1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Active Explorer 8 Shuts itself down possible Security Problem?

Discussion in 'Malware and Virus Removal Archive' started by SueZee, 2009/11/18.

  1. 2009/11/18
    SueZee

    SueZee Inactive Thread Starter

    Joined:
    2009/11/16
    Messages:
    17
    Likes Received:
    0
    [Active] Explorer 8 Shuts itself down possible Security Problem?

    I was posting in Windows BBS in regards to a problem with my outlook program. In that discussion I mentioned that my Explorer 8 would shut its self down from time to time because of some security error, but I am not able to remember exactly what it said and it hasn't done in the past couple of day. However, Arie suggested I run a diagnostic and then post the error message in this forum so this is it! I sure hope someone can help. Next time Explorer 8 does this, I will be sure to write down what it says. I am using Windows 7 Home Premium. Just upgraded from Vista last week. However, Explorer was shutting itself down before I upgraded operating systems. I downloaded Explorer 8 a few months before I upgraded to Windows 7. Also, before I ran the following DDS file, it said to turn off scripting files, but I don't understand what that means. Hope this is what is needed. I also can't see how to attach a file, so I have just cut and pasted it here. Again Thank you for any help!
    Susan

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by SueZee at 22:46:40.62 on Wed 11/18/2009
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3007.1738 [GMT -6:00]

    AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PSIService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\GetSmile\getsmile.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    c:\program files\windows defender\MpCmdRun.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\SueZee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HT30EDEE\dds[1].scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Bar = Preserve
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.ca/
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\videod~1\ARCURL~1.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [GetSmile] c:\program files\getsmile\getsmile.exe
    mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.geni.com/ImageUploader_5_5.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2009-8-31 682840]
    R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]
    R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 nvrd32;nvrd32;c:\windows\system32\drivers\nvrd32.sys [2007-10-26 131616]

    =============== Created Last 30 ================

    2009-11-16 23:45:53 0 d-----w- c:\program files\HowTo-Outlook
    2009-11-14 22:07:13 0 d-----w- c:\users\suezee\Tracing
    2009-11-14 21:50:17 0 d-----w- c:\program files\Microsoft
    2009-11-14 21:49:55 0 d-----w- c:\program files\Windows Live SkyDrive
    2009-11-14 21:43:56 0 d-----w- c:\program files\common files\Windows Live
    2009-11-14 06:02:49 0 d-----w- C:\Panasonic Camera Software
    2009-11-12 23:49:13 0 d-----w- c:\users\suezee\appdata\roaming\Avery
    2009-11-11 02:07:39 257024 ----a-w- c:\windows\system32\msv1_0.dll
    2009-11-10 09:05:07 34816 ----a-w- c:\windows\system32\msasn1.dll
    2009-11-10 09:05:03 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-11-10 09:05:03 71168 ----a-w- c:\windows\system32\fontsub.dll
    2009-11-10 09:05:03 507568 ----a-w- c:\windows\system32\winload.exe
    2009-11-10 09:05:03 442920 ----a-w- c:\windows\system32\winresume.exe
    2009-11-10 09:05:03 293888 ----a-w- c:\windows\system32\atmfd.dll
    2009-11-10 09:05:03 2613248 ----a-w- c:\windows\explorer.exe
    2009-11-10 09:05:03 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
    2009-11-10 09:05:03 108544 ----a-w- c:\windows\system32\t2embed.dll
    2009-11-10 09:05:02 12625408 ----a-w- c:\windows\system32\wmploc.DLL
    2009-11-10 04:27:18 0 d-----w- c:\windows\Panther
    2009-11-10 04:14:06 0 d--h--w- C:\$WINDOWS.~Q
    2009-11-10 04:08:31 0 d--h--w- C:\$INPLACE.~TR
    2009-11-10 03:54:37 20 --sh--w- c:\users\suezee\ntuser.ini
    2009-11-10 03:54:32 0 d-sh--w- C:\Recovery
    2009-11-10 03:25:43 717892 ----a-w- c:\windows\system32\PerfStringBackup.INI
    2009-11-10 03:22:50 0 d-----w- c:\windows\system32\wbem\Performance
    2009-11-10 03:02:10 21316 ----a-w- c:\windows\system32\emptyregdb.dat
    2009-11-10 02:33:41 0 d-----w- c:\programdata\HP
    2009-11-10 02:32:03 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2009-11-10 02:32:03 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2009-11-10 02:31:17 0 d-----w- c:\windows\system32\RTCOM
    2009-11-10 02:30:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    2009-11-10 01:03:20 1890 ----a-w- c:\windows\diagwrn.xml
    2009-11-10 01:03:20 1890 ----a-w- c:\windows\diagerr.xml
    2009-11-09 15:18:52 0 d-----w- c:\users\suezee\Email Contacts vcard Nov 2009

    ==================== Find3M ====================

    2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 22:47:11.33 ===============
     
    SueZee,
    #1
  2. 2009/11/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Second part of DDS log is missing.
     
    broni,
    #2


  3. to hide this advert.

  4. 2009/11/19
    SueZee

    SueZee Inactive Thread Starter

    Joined:
    2009/11/16
    Messages:
    17
    Likes Received:
    0
    I'm sorry, I didn't post that part because it says at the top not too, but this is the second part now. My appologies...but I don't know how to attach a file on this message either, so I'm hoping I don't get into trouble for doing it this way....


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/9/2009 9:54:33 PM
    System Uptime: 11/18/2009 6:56:09 PM (4 hours ago)

    Motherboard: ASUSTek Computer INC. | | NODUSM3
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket AM2 | 2000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 177 GiB total, 85.967 GiB free.
    D: is FIXED (FAT32) - 9 GiB total, 0.572 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 11/9/2009 9:37:01 PM - Windows Update
    RP2: 11/10/2009 8:00:36 PM - Windows Update
    RP3: 11/12/2009 5:22:46 PM - Windows Update
    RP4: 11/12/2009 5:48:49 PM - Installed Avery Wizard 3.1.
    RP6: 11/13/2009 11:46:09 PM - Removed VideoCam Suite 2
    RP8: 11/14/2009 9:08:18 AM - Installed VideoCam Suite 2
    RP10: 11/14/2009 9:12:20 AM - Configured VideoCam Suite 2
    RP12: 11/14/2009 9:27:36 AM - Removed VideoCam Suite 2
    RP14: 11/14/2009 9:36:06 AM - Installed VideoCam Suite 2
    RP16: 11/14/2009 9:38:10 AM - Configured VideoCam Suite 2
    RP17: 11/14/2009 3:51:49 PM - Installed Windows Live
    RP19: 11/14/2009 3:52:13 PM - Installed DirectX
    RP20: 11/14/2009 3:53:51 PM - Installed Windows Live
    RP22: 11/16/2009 6:53:26 AM - Removed VideoCam Suite 2
    RP23: 11/16/2009 11:25:47 AM - Windows Update
    RP24: 11/16/2009 3:27:21 PM - Removed Windows 7 Upgrade Advisor
    RP25: 11/16/2009 5:45:35 PM - Installed OutlookTools 2

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1.3
    Adobe Shockwave Player 11.5
    AIO_Scan
    Apple Application Support
    Apple Software Update
    ArcSoft MediaImpression
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Brochures & Flyers
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Funhouse II
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Photo Prints
    ArcSoft Print Creations - Poster Creator
    ArcSoft Print Creations - Quick Photo Book
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    ArcSoft RAW Thumbnail Viewer
    ArcSoft Video Downloader
    Avanquest update
    Avery Wizard 3.1
    BufferChm
    C5200
    c5200_Help
    Cabos
    Cards_Calendar_OrderGift_DoMorePlugout
    Copy
    Corel MediaOne
    Destination Component
    DeviceDiscovery
    DHTML Editing Component
    DocProc
    Enhanced Multimedia Keyboard Solution
    F-PROT Antivirus for Windows
    Fax
    GetSmile v1.952
    GPBaseService
    HP Customer Participation Program 10.0
    HP Driver Diagnostics
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart Essential
    HP Photosmart Essential 2.5
    HP Photosmart Essential 3.0
    HP Picasso Media Center Add-In
    HP Product Detection
    HP Smart Web Printing
    HP Solution Center 10.0
    HP Update
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    HPSSupply
    IrfanView (remove only)
    Java(TM) 6 Update 13
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    MarketResearch
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Motorola Driver Installation 3.7.0
    Motorola Phone Tools
    Motorola Software Update
    Move Networks Media Player for Internet Explorer
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    NVIDIA Drivers
    OCR Software by I.R.I.S. 10.0
    OcxSetup
    OutlookTools 2
    PanoStandAlone
    PhotoFiltre
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    PSSWCORE
    QuickTime
    Realtek High Definition Audio Driver
    Rocket Piano Bonus Software
    Roxio Express Labeler 3
    Scan
    Scrapbook MAX!
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Shop for HP Supplies
    SmartWebPrintingOC
    Soft Data Fax Modem with SmartCP
    SolutionCenter
    Spelling Dictionaries Support For Adobe Reader 9
    Status
    Toolbox
    TrayApp
    Uniblue RegistryBooster 2009
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb975960)
    VideoToolkit01
    WebReg
    Winamp
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Xvid 1.1.3 final uninstall

    ==== Event Viewer Messages From Past Week ========

    11/18/2009 6:58:20 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    11/16/2009 11:31:33 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user SUEZEEPUTER\SueZee SID (S-1-5-21-3740838641-1851095210-3320176553-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    ==== End Of File ===========================
     
    SueZee,
    #3
  5. 2009/11/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You did just fine :)

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes ". If not, update the definitions before scanning by selecting "Check for Updates ". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    ******************************************************************************************
    Due to a bug in Malwarebytes, you may see in MBAM's log following entries:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit)
    DO NOT remove those entries!
    If you do, your computer will become UN-bootable.
    The issue has been fixed in the latest MBAM update, so, it's EXTREMELY important, you update MBAM before you run it.
    ****************************************************************************************

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #4
  6. 2009/11/21
    SueZee

    SueZee Inactive Thread Starter

    Joined:
    2009/11/16
    Messages:
    17
    Likes Received:
    0
    Wow, when you give a girl a job, you don't fool around. I followed all instructions and only had one problem. In Step 3, you said to download Gmer, I did and it looked like it was scanning and then I got this error message... "Download[1].exe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available. So, not sure what to do about that?

    Here are the logs from the other scans as you requested.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/20/2009 at 00:09 AM

    Application Version : 4.30.1004

    Core Rules Database Version : 4295
    Trace Rules Database Version: 2166

    Scan type : Complete Scan
    Total Scan Time : 01:12:00

    Memory items scanned : 345
    Memory threats detected : 0
    Registry items scanned : 8099
    Registry threats detected : 0
    File items scanned : 128287
    File threats detected : 0

    Malwarebytes' Anti-Malware 1.41
    Database version: 3205
    Windows 6.1.7600

    11/21/2009 12:18:32 AM
    mbam-log-2009-11-21 (00-18-21).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 235834
    Time elapsed: 1 hour(s), 13 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\SueZee\AppData\Roaming\ErrorKiller (Rogue.ErrorKiller) -> No action taken.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Log (Rogue.ErrorKiller) -> No action taken.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Registry Backups (Rogue.ErrorKiller) -> No action taken.

    Files Infected:
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP292\A0036035.dll (Rogue.SpyCleaner) -> No action taken.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Log\2008 Feb 13 - 03_30_00 AM_824.log (Rogue.ErrorKiller) -> No action taken.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Registry Backups\2008-02-07_15-27-37.reg (Rogue.ErrorKiller) -> No action taken.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Registry Backups\2008-02-13_19-15-17.reg (Rogue.ErrorKiller) -> No action taken.
    C:\Windows\Tasks\ErrorKiller Scheduled Scan.job (Rogue.ErrorKiller) -> No action taken.
    Malwarebytes' Anti-Malware 1.41
    Database version: 3205
    Windows 6.1.7600

    11/21/2009 12:18:37 AM
    mbam-log-2009-11-21 (00-18-37).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 235834
    Time elapsed: 1 hour(s), 13 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\SueZee\AppData\Roaming\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Registry Backups (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

    Files Infected:
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP292\A0036035.dll (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Log\2008 Feb 13 - 03_30_00 AM_824.log (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Registry Backups\2008-02-07_15-27-37.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
    C:\Users\SueZee\AppData\Roaming\ErrorKiller\Registry Backups\2008-02-13_19-15-17.reg (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\ErrorKiller Scheduled Scan.job (Rogue.ErrorKiller) -> Quarantined and deleted successfully.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:49:01 AM, on 11/21/2009
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\VIDEOD~1\ARCURL~1.DLL
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O13 - Gopher Prefix:
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.geni.com/ImageUploader_5_5.cab
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 6271 bytes
     
    SueZee,
    #5
  7. 2009/11/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hahahaha....

    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      • Double click on combofix.exe & follow the prompts.
      • When finished, it will produce a report for you.
      • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
      **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

      Make sure, you re-enable your security programs, when you're done with Combofix.

      DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #6

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...