12:07 PM


Detected
--------
Status Object
------ ------
deleted: virus Email-Worm.Win32.Swen Email message attachment: genericem\Local Folders\MS Security\[From:"MS Corporation Internet Security Center" <[email protected]>][Subject:Message is infected : New Net Update][Time:2003/09/19 08:09:14]/Update45.exe
deleted: adware not-a-virus:AdWare.Win32.SaveNow.z File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0077.BIN//data0001.cab/VVSN.exe
deleted: adware not-a-virus:AdWare.Win32.SaveNow.z File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0078.BIN//data0001.cab
deleted: adware not-a-virus:AdWare.Win32.SaveNow.z File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0079.BIN//data0001.cab
deleted: adware not-a-virus:AdWare.Win32.SaveNow.z File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0080.BIN//data0001.cab/VVSN.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0081.BIN
deleted: adware not-a-virus:AdWare.Win32.WebHancer File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0082.BIN/WhAgent.exe
deleted: adware not-a-virus:AdWare.Win32.WebHancer File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0082.BIN/whInstaller.exe
deleted: adware not-a-virus:AdWare.Win32.WebHancer File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0082.BIN/WhSurvey.exe
deleted: adware not-a-virus:AdWare.Win32.WebHancer File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0082.BIN/Webhdll.dll
deleted: adware not-a-virus:AdWare.Win32.WebHancer File: H:\icons\lmping-buddyiconsfree.exe//WiseSFXDropper//WISE0082.BIN/whiehlpr.dll

Edited by 911pchelp, 16 February 2009 - 12:50 PM.


#22
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Sorry taken so long ... am on a weird schedule besides (am handicapped and do better late at night).


No problem. :)

Moving on now

You may have used Malwarebytes before. If you have, and still have it on your machine, please update and run. Post the scan report back here.

If you do not have Malwarebytes please download from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Please download random's system information tool (RSIT) by random/random from here.
  • It is important that it is saved to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)
So when you return please post
  • MBAM log
  • the two RSIT logs - log.txt and info.txt

Note: Unless otherwise instructed always post the logs in the forum. It is likely these reports will not fit on one post. It might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine. :)

#23
911pchelp

    Member

  • Topic Starter
  • Member
  • 290 posts
PROBLEM

Tried to run MalwareBytes' AntiMalware but got 2 messages:

vbAccelerastor SGrid ll Control
Run-time error'0'

MalwareBytes' AntiMalware
Run-time error '440'
Automation Error

Should I uninstall and re-install? Ran it previously OK.

Edited by 911pchelp, 16 February 2009 - 01:58 PM.


#24
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
I would guess it's a corrupt file somewhere. Whether it is your machine or something to do with Malwarebytes I don't know.

I think first thing is to try uninstalling then downloading the latest version and see whether that works.

#25
911pchelp

    Member

  • Topic Starter
  • Member
  • 290 posts
Had 'trouble' uninstalling MalwareBytes ... wasn't in Add/Remove list. Went ahead and installed latest anyway. Couldn't update because of the browser/Internet problem so went ahead and scanned. Then rebooted and reinstalled (hurriedly) - update worked because FF/Internet works for a few mins - then scanned again and nothing was found.

Sorry if the files are not formatted correctly. On my PC, have .txt files go to EditPad automatically - so that's how they were saved originally. (Opened them with notepad after - word wrap off - and saved them).

mbam:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

2/16/2009 4:07:38 PM
mbam-log-2009-02-16 (16-07-38).txt

Scan type: Quick Scan
Objects scanned: 66886
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-
7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f31a5d11-
bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted
successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
(Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Log:
Logfile of random's system information tool 1.05 (written by random/random)
Run by Alan at 2009-02-16 16:44:16
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 2 GB (25%) free of 10 GB
Total RAM: 1023 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:41 PM, on 2/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
E:\processes\nwProcessExplorer\procexp.exe
E:\Program Files\pita210\Pitaschio.exe
C:\Program Files\SpamPal\spampal.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alan\Desktop\RSIT.exe
H:\Program Files\HijackThis\Alan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.c....yahoo.com/ext/
search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file
missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9}
- C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program Files\Clipomatic\Clipomatic.exe
O4 - Startup: procexp (2).lnk = E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program
Files\pita210\Pitaschio.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm529YYUS
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} -
http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} -
http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros...client/muweb_si
te.cab?1139291678343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
https://www-secure.s...rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - E:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o.
- C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. -
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner -
C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems,
Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 5229 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GlaryInitialize.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-2052111302-725345543-10
04.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-08 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll
[2009-02-12 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-02-08 1601304]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-12
148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Clipomatic"=E:\Program Files\Clipomatic\Clipomatic.exe [1999-05-15 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^pitadll.dll]
[]

C:\Documents and Settings\Alan\Start Menu\Programs\Startup
procexp (2).lnk - E:\processes\nwProcessExplorer\procexp.exe
Shortcut to Pitaschio.exe.lnk - E:\Program Files\pita210\Pitaschio.exe
SpamPl.lnk - C:\Program Files\SpamPal\spampal.exe
Webshots.lnk - E:\Program Files\Webshots\Launcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-02-08 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\Program Files\Yahoo!\Messenger\YServer.exe"="E:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.js - edit - "E:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2009-02-16 16:44:16 ----D---- C:\rsit
2009-02-15 23:09:53 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-14 16:32:03 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-02-14 02:16:44 ----SHD---- C:\RECYCLER
2009-02-14 00:46:59 ----A---- C:\ComboFix.txt
2009-02-14 00:41:45 ----A---- C:\Boot.bak
2009-02-14 00:41:36 ----RASHD---- C:\cmdcons
2009-02-14 00:40:07 ----A---- C:\WINDOWS\zip.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\VFIND.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\SWSC.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\SWREG.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\sed.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\NIRCMD.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\grep.exe
2009-02-14 00:40:07 ----A---- C:\WINDOWS\fdsv.exe
2009-02-14 00:40:01 ----D---- C:\Qoobox
2009-02-12 21:58:05 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-12 21:58:05 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-12 21:58:05 ----A---- C:\WINDOWS\system32\java.exe
2009-01-27 18:38:22 ----A---- C:\WINDOWS\system32\avgrsstx.dll

======List of files/folders modified in the last 1 months======

2009-02-16 16:44:35 ----D---- C:\WINDOWS\Prefetch
2009-02-16 16:40:22 ----D---- C:\Program Files\Mozilla Firefox
2009-02-16 16:36:55 ----D---- C:\WINDOWS\Temp
2009-02-16 16:35:45 ----D---- C:\WINDOWS\system32\drivers
2009-02-16 16:34:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-16 13:14:35 ----D---- C:\WINDOWS
2009-02-15 23:15:59 ----HD---- C:\WINDOWS\inf
2009-02-15 23:12:18 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-15 18:01:17 ----D---- C:\WINDOWS\system32\ZoneLabs
2009-02-14 23:59:38 ----D---- C:\WINDOWS\Internet Logs
2009-02-14 23:42:26 ----D---- C:\WINDOWS\system32\Restore
2009-02-14 00:47:06 ----D---- C:\WINDOWS\system32
2009-02-14 00:44:16 ----A---- C:\WINDOWS\system.ini
2009-02-14 00:43:28 ----D---- C:\WINDOWS\AppPatch
2009-02-14 00:43:23 ----D---- C:\Program Files\Common Files
2009-02-14 00:41:45 ----RASH---- C:\boot.ini
2009-02-14 00:40:01 ----D---- C:\WINDOWS\ERDNT
2009-02-12 23:04:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 21:58:36 ----SHD---- C:\WINDOWS\Installer
2009-02-12 21:57:35 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-02-11 21:38:11 ----D---- C:\PRParser
2009-02-11 17:31:36 ----HD---- C:\$AVG8.VAULT$
2009-02-11 16:32:49 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-11 16:03:24 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-02-11 15:51:23 ----D---- C:\WINDOWS\system32\NtmsData
2009-02-09 22:48:25 ----D---- C:\WINDOWS\system32\LogFiles
2009-02-09 15:21:17 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-02-08 22:50:28 ----SD---- C:\Documents and Settings\Alan\Application Data\Microsoft
2009-02-08 22:50:12 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-02-08 18:57:35 ----D---- C:\WINDOWS\WinSxS
2009-02-07 17:28:36 ----D---- C:\WINDOWS\system32\config
2009-02-07 15:26:33 ----D---- C:\WINDOWS\system32\wbem
2009-02-07 15:26:32 ----D---- C:\WINDOWS\Registration
2009-02-07 15:09:04 ----SD---- C:\WINDOWS\Tasks
2009-02-06 19:12:41 ----A---- C:\WINDOWS\win.ini
2009-02-03 18:50:46 ----SHD---- C:\System Volume Information
2009-01-27 17:00:02 ----AC---- C:\WINDOWS\system32\wpa.bak
2009-01-21 14:24:15 ----RD---- C:\Program Files
2009-01-21 12:38:11 ----D---- C:\WINDOWS\network diagnostic
2009-01-17 23:13:28 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-01-17 23:13:28 ----D---- C:\WINDOWS\system32\CatRoot

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-02-08 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-02-08 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-02-08 107272]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-11-13 353680]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 Rcfilter;Rcfilter; C:\WINDOWS\System32\drivers\Rcfilter.sys [2004-09-30 32128]
R2 SBKUPNT;SBKUPNT; \??\C:\WINDOWS\system32\Drivers\SBKUPNT.SYS []
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 FETNDISB;Dynex DX-E101 PCI Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\dxe1015b.sys [2005-12-29 43008]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
S1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgArCln.sys []
S1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys []
S1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys []
S1 SASDIFSV;SASDIFSV; \??\E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL; \??\E:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 exdisk;Express Disk Service; C:\WINDOWS\system32\DRIVERS\exdisk.sys []
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\System32\Drivers\itchfltr.sys [2002-07-09 11008]
S3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys []
S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\System32\Drivers\L8042mou.sys []
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\system32\drivers\lccfltr.sys [2002-07-09 13724]
S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2007-04-11 34832]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.sys []
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2005-05-20 25600]
S3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\system32\drivers\LHidUsb.Sys [2002-07-09 40716]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2005-05-20 36480]
S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2007-04-11 36112]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\System32\Drivers\LMouKE.sys []
S3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2007-04-11 28688]
S3 mxInsMon;mxInsMon; \??\E:\PROGRA~1\ALADDI~1\SPRING~1\mxInsMon.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SASENUM;SASENUM; \??\E:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 Wdm1;USB Bridge Cable Driver; C:\WINDOWS\System32\Drivers\usbbc.sys [2001-01-07 15576]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-02-08 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-02-08 298264]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-12 152984]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2006-11-20 33280]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe []
S2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe []
S2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2004-08-04 8704]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

INFO:
info.txt logfile of random's system information tool 1.05 2009-02-16 16:44:45

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
ABF Magnifying Tools-->"E:\Program Files\ABF software\ABF Magnifying Tools\Uninstall.exe" "E:\Program Files\ABF software\ABF Magnifying Tools\install.log"
Add/Remove Pro-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\ADRMPRO2.INF, DefaultUninstall.ntx86
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apple Software Update-->MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ARP++-->MsiExec.exe /X{4BE4ABEF-18FE-457A-9B9A-3C4250220697}
AudibleManager-->E:\Program Files\Bin\Upgrade.exe /Uninstall
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BitMeter-->"E:\Program Files\Codebox\BitMeter\uninstall.exe"
Bulk Rename Utility 2, 5, 4, 3-->C:\DOCUME~1\ALLUSE~1\APPLIC~1\TARMAI~1\{991B1~1\Setup.exe /remove /q0
CCleaner (remove only)-->"E:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer-->MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Clipomatic-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\CLIPOMTC.INF, DefaultUninstall.ntx86
Compton's Interactive Bible NIV-->C:\WINDOWS\uninst.exe -f"H:\Program Files\Compton's Home Library\CIBNIV\DeIsL1.isu"
CompuApps SwissKnife V3-->C:\WINDOWS\ISUNINST.EXE -f"e:\program files\SWISNIFE\SKUninst.ISU" -c"e:\program files\SWISNIFE\SKUNINST.DLL"
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Creative MediaSource 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series (R2)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
CSS Tab Designer v2.0-->"E:\Program Files\CSS Tab Designer 2\unins000.exe"
EasyCleaner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9
EditPlus 2-->E:\Program Files\EditPlus 2\remove.exe
EPSON C88 User's Guide-->C:\Program Files\epson\guide\c88_e\uninstall.exe
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Eraser-->"H:\Program Files\Eraser\unins000.exe"
ERUNT 1.1j-->"E:\Program Files\ERUNT\unins000.exe"
e-Sword-->MsiExec.exe /I{4FD27B25-4128-4CDA-A322-F1C8F0D8FEC9}
FastStone Image Viewer 3.2-->E:\Program Files\Faststone Image Viewer\uninst.exe
Files Compare Tool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E69A76AA-71D9-4939-8EBB-8FC8BE22428D}\Setup.exe"
Foxit Reader-->E:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Free CSS Toolbox 1.0-->"E:\Program Files\Free CSS Toolbox\unins000.exe"
Free Mp3 Wma Converter V 1.6.1-->"E:\Program Files\Free Audio Pack\unins000.exe"
FUJIFILM USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
GdiplusUpgrade-->MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Hallmark Card Studio 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EEDF3E1-C0EA-409B-A772-164EF9AB3BCE}\setup.exe"
Hallmark Christian Card Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91029CA6-FAA2-40BB-829B-974D2DDD5298}\setup.exe"
Hidden Utilities XP-->MsiExec.exe /I{E4E3B247-9A66-45B0-A624-278A0606B896}
HijackThis 2.0.2-->"H:\Program Files\HijackThis\HijackThis.exe" /uninstall
IZArc 3.81-->"E:\Program Files\IZArc\unins000.exe"
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KhalInstallWrapper-->MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
K-Lite Mega Codec Pack 1.63-->"E:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech SetPoint-->C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Magnifier Powertoy for Windows XP-->MsiExec.exe /I{2FBF04DC-404C-4FA4-BA28-99903080D2B9}
Malwarebytes' Anti-Malware-->"E:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Bootvis-->MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft PowerPoint Viewer 97-->C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft Streets and Trips 2001-->MsiExec.exe /I{3D719053-5593-11D3-8F25-0060085C1758}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 2000 SR-1-->MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2001 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe I:\
Microsoft Works 6.0-->MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
Moffsoft FreeCalc-->"C:\Program Files\Moffsoft FreeCalc\unins000.exe"
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero - Burning Rom-->MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Norton AntiVirus SCSSDist MSI-->MsiExec.exe /I{541230A3-1D3A-4879-B7E0-E71F90E35548}
Opera 9.23-->MsiExec.exe /X{E9EEE4CB-CB2B-4273-9AF5-7E12022B444B}
Paint Shop Pro 7 Anniversary Edition-->MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Paint.NET v3.10-->MsiExec.exe /X{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}
Password Safe-->"E:\Program Files\Password Safe\Uninstall.exe"
PC-Linq-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{808FAA20-4C3A-11D4-8A57-00201853C903}\Setup.exe"
Personal RecordKeeper-->C:\WINDOWS\iun3401.exe C:\Program Files\Personal RecordKeeper 5
PrintFolder 1.2-->"E:\Program Files\PrintFolder\unins000.exe"
PRK Manual-->C:\WINDOWS\iun3401.exe c:\program files\Personal RecordKeeper 5
Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
RegScrubXP 3.25-->"E:\Program Files\RegScrubXP\unins000.exe"
Road Runner Medic 5.4-->"C:\WINDOWS\unins000.exe"
Safari-->MsiExec.exe /X{3E719879-9914-4C56-843E-96D0C3FCC3FB}
Sapi-->MsiExec.exe /X{EA9A2BDE-D702-4B64-9C03-588409F82F81}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Snood for Windows version 3.52-W-->"E:\Program Files\Snood\unins000.exe"
SpamPal-->"C:\Program Files\SpamPal\Uninstall.exe" "C:\Program Files\SpamPal\install.log"
SpeeDefrag 5.2-->"E:\Program Files\SpeeDefrag\unins000.exe"
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spring Cleaning 3.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{DB21E6A3-D0D0-44B0-AB3F-6F3C2C2FC07D}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Cleaner-->C:\WINDOWS\iun3405.exe e:\Program Files\The Cleaner
The Print Shop Business Card Creator-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BCCBE608-5C44-4507-AE11-55B36AE0E41B}\setup.exe" -l0x9 anything
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Ultimate Sudoku-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB8F7090-0594-4C31-B33F-4740E2A3F4C9}\Setup.exe" -l0x9
UltraExplorer 1.3.2-->"E:\Program Files\UltraExplorer\unins000.exe"
Uniblue Quick Access-->"E:\Program Files\ProcessLibrary\unins000.exe"
Uninstall Startup Inspector-->"C:\Program Files\Startup Inspector for Windows\unins000.exe"
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Webshots Desktop-->E:\PROGRA~1\WEBSHOTS\UNWISE.EXE E:\PROGRA~1\WEBSHOTS\INSTALL.LOG
Windows Driver Package - Hewlett-Packard Image (12/27/2006 8.0.0.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst32.exe /u C:\WINDOWS\system32\DRVSTORE\hpgt4850_8C48BFFEF3EE4C959122472287DAF892C799F7A0\hpgt4850.inf
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
WinRAR archiver-->E:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
xplorer² lite-->"E:\Program Files\zabkat\xplorer2_lite\Uninstall.exe"
Yahoo! Messenger-->E:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U E:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
ZENcast Organizer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove

=====HijackThis Backups=====

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.webshots.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free
FW: ZoneAlarm Firewall

System event log

Computer Name: SUNRISE-RAP
Event Code: 4201
Message: The system detected that network adapter \DEVICE\TCPIP_{F49BD778-4FA3-4DFC-ABB3-C7952D06E28E} was connected to the network,
and has initiated normal operation over the network adapter.

Record Number: 85787
Source Name: Tcpip
Time Written: 20090207185837.000000-300
Event Type: information
User:

Computer Name: SUNRISE-RAP
Event Code: 4202
Message: The system detected that network adapter \DEVICE\TCPIP_{F49BD778-4FA3-4DFC-ABB3-C7952D06E28E} was disconnected from the network,
and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

Record Number: 85786
Source Name: Tcpip
Time Written: 20090207182858.000000-300
Event Type: information
User:

Computer Name: SUNRISE-RAP
Event Code: 7035
Message: The TrueVector Internet Monitor service was successfully sent a start control.

Record Number: 85785
Source Name: Service Control Manager
Time Written: 20090207182005.000000-300
Event Type: information
User: SUNRISE-RAP\Alan

Computer Name: SUNRISE-RAP
Event Code: 7034
Message: The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).

Record Number: 85784
Source Name: Service Control Manager
Time Written: 20090207182002.000000-300
Event Type: error
User:

Computer Name: SUNRISE-RAP
Event Code: 26
Message: Application popup: dwwin.exe - Application Error : The application failed to initialize properly (0xc0000142). Click on OK to terminate the application.

Record Number: 85783
Source Name: Application Popup
Time Written: 20090207181937.000000-300
Event Type: information
User:

Application event log

Computer Name: SUNRISE-RAP
Event Code: 20
Message:
Record Number: 46284
Source Name: Google Update
Time Written: 20090123005113.000000-300
Event Type: error
User: SUNRISE-RAP\Alan

Computer Name: SUNRISE-RAP
Event Code: 20
Message:
Record Number: 46283
Source Name: Google Update
Time Written: 20090122235108.000000-300
Event Type: error
User: SUNRISE-RAP\Alan

Computer Name: SUNRISE-RAP
Event Code: 20
Message:
Record Number: 46282
Source Name: Google Update
Time Written: 20090122225634.000000-300
Event Type: error
User: SUNRISE-RAP\Alan

Computer Name: SUNRISE-RAP
Event Code: 20
Message:
Record Number: 46281
Source Name: Google Update
Time Written: 20090122220241.000000-300
Event Type: error
User: SUNRISE-RAP\Alan

Computer Name: SUNRISE-RAP
Event Code: 20
Message:
Record Number: 46280
Source Name: Google Update
Time Written: 20090122210327.000000-300
Event Type: error
User: SUNRISE-RAP\Alan

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;;"E:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8

-----------------EOF-----------------

#26
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Please read this post completely; it may make it easier if you copy and paste this post into a new text document or print it for reference later. This will especially help you when your computer is offline.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


#27 911pchelp (Member, Topic Starter, 290 posts)

Sorry for the delay !!

SDFix was run successfully (I think)

The RunThis.bat started but soon displayed the following:
SDFix
C:\PROGRA~1\Symantec\S32EVNT1.DLL. An installable
Virtual Device Driver failed DLL initialization. Choose 'Close'
to terminate the application

Close and Ignore buttons were the only options. Close was chosen but the appl only beeped ... so I chose Ignore and the appl continued.
The same thing happened when the appl was finishing (i.e. after reboot) and I chose Ignore again.

Here is the Report file:
SDFix: Version 1.240
Run by Alan on Mon 02/16/2009 at 11:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 23:36:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="E:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Tue 7 Jun 2005 2,045 ...H. --- "C:\WINDOWS\system32\whlprd32a.dll"
Fri 14 Jul 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 26 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 30 Jan 2007 147,456 ...H. --- "C:\Documents and Settings\Alan\Application Data\Microsoft\Templates\~WRL0442.tmp"
Sun 28 May 2006 65,024 ...H. --- "C:\Documents and Settings\Alan\Application Data\Microsoft\Templates\~WRL2528.tmp"
Mon 24 Sep 2007 165,232 A..H. --- "C:\Documents and Settings\Alan\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"

Finished!

#28 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Let's see if we can fix that "Virtual Device Driver failed DLL initialization" message.

Careful with these instructions because you will be editing your machine's registry.

1. Click Start->Run and type Regedit. Click OK
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
3. Delete the VDD value
4. Click Edit->New->Multi-String Value
5. Name the value VDD, press Enter

After that please post a new HijackThis log.

#29 911pchelp (Member, Topic Starter, 290 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:15 AM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
E:\processes\nwProcessExplorer\procexp.exe
E:\Program Files\pita210\Pitaschio.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
E:\Program Files\Password Safe\pwsafe.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program Files\Clipomatic\Clipomatic.exe
O4 - Startup: procexp (2).lnk = E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program Files\pita210\Pitaschio.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm529YYUS
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139291678343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...rl/SymAData.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 5175 bytes

#30 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Hello 911pchelp,

Firstly please turn off your security programs so that they won't interfere with the changes we want to make.

Now

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O8 - Extra context menu item: &Search - ?p=ZRxdm529YYUS
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter...ad/tgctlins.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

Close all windows other than HiJackThis, then click Fix Checked.

Close HiJackThis.

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Driver::
vsmon
gusvc
AVG Anti-Spyware Guard

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
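As an added example (not code from this thread or from HijackThis), here is a small Python triage script that applies the same reasoning the helper used in post #30 to the log from post #29: it flags entries whose referenced file is gone, empty Internet Explorer Local Page values, and a context-menu item whose target is not a URL or local file. The sample lines are copied from the log above; the heuristics and the `VALID_O8_TARGET` pattern are my assumptions, not HijackThis's own logic.

```python
import re

# Sample lines copied from the HijackThis log posted above (a constructed subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O8 - Extra context menu item: &Search - ?p=ZRxdm529YYUS
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# HijackThis tags entries whose referenced file is gone with one of these markers.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed heuristic: a legitimate O8 target is a URL, a res:// resource or a local path.
VALID_O8_TARGET = re.compile(r"(?i)^(https?://|res://|[a-z]:\\)")


def classify(line):
    """Return a short reason if an HJT line looks worth reviewing, else None."""
    line = line.strip()
    if " - " not in line:
        return None
    section = line.split(" - ", 1)[0]          # "R0", "O2", "O23", ...
    if any(marker in line for marker in ORPHAN_MARKERS):
        return "orphaned entry: referenced file no longer exists"
    if section in ("R0", "R1") and line.endswith("="):
        return "empty Internet Explorer page/search value"
    if section == "O8" and not VALID_O8_TARGET.match(line.rsplit(" - ", 1)[1]):
        return "context menu target is not a URL or local file"
    return None


def review(log_text):
    """Return [(line, reason)] for every flagged line, in log order."""
    hits = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, reason in review(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Flagged entries are candidates for a closer look, not automatic removals; the AVG and Java lines in the sample pass because their files are present and their targets are well formed.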