
Solved Rogue.installer, Adware.popcap

Discussion in 'Malware and Virus Removal Archive' started by cda25, 2009/11/03.

  1. 2009/11/03
    cda25

    cda25 Inactive Thread Starter

    Joined:
    2009/11/01
    Messages:
    13
    Likes Received:
    0
    [Resolved] Rogue.installer, Adware.popcap

    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Bonnie at 23:13:52.36 on Mon 11/02/2009
    Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_16
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1966 [GMT -5:00]

    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k yksvcs
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\LAlarm\LAlarmService.exe
    C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
    C:\Windows\system32\rpcnet.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\LAlarm\LAlarmSub.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Mediafour\XPlay 3\XPlay.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Common Files\AOL\1243376702\ee\aolsoftware.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Fingerprint Reader Suite\psqltray.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrospect.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Users\Bonnie\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ask.com?o=13739&l=dir
    uSearch Bar = Preserve
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Mediafour XPlay Explorer notifications: {4907c0ad-874d-44d9-b13e-7b0a4d8b9d3e} - c:\program files\mediafour\xplay 3\XPBHO.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [SansaDispatch] c:\users\bonnie\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
    uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    uRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiafa.exe /fu "c:\windows\temp\E_S561F.tmp" /EF "HKCU "
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [LAlarmSubProgram] c:\program files\lalarm\LAlarmSub.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [TheLaptopLock] c:\program files\the laptoplock\LaptopLock.exe /startup
    mRun: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "c:\program files\mediafour\xplay 3\XPlay.exe "
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.5\RetroExpress.exe /h
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [HostManager] c:\program files\common files\aol\1243376702\ee\AOLSoftware.exe
    mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking10\Ereg.ini
    mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    uPolicies-explorer: NoThumbnailCache = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: DisableCAD = 1 (0x1)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    Trusted Zone: netlibrary.com\www
    Trusted Zone: real.com\rhap-app-4-0
    Trusted Zone: real.com\rhapreg
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    LSA: Notification Packages = scecli psqlpwd

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\bonnie\appdata\roaming\mozilla\firefox\profiles\tv9nvaeb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\bonnie\appdata\roaming\mozilla\firefox\profiles\tv9nvaeb.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\users\bonnie\appdata\roaming\mozilla\firefox\profiles\tv9nvaeb.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2009-4-30 284416]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-2 28552]
    R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2009-8-25 136744]
    R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2009-6-25 100728]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-10-10 235648]
    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-3-23 7424]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

    =============== Created Last 30 ================

    2009-11-02 22:32:32 397623805 ----a-w- c:\windows\MEMORY.DMP
    2009-11-02 20:11:38 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-11-02 20:07:08 0 d-----w- c:\program files\Panda Security
    2009-11-02 17:27:57 0 d-----w- c:\users\bonnie\appdata\roaming\Malwarebytes
    2009-11-02 17:27:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-02 17:27:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-02 17:27:51 0 d-----w- c:\programdata\Malwarebytes
    2009-11-02 17:27:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-30 17:36:41 0 d-----w- c:\program files\Marvell
    2009-10-30 10:33:11 10249 ----a-w- c:\windows\system32\Config.MPF
    2009-10-30 10:31:34 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-10-30 10:31:34 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-10-30 10:31:34 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-10-30 10:31:33 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-10-30 10:31:14 0 d-----w- c:\program files\common files\McAfee
    2009-10-30 10:31:14 0 d-----w- C:\mcafee_mcpr
    2009-10-30 10:31:13 0 d-----w- c:\program files\McAfee.com
    2009-10-30 10:31:11 0 d-----w- c:\program files\McAfee
    2009-10-30 10:22:05 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-10-29 13:02:14 0 d-sh--w- C:\found.001
    2009-10-28 21:13:23 0 d-sh--w- C:\found.000
    2009-10-27 14:59:08 0 d-----w- C:\b85bf47ce69ba1949e
    2009-10-18 09:52:39 3601 ----a-w- c:\users\bonnie\Husband9781415947753.odm
    2009-10-16 10:22:10 332883009 ----a-w- c:\users\bonnie\The_Prince_of_Tides_Uabr.wma
    2009-10-16 09:51:33 0 d-----w- c:\program files\Microsoft
    2009-10-16 09:51:17 0 d-----w- c:\program files\Windows Live SkyDrive
    2009-10-16 09:50:59 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2009-10-16 09:50:48 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2009-10-16 09:10:15 465778 ----a-w- c:\users\bonnie\gp.xpi
    2009-10-16 08:42:02 218624 ----a-w- c:\windows\system32\msv1_0.dll
    2009-10-16 08:41:59 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-10-16 08:41:58 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-10-16 08:41:17 60928 ----a-w- c:\windows\system32\msasn1.dll
    2009-10-16 08:41:16 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2009-10-16 08:41:14 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2009-10-14 13:03:02 3550592 ----a-w- c:\users\bonnie\procexp.exe
    2009-10-12 16:51:48 0 d-----w- c:\program files\LAlarm
    2009-10-12 16:51:11 945323 ----a-w- c:\users\bonnie\LAlarm34.exe
    2009-10-12 16:39:20 0 ----a-w- c:\windows\system32\null
    2009-10-11 15:21:50 0 d-----w- c:\windows\New Folder
    2009-10-11 11:50:45 0 d-----w- c:\program files\Retrospect
    2009-10-11 11:27:26 0 d-----w- c:\windows\pss
    2009-10-09 16:18:35 0 d-----w- c:\program files\MozyHome
    2009-10-09 16:18:22 0 d-----w- c:\programdata\RetroExp
    2009-10-09 13:32:03 0 d-----w- c:\programdata\WindowsSearch
    2009-10-07 22:45:43 670477 ----a-w- C:\Drive_C.xml
    2009-10-07 22:45:43 512 ----a-w- C:\Drive_C.dat
    2009-10-07 22:23:55 0 d-----w- c:\program files\Runtime Software
    2009-10-07 20:21:03 0 d-----w- c:\program files\common files\Software Update Utility
    2009-10-07 20:20:29 0 d-----w- c:\programdata\AIM
    2009-10-07 11:06:07 0 d-----w- c:\program files\Ask.com
    2009-10-07 01:57:18 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2009-10-07 01:57:01 87552 ----a-w- c:\windows\system32\wudriver.dll
    2009-10-07 01:56:55 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2009-10-07 01:56:54 33792 ----a-w- c:\windows\system32\wuapp.exe
    2009-10-06 09:10:13 0 d-----w- c:\program files\JRE
    2009-10-04 11:51:27 0 d-----w- c:\program files\Zone Labs
    2009-10-04 11:50:42 293528 ----a-w- c:\windows\system32\drivers\vsdatant.sys
    2009-10-04 11:49:45 0 d-----w- c:\programdata\CheckPoint
    2009-10-04 11:49:39 0 d-----w- c:\windows\Internet Logs

    ==================== Find3M ====================

    2009-11-03 04:08:59 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2009-11-03 04:08:59 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2009-11-03 04:08:46 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2009-10-30 18:34:19 27934 ----a-w- c:\programdata\nvModes.dat
    2009-10-30 17:59:06 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-10-30 17:59:06 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-10-30 17:59:02 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-10-01 14:29:14 195440 ----a-w- c:\windows\system32\MpSigStub.exe
    2009-09-23 10:27:57 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-09-11 15:43:14 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-09-11 15:34:26 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2009-09-09 23:34:08 49152 ----a-w- c:\windows\system32\instw32.exe
    2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
    2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
    2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
    2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
    2009-03-26 23:55:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-03-25 00:21:33 76 --sh--r- c:\windows\CT4CET.bin
    2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 23:17:48.16 ===============

    DDS (Ver_09-10-26.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/24/2009 12:47:10 AM
    System Uptime: 11/3/2009 12:08:26 AM (-1 hours ago)

    Motherboard: Dell Inc. | | 0D500F
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 230 GiB total, 165.259 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP334: 10/15/2009 5:11:41 AM - Windows Update
    RP335: 10/16/2009 4:48:09 AM - Windows Update
    RP336: 10/16/2009 5:06:11 AM - Windows Update
    RP337: 10/16/2009 5:22:57 AM - Windows Update
    RP338: 10/16/2009 5:25:49 AM - Installed Adobe Reader 9.2.
    RP339: 10/16/2009 5:42:17 AM - Windows Update
    RP340: 10/17/2009 6:24:14 AM - Windows Update
    RP341: 10/19/2009 7:34:04 AM - Windows Update
    RP342: 10/20/2009 8:01:50 AM - Windows Update
    RP343: 10/20/2009 10:46:48 AM - Windows Update
    RP344: 10/21/2009 8:42:32 AM - Windows Update
    RP345: 10/22/2009 10:28:10 AM - Windows Update
    RP346: 10/23/2009 9:35:48 AM - Windows Update
    RP347: 10/24/2009 10:09:55 AM - Windows Update
    RP348: 10/25/2009 9:34:37 AM - Windows Update
    RP349: 10/26/2009 10:32:35 AM - Windows Update
    RP350: 10/27/2009 10:58:36 AM - Windows Update
    RP351: 10/28/2009 6:03:54 PM - Windows Update
    RP354: 10/29/2009 12:12:30 PM - Windows Update
    RP355: 10/30/2009 1:30:02 PM - Removed Marvell Miniport Driver
    RP356: 10/30/2009 1:37:03 PM - Device Driver Package Install: Marvell Network adapters
    RP357: 10/30/2009 1:52:04 PM - Device Driver Package Install: Intel System devices
    RP358: 10/30/2009 1:58:54 PM - Device Driver Package Install: Intel System devices

    ==== Installed Programs ======================

    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Advanced Audio FX Engine
    Advanced Video FX Engine
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Software Update
    ArcSoft MediaConverter 2.5
    Ask Toolbar
    CCleaner (remove only)
    CDDRV_Installer
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Coupon Printer for Windows
    Cypherix LE
    Dell Driver Download Manager
    Dell Resource CD
    Dell Support Center (Support Software)
    Dell Touchpad
    Dell Webcam Center
    Dell Webcam Manager
    Dell Wireless WLAN Card
    Download Updater (AOL LLC)
    Dragon NaturallySpeaking 10
    Driver Detective
    EPSON Printer Software
    EPSON Scan
    Family Tree Maker 2008
    Fingerprint Reader Suite 5.6
    Garmin Communicator Plugin
    Garmin USB Drivers
    Google Earth
    Google Update Helper
    Google Updater
    GoToAssist 8.0.0.514
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Imikimi Plugin
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 16
    KhalInstallWrapper
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    ManyCam 2.4 (remove only)
    Marvell Miniport Driver
    McAfee SecurityCenter
    MedalFolders 2.0.0.500
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft IntelliPoint 6.3
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft WSE 3.0
    Mozilla Firefox (3.5.4)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Drivers
    OpenOffice.org 3.1
    OverDrive Media Console
    Panda ActiveScan 2.0
    QuickBooks Product Listing Service
    QuickBooks Simple Start Edition
    Quicken 2007
    QuickSet
    QuickTime
    RapidTyping
    RegistryFix v8.0
    Retrospect Express HD 2.5
    Rhapsody
    Rhapsody Player Engine
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.06
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    SA52xx Device Manager
    Sansa Updater
    Secunia PSI
    SigmaTel Audio
    SupportSoft Assisted Service
    The LaptopLock 0.94
    TouchChip USB Driver 2.16
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC 9.0 Runtime
    Viewpoint Media Player
    Visual C++ Runtime for Dragon NaturallySpeaking
    Weather Watcher Live
    WIDCOMM Bluetooth Software 6.0.1.3100
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    WinRAR archiver
    XPlay 3

    ==== End Of File ===========================
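As an added example (not part of this thread, not DDS's own code, and not something the moderator asked for), here is a small Python parser for the "Pseudo HJT Report" lines in the DDS log above. It turns the BHO/TB, uRun/mRun, DPF, Notify and start-page lines into records, recovers the module each load point actually executes (unwrapping rundll32 and quoted paths), and lists the entries a responder would read first: load points that resolve into a user profile, where a file can be dropped without admin rights. The line shapes are taken from the report above; the sample input is constructed from a few of its lines, the `hxxp` defanging is left as DDS writes it, and all function and pattern names are my own.

```python
"""Parse DDS 'Pseudo HJT Report' lines into records and rank them for review.

Added example, not DDS's own code. Line formats are taken from the DDS
report in this thread; helper names (Entry, parse_report, module_path,
review_hints) are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the DDS report above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.ask.com?o=13739&l=dir
uSearch Bar = Preserve
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [SansaDispatch] c:\users\bonnie\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: psfus - c:\windows\system32\psqlpwd.dll
"""


@dataclass
class Entry:
    kind: str             # "BHO", "TB", "uRun", "mRun", "DPF", "Notify", "uStart Page", ...
    name: str             # display name or Run value name; "" when the line has none
    clsid: Optional[str]  # {GUID} for BHO/TB/DPF lines, else None
    target: str           # file path, command line or (defanged) URL


CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# One pattern per line shape seen in the report; u = current user hive, m = machine hive.
PATTERNS = [
    re.compile(r"^(?P<kind>[um](?:Start Page|Search Bar|Default_Page_URL)) = (?P<target>.*)$"),
    re.compile(r"^(?P<kind>BHO|TB): (?P<name>.*?): (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    re.compile(r"^(?P<kind>DPF): (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>Notify): (?P<name>\S+) - (?P<target>.*)$"),
]

# "rundll32 <dll>,<entry>" wrapper, with or without a full path and quotes.
RUNDLL = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+', re.I)
# First module-like path in a command line; stops at whitespace, comma or quote.
EXT = re.compile(r'^(?P<path>.+?\.(?:exe|dll|scr|cpl|com|bat))(?=[\s,"]|$)', re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)


def parse_report(text: str) -> List[Entry]:
    """Turn report lines into Entry records; lines of unknown shape are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                d = m.groupdict()
                entries.append(Entry(d["kind"], d.get("name") or "", d.get("clsid"), d["target"].strip()))
                break
    return entries


def module_path(target: str) -> str:
    """Return the file a load point actually executes: strip a rundll32
    wrapper, surrounding quotes and trailing arguments."""
    t = RUNDLL.sub("", target, count=1).lstrip('"').strip()
    m = EXT.match(t)
    return m.group("path").strip() if m else t.split('"')[0].strip()


def review_hints(entries: List[Entry]):
    """(entry, reason) pairs to read first: load points that resolve into a
    user profile, where no admin rights are needed to drop a file. Legitimate
    software does this too (the Sansa updater above), so this is a triage
    order, not a verdict."""
    hints = []
    for e in entries:
        if e.kind in ("uRun", "mRun", "BHO", "TB", "Notify") and USER_PROFILE.match(module_path(e.target)):
            hints.append((e, "loads from user profile"))
    return hints


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for e in parsed:
        print(f"{e.kind:12} {e.name:20} {e.clsid or '':40} {module_path(e.target)}")
    for e, why in review_hints(parsed):
        print(f"REVIEW: {e.kind} [{e.name}] {why}")
```

The parser deliberately keeps the entries DDS writes without interpretation; the only ranking it applies is the load location, which is what an analyst reads off such a log first before looking at CLSIDs and signatures.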
     
  2. 2009/11/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Superantispyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2009/11/04
    cda25

    cda25 Inactive Thread Starter

    Joined:
    2009/11/01
    Messages:
    13
    Likes Received:
    0
    2 of 4 scans run

    Below are results for the SuperAnti Virus scan and the Malwarebytes scan.

    I was totally unsuccessful in getting the GMER file to run. I attempted to run it as stated, then renamed it several times, tried to run in safe mode, and tried with all start ups removed by way of msconfig. I also tried the GMER file through majorgeeks as above to no avail. The third link gave me a notice of 404 page not found. The results of the above attempts were abrupt shut downs with black screens, blue screen shut downs, and even notices that the renamed GMER file was corrupt. Please inform.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/03/2009 at 11:26 PM

    Application Version : 4.29.1004

    Core Rules Database Version : 4227
    Trace Rules Database Version: 2127

    Scan type : Complete Scan
    Total Scan Time : 01:19:29

    Memory items scanned : 323
    Memory threats detected : 0
    Registry items scanned : 7528
    Registry threats detected : 0
    File items scanned : 146703
    File threats detected : 0


    Malwarebytes' Anti-Malware 1.41
    Database version: 3098
    Windows 6.0.6002 Service Pack 2

    11/4/2009 9:35:52 AM
    mbam-log-2009-11-04 (09-35-52).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 239329
    Time elapsed: 1 hour(s), 17 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  5. 2009/11/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Skip GMER for now.
     
  6. 2009/11/04
    cda25

    cda25 Inactive Thread Starter

    Joined:
    2009/11/01
    Messages:
    13
    Likes Received:
    0
    Logfile of Trend Micro HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:37 PM, on 11/4/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\wuauclt.exe
    C:\PROGRA~1\HUGHES~3\HDM.exe
    C:\Windows\system32\wermgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Mediafour XPlay Explorer notifications - {4907C0AD-874D-44D9-B13E-7B0A4D8B9D3E} - C:\Program Files\Mediafour\XPlay 3\XPBHO.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: HDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\HughesNet Download Manager\iefdm2.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download all with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dllink.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O15 - Trusted Zone: www.netlibrary.com
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: GoToAssist - C:\Windows\
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1c9c5d01e9960f5) (gupdate1c9c5d01e9960f5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: LAlarm Service (LAlarmService) - LAlarm Systems - C:\Program Files\LAlarm\LAlarmService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\rthlpsvc.exe
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

    --
    End of file - 7829 bytes
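    As an added example, not part of this thread and not HijackThis's own code: a small Python parser for the HijackThis v2.0.2 log format posted above. It splits the log into its section-coded entries (R0/R1, O2, O3, O15, O20, O23 and so on), pulls out CLSIDs and file paths, pairs entries that register the same CLSID in more than one section (the Ask Toolbar BHO and toolbar in the log above), and returns heuristic review prompts for the kinds of lines an analyst reads first: a Trusted Zone host (O15), a Winlogon Notify entry whose DLL path does not resolve (the GoToAssist line above ends in a bare directory), a service with no publisher string (O23 "Unknown owner"), and a browser start page pointing somewhere other than a Microsoft default. The sample log is a constructed subset of the posted lines so the script runs offline; the triage rules are my assumptions and flag things to look at, not things to fix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample in HijackThis v2.0.2 format: a subset of the lines from the
# log posted above, embedded here so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:37 PM, on 11/4/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O15 - Trusted Zone: www.netlibrary.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Windows\
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# One entry looks like "O2 - BHO: <name> - {CLSID} - <path>"; the prefix is the
# HijackThis section code (R0/R1 browser settings, O2 BHOs, O23 services, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str
    body: str

    @property
    def clsid(self) -> Optional[str]:
        m = GUID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def path(self) -> Optional[str]:
        # For load-point entries HijackThis prints the file path last, after " - ".
        if self.code in ("O2", "O3", "O20", "O23"):
            return self.body.rsplit(" - ", 1)[-1].strip()
        return None


def parse_log(text: str) -> List[Entry]:
    """Return the R/F/O entries of a HijackThis log, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Number of entries per section code."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def shared_clsids(entries: List[Entry]) -> Dict[str, List[str]]:
    """CLSIDs registered in more than one section (e.g. one DLL as both BHO and toolbar)."""
    seen: Dict[str, set] = {}
    for e in entries:
        if e.clsid:
            seen.setdefault(e.clsid, set()).add(e.code)
    return {c: sorted(codes) for c, codes in seen.items() if len(codes) > 1}


def triage(entries: List[Entry]) -> List[str]:
    """Heuristic review prompts (my assumptions, not HijackThis logic); not verdicts."""
    notes = []
    for e in entries:
        if e.code in ("R0", "R1") and " = " in e.body:
            key, _, url = e.body.partition(" = ")
            host = urlsplit(url.strip()).netloc
            if host and not host.endswith("microsoft.com"):
                notes.append(f"{e.code} {key.rsplit(',', 1)[-1]} points at {host}, "
                             "not a Microsoft default: confirm the user chose it")
        elif e.code == "O15":
            host = e.body.split(":", 1)[1].strip()
            notes.append(f"O15 Trusted Zone host {host}: IE relaxes security for it, "
                         "confirm it was added deliberately")
        elif e.code == "O20":
            p = e.path or ""
            # A bare directory or extension-less path means no DLL could be resolved.
            if p.endswith("\\") or not re.search(r"\.[A-Za-z0-9]{2,4}$", p):
                notes.append(f"O20 Winlogon Notify with no resolvable DLL ({e.body}): "
                             "dangling registration or a DLL the scanner could not see")
        elif e.code == "O23" and "Unknown owner" in e.body:
            notes.append(f"O23 service without a publisher string: {e.body}")
    return notes


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    print("CLSIDs shared across sections:", shared_clsids(parsed))
    for note in triage(parsed):
        print("REVIEW:", note)
```

    Run it as a script to see the prompts; with a real log, pass the file contents to parse_log(). The GoToAssist line is a good illustration of why these are prompts and not verdicts: a Winlogon Notify entry pointing at a bare directory can be a leftover registration from an uninstalled product just as easily as something hiding, and only checking the registry key and the file on disk settles it.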
     
  7. 2009/11/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2009/11/04
    cda25

    cda25 Inactive Thread Starter

    Joined:
    2009/11/01
    Messages:
    13
    Likes Received:
    0
    Requested reports 1

    Requested reports will be in multiple postings due to length.

    I disabled McAfee Security Suite (all sections) so I am confused as to why the report says that resident AV is active. I received a message that the computer was not protected and I had to reopen everything on McAfee when I restarted. McAfee, however, jumped up and quarantined a file during the process.

    I received an error message multiple times during the process that stated a file was corrupt and I needed to run the disk utility.


    ComboFix 09-11-04.02 - Bonnie 11/04/2009 14:11.1.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1663 [GMT -5:00]
    Running from: c:\users\Public\Pictures\Sample Pictures\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
    C:\install.exe
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\system32\oem17.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
    .

    2009-11-04 17:54 . 2009-11-04 17:54 -------- d-----w- c:\program files\Trend Micro
    2009-11-04 02:50 . 2009-11-04 02:50 117760 ----a-w- c:\users\Bonnie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-11-04 02:47 . 2009-11-04 02:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2009-11-04 02:46 . 2009-11-04 02:46 4096 d-----w- c:\program files\SUPERAntiSpyware
    2009-11-04 02:46 . 2009-11-04 02:46 -------- d-----w- c:\users\Bonnie\AppData\Roaming\SUPERAntiSpyware.com
    2009-11-04 02:44 . 2009-11-04 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-11-03 23:50 . 2009-11-04 19:19 4096 d-----w- c:\users\Bonnie\AppData\Roaming\HughesNet Download Manager
    2009-11-03 23:49 . 2009-11-03 23:49 8192 d-----w- c:\program files\HughesNet Download Manager
    2009-11-03 23:38 . 2009-11-04 00:27 -------- d-----w- c:\users\Bonnie\AppData\Roaming\Motive
    2009-11-03 23:35 . 2009-11-03 23:33 38208 ----a-w- c:\users\Bonnie\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-11-03 23:35 . 2009-11-03 23:33 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-11-03 23:35 . 2009-11-03 23:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-11-03 23:35 . 2009-11-03 23:35 -------- d-----w- c:\program files\HughesNetStatusMeter
    2009-11-03 23:30 . 2009-11-03 23:30 -------- d-----w- c:\program files\HughesNetTools
    2009-11-03 23:30 . 2007-12-10 15:12 85 ----a-w- c:\windows\system32\h53unin.bat
    2009-11-03 23:30 . 2007-12-04 19:17 528384 ----a-w- c:\windows\system32\McciExecute.exe
    2009-11-03 23:30 . 2009-11-04 14:55 -------- d-----w- c:\programdata\Motive
    2009-11-03 23:30 . 2009-11-03 23:30 8192 d-----w- c:\program files\Common Files\Motive
    2009-11-02 20:11 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-11-02 20:07 . 2009-11-02 20:07 -------- d-----w- c:\program files\Panda Security
    2009-11-02 17:27 . 2009-11-02 17:27 -------- d-----w- c:\users\Bonnie\AppData\Roaming\Malwarebytes
    2009-11-02 17:27 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-02 17:27 . 2009-11-02 17:27 -------- d-----w- c:\programdata\Malwarebytes
    2009-11-02 17:27 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-02 17:27 . 2009-11-02 19:08 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-30 17:49 . 2009-10-30 17:49 2517528 ----a-w- c:\programdata\PC Drivers HeadQuarters\Driver Detective\Downloads\INF_allOS_9.0.0.1011_PV.exe
    2009-10-30 17:36 . 2009-10-30 17:36 -------- d-----w- c:\program files\Marvell
    2009-10-30 10:31 . 2009-09-16 14:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-10-30 10:31 . 2009-09-16 14:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-10-30 10:31 . 2009-09-16 14:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-10-30 10:31 . 2009-07-16 16:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2009-10-30 10:31 . 2009-10-30 10:31 4096 d-----w- c:\program files\Common Files\McAfee
    2009-10-30 10:31 . 2009-10-30 10:31 -------- d-----w- C:\mcafee_mcpr
    2009-10-30 10:31 . 2009-10-30 10:31 -------- d-----w- c:\program files\McAfee.com
    2009-10-30 10:31 . 2009-10-31 11:53 4096 d-----w- c:\program files\McAfee
    2009-10-30 10:22 . 2009-09-16 14:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-10-29 13:02 . 2009-10-31 14:57 4096 d-----w- C:\found.001
    2009-10-28 21:13 . 2009-10-28 23:01 -------- d-----w- C:\found.000
    2009-10-27 14:59 . 2009-10-27 14:59 4096 d-----w- C:\b85bf47ce69ba1949e
    2009-10-16 09:51 . 2009-10-16 09:51 -------- d-----w- c:\program files\Microsoft
    2009-10-16 09:51 . 2009-10-16 09:51 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-10-16 09:51 . 2009-10-16 09:51 4096 d-----w- c:\program files\Windows Live
    2009-10-16 09:50 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
    2009-10-16 09:50 . 2009-10-16 09:50 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2009-10-16 09:26 . 2009-10-16 09:27 -------- d-----w- c:\program files\Common Files\Adobe
    2009-10-16 08:42 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
    2009-10-16 08:41 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-10-16 08:41 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-10-16 08:41 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
    2009-10-16 08:41 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2009-10-16 08:41 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2009-10-14 13:03 . 2009-10-14 13:03 3550592 ----a-w- c:\users\Bonnie\procexp.exe
    2009-10-12 16:51 . 2009-10-12 16:51 8192 d-----w- c:\program files\LAlarm
    2009-10-12 16:51 . 2009-10-12 16:51 945323 ----a-w- c:\users\Bonnie\LAlarm34.exe
    2009-10-11 15:21 . 2009-10-11 15:21 -------- d-----w- c:\windows\New Folder
    2009-10-11 11:50 . 2009-10-11 11:50 -------- d-----w- c:\program files\Retrospect
    2009-10-09 16:18 . 2009-10-11 00:44 4096 d-----w- c:\program files\MozyHome
    2009-10-09 16:18 . 2009-11-04 16:27 4096 d-----w- c:\programdata\RetroExp
    2009-10-09 13:32 . 2009-10-09 13:32 -------- d-----w- c:\programdata\WindowsSearch
    2009-10-07 22:45 . 2009-10-07 22:45 512 ----a-w- C:\Drive_C.dat
    2009-10-07 22:23 . 2009-10-09 16:07 -------- d-----w- c:\program files\Runtime Software
    2009-10-07 21:18 . 2009-10-07 21:18 4096 d-----w- c:\users\Bonnie\AppData\Local\MigWiz
    2009-10-07 20:21 . 2009-10-07 20:21 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2009-10-07 20:20 . 2009-10-07 20:21 -------- d-----w- c:\users\Bonnie\AppData\Roaming\acccore
    2009-10-07 20:20 . 2009-10-07 20:20 -------- d-----w- c:\users\Bonnie\AppData\Local\AIM
    2009-10-07 20:20 . 2009-10-07 20:20 -------- d-----w- c:\programdata\AIM
    2009-10-07 11:06 . 2009-10-07 11:09 4096 d-----w- c:\program files\Ask.com
    2009-10-07 01:57 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2009-10-07 01:57 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2009-10-07 01:57 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
    2009-10-07 01:57 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2009-10-07 01:57 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
    2009-10-07 01:57 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
    2009-10-07 01:57 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
    2009-10-07 01:56 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2009-10-07 01:56 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
    2009-10-06 09:10 . 2009-10-06 09:10 -------- d-----w- c:\program files\JRE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-04 16:28 . 2009-03-24 04:40 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2009-11-04 16:28 . 2009-03-25 12:11 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2009-11-04 16:27 . 2009-03-24 04:44 12 ----a-w- c:\windows\bthservsdp.dat
    2009-11-04 04:31 . 2009-03-24 04:42 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2009-11-03 19:26 . 2009-04-25 17:58 4096 d-----w- c:\programdata\Google Updater
    2009-11-02 14:33 . 2009-03-25 22:04 3507 ----a-w- c:\programdata\Intuit\QuickBooks 2007\qbbackup.sys
    2009-10-31 13:47 . 2009-04-09 13:01 1 ----a-w- c:\users\Bonnie\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-10-30 18:34 . 2009-03-25 01:41 27934 ----a-w- c:\programdata\nvModes.dat
    2009-10-30 18:12 . 2009-05-31 13:57 2096392 ----a-w- c:\programdata\PC Drivers HeadQuarters\Driver Detective\Downloads\R166187.exe
    2009-10-30 10:33 . 2009-03-24 13:08 4096 d-----w- c:\programdata\McAfee
    2009-10-29 17:24 . 2009-05-31 12:22 46149072 ----a-w- c:\programdata\PC Drivers HeadQuarters\Driver Detective\Downloads\R140135.exe
    2009-10-29 14:15 . 2009-09-25 12:17 4096 d-----w- c:\program files\MedalFolders
    2009-10-16 09:17 . 2009-03-25 10:21 4096 d-----w- c:\programdata\NOS
    2009-10-16 08:54 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
    2009-10-09 13:35 . 2009-03-26 19:13 4096 d-----w- c:\program files\RegistryFix7
    2009-10-08 19:20 . 2009-03-25 17:38 4096 d-----w- c:\program files\Common Files\AOL
    2009-10-07 20:20 . 2009-03-25 17:38 -------- d-----w- c:\programdata\AOL
    2009-10-06 15:48 . 2009-03-24 04:58 59544 ----a-w- c:\users\Bonnie\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-10-06 09:10 . 2009-04-09 12:59 4096 d-----w- c:\program files\OpenOffice.org 3
    2009-10-04 11:54 . 2009-07-27 14:02 8192 d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-04 11:51 . 2009-10-04 11:51 -------- d-----w- c:\program files\Zone Labs
    2009-10-04 11:49 . 2009-10-04 11:49 -------- d-----w- c:\programdata\CheckPoint
    2009-10-04 10:39 . 2009-07-27 14:02 4096 d-----w- c:\programdata\Spybot - Search & Destroy
    2009-10-02 21:04 . 2009-04-11 22:31 816392 ----a-w- c:\programdata\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
    2009-10-01 14:29 . 2009-10-02 16:02 195440 ----a-w- c:\windows\system32\MpSigStub.exe
    2009-09-25 14:28 . 2009-03-25 22:28 -------- d-----w- c:\users\Bonnie\AppData\Roaming\U3
    2009-09-23 10:27 . 2009-04-09 22:23 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-09-23 10:27 . 2009-09-23 10:27 -------- d-----w- c:\program files\Java
    2009-09-22 15:05 . 2009-06-21 22:22 4096 d-----w- c:\program files\OverDrive Media Console
    2009-09-22 14:33 . 2009-04-30 09:39 4096 d-----w- c:\program files\BookSmart
    2009-09-22 11:29 . 2009-09-22 11:29 4096 d-----w- c:\program files\QuickTime
    2009-09-22 11:29 . 2009-09-22 11:29 -------- d-----w- c:\programdata\Apple Computer
    2009-09-22 11:26 . 2009-09-22 11:26 -------- d-----w- c:\program files\Common Files\Apple
    2009-09-22 11:26 . 2009-09-22 11:26 4096 d-----w- c:\program files\Apple Software Update
    2009-09-22 11:26 . 2009-09-22 11:26 -------- d-----w- c:\programdata\Apple
    2009-09-22 11:18 . 2009-09-22 11:18 -------- d-----w- c:\program files\NOS
    2009-09-22 11:09 . 2009-09-22 11:09 -------- d-----w- c:\program files\Secunia
    2009-09-16 14:22 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-09-11 16:06 . 2009-04-21 17:15 548792 ----a-w- c:\users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaUpdater.exe
    2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
    2009-09-11 15:44 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
    2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
    2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
    2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
    2009-09-11 15:44 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
    2009-09-11 15:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-09-11 02:05 . 2009-09-11 02:02 1925024 ----a-w- c:\programdata\NOS\Adobe_Downloads\install_flash_player.exe
    2009-09-09 23:34 . 2008-01-22 01:43 49152 ----a-w- c:\windows\system32\instw32.exe
    2009-09-09 01:36 . 2009-04-23 00:05 4096 d-----w- c:\program files\Microsoft Silverlight
    2009-09-03 15:53 . 2009-09-22 11:50 22848 ----a-w- c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
    2009-09-03 15:53 . 2009-09-22 11:50 30912 ----a-w- c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    2009-09-03 15:53 . 2009-09-22 11:50 19792 ----a-w- c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
    2009-08-29 00:27 . 2009-09-02 20:43 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2009-08-29 00:14 . 2009-09-02 20:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2009-08-27 05:22 . 2009-10-16 09:22 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-27 05:17 . 2009-10-16 09:22 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-08-27 05:17 . 2009-10-16 09:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-08-27 03:42 . 2009-10-16 09:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-08-14 16:27 . 2009-09-08 20:51 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2009-08-14 15:53 . 2009-09-08 20:51 17920 ----a-w- c:\windows\system32\netevent.dll
    2009-08-14 13:49 . 2009-09-08 20:51 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2009-08-14 13:49 . 2009-09-08 20:51 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2009-08-14 13:49 . 2009-09-08 20:51 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2009-08-14 13:49 . 2009-09-08 20:51 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2009-08-14 13:49 . 2009-09-08 20:51 19968 ----a-w- c:\windows\system32\ARP.EXE
    2009-08-14 13:49 . 2009-09-08 20:51 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2009-08-14 13:49 . 2009-09-08 20:51 10240 ----a-w- c:\windows\system32\finger.exe
    2009-08-14 13:48 . 2009-09-08 20:51 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2009-08-14 13:48 . 2009-09-08 20:51 105984 ----a-w- c:\windows\system32\netiohlp.dll
    2006-06-16 03:33 . 2009-03-25 00:21 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
    2006-05-26 01:43 . 2009-03-25 00:21 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
    2005-09-29 21:41 . 2009-03-25 00:21 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
    2006-06-19 20:10 . 2009-03-25 00:21 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
    2005-02-02 19:19 . 2009-03-25 00:21 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
    2006-04-11 01:35 . 2009-03-25 00:21 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
    2005-11-09 18:10 . 2009-03-25 00:21 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
    2005-11-09 18:42 . 2009-03-25 00:21 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
    2006-01-04 18:22 . 2009-03-25 00:21 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
    2006-01-04 18:21 . 2009-03-25 00:21 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
    2009-03-25 00:21 . 2009-03-25 00:21 76 --sh--r- c:\windows\CT4CET.bin
    2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-07-10 21:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"="c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"="c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-04-17 06:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-04-17 06:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-04-17 06:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
    backup=c:\windows\pss\QuickSet.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Bonnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HughesNetStatusMeter.lnk]
    path=c:\users\Bonnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HughesNetStatusMeter.lnk
    backup=c:\windows\pss\HughesNetStatusMeter.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^Bonnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MedalFolders.lnk]
    backup=c:\windows\pss\MedalFolders.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^Bonnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):b5,9b,26,4a,f7,32,ca,01

    R0 MDFSYSNT;MacDrive file system driver;c:\windows\System32\drivers\MDFSYSNT.SYS [4/30/2009 4:18 PM 284416]
    R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/2/2009 3:11 PM 28552]
    R1 CbFs;CbFs;c:\windows\System32\drivers\cbfs.sys [8/25/2009 5:29 AM 136744]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
    R2 cyphxdrv;cyphxdrv;c:\windows\System32\drivers\cyphxdrv.sys [6/25/2009 1:39 PM 100728]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\System32\drivers\ManyCam.sys [1/14/2008 5:06 AM 21632]
    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/10/2007 4:03 PM 235648]
    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [3/23/2009 10:16 PM 7424]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
    S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
    S3 VtcDrv;VTC Driver V4.00;c:\windows\System32\drivers\vtcdrv_x86.sys [5/13/2009 10:12 AM 18944]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MBR
    *NewlyCreated* - PROCEXP113
    *Deregistered* - kwryrkow
    *Deregistered* - mbr
    *Deregistered* - PROCEXP113

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    getPlusHelper REG_MULTI_SZ getPlusHelper
    yksvcs REG_MULTI_SZ yksvc
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 17:58]

    2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 18:02]

    2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 18:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=13739&l=dir
    IE: Download all with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dlall.htm
    IE: Download selected with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dlselected.htm
    IE: Download video with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dlfvideo.htm
    IE: Download with HughesNet Download Manager - file://c:\program files\HughesNet Download Manager\dllink.htm
    Trusted Zone: netlibrary.com\www
    Trusted Zone: real.com\rhap-app-4-0
    Trusted Zone: real.com\rhapreg
    FF - ProfilePath - c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
    FF - component: c:\program files\HughesNet Download Manager\Firefox\Extension\components\vmsfdmff.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\users\Bonnie\AppData\Roaming\Mozilla\Firefox\Profiles\tv9nvaeb.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)
    Notify-GoToAssist - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-04 14:21
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...
  9. 2009/11/04
    cda25 Inactive Thread Starter
    Requested reports 2

    There are pages and pages of these temp files that seem to be duplicates. If you need all of them, please let me know and I will send them; otherwise, the final posting will be the HijackThis report.

    scanning hidden files ...


    c:\windows\TEMP\MSI70494.LOG 94 bytes
    c:\windows\TEMP\MSI70495.LOG 94 bytes
    c:\windows\TEMP\MSI70496.LOG 94 bytes
    c:\windows\TEMP\MSI70497.LOG 94 bytes
    c:\windows\TEMP\MSI70498.LOG 94 bytes
    c:\windows\TEMP\MSI7049a.LOG 94 bytes
    c:\windows\TEMP\MSI7049b.LOG 94 bytes
    c:\windows\TEMP\MSI7049d.LOG 1490 bytes
    c:\windows\TEMP\MSI7049e.LOG 94 bytes
    c:\windows\TEMP\MSI7049f.LOG 94 bytes
    c:\windows\TEMP\MSI704a1.LOG 94 bytes
    c:\windows\TEMP\MSI704a2.LOG 94 bytes
    c:\windows\TEMP\MSI704a3.LOG 94 bytes
    c:\windows\TEMP\MSI704a5.LOG 94 bytes
    c:\windows\TEMP\MSI704a6.LOG 94 bytes
    c:\windows\TEMP\MSI704a7.LOG 94 bytes
    c:\windows\TEMP\MSI704a8.LOG 94 bytes
    c:\windows\TEMP\MSI704ab.LOG 94 bytes
    c:\windows\TEMP\MSI704ac.LOG 94 bytes
    c:\windows\TEMP\MSI704ad.LOG 94 bytes
    c:\windows\TEMP\MSI704ae.LOG 94 bytes
    c:\windows\TEMP\MSI704af.LOG 94 bytes
    c:\windows\TEMP\MSI704b0.LOG 94 bytes
    c:\windows\TEMP\MSI704b1.LOG 94 bytes
    c:\windows\TEMP\MSI704b2.LOG 94 bytes
    c:\windows\TEMP\MSI704b3.LOG 94 bytes
    c:\windows\TEMP\MSI704b4.LOG 94 bytes
    c:\windows\TEMP\MSI704b5.LOG 94 bytes
    c:\windows\TEMP\MSI704b6.LOG 94 bytes
    c:\windows\TEMP\MSI704b7.LOG 94 bytes
    c:\windows\TEMP\MSI704b8.LOG 94 bytes
    c:\windows\TEMP\MSI704b9.LOG 94 bytes
    c:\windows\TEMP\MSI704ba.LOG 94 bytes
    c:\windows\TEMP\MSI704bb.LOG 94 bytes
    c:\windows\TEMP\MSI704be.LOG 94 bytes
    c:\windows\TEMP\MSI704bf.LOG 94 bytes
    c:\windows\TEMP\MSI704c1.LOG 94 bytes
    c:\windows\TEMP\MSI704c3.LOG 94 bytes
    c:\windows\TEMP\MSI704c4.LOG 94 bytes
    c:\windows\TEMP\MSI704c5.LOG 94 bytes
    c:\windows\TEMP\MSI704c6.LOG 94 bytes
    c:\windows\TEMP\MSI704c7.LOG 94 bytes
    c:\windows\TEMP\MSI704c8.LOG 94 bytes
    c:\windows\TEMP\MSI704ca.LOG 94 bytes
    c:\windows\TEMP\MSI704cb.LOG 94 bytes
    c:\windows\TEMP\MSI704cd.LOG 94 bytes
    c:\windows\TEMP\MSI704ce.LOG 1440 bytes
    c:\windows\TEMP\MSI704cf.LOG 94 bytes
    c:\windows\TEMP\MSI704d1.LOG 94 bytes
    c:\windows\TEMP\MSI704d2.LOG 94 bytes
    c:\windows\TEMP\MSI704d3.LOG 6690 bytes
    c:\windows\TEMP\MSI704d5.LOG 94 bytes
    c:\windows\TEMP\MSI704d6.LOG 94 bytes
    c:\windows\TEMP\MSI704d7.LOG 94 bytes
    c:\windows\TEMP\MSI704d8.LOG 94 bytes
    c:\windows\TEMP\MSI704da.LOG 94 bytes
    c:\windows\TEMP\MSI704db.LOG 94 bytes
    c:\windows\TEMP\MSI704dd.LOG 94 bytes
    c:\windows\TEMP\MSI704df.LOG 94 bytes
    c:\windows\TEMP\MSI704e1.LOG 94 bytes
    c:\windows\TEMP\MSI704e2.LOG 94 bytes
    c:\windows\TEMP\MSI704e3.LOG 94 bytes
    c:\windows\TEMP\MSI704e4.LOG 94 bytes
    c:\windows\TEMP\MSI704e5.LOG 94 bytes
    c:\windows\TEMP\MSI704e7.LOG 94 bytes
    c:\windows\TEMP\MSI704e8.LOG 94 bytes
    c:\windows\TEMP\MSI704ea.LOG 1490 bytes
    c:\windows\TEMP\MSI704eb.LOG 94 bytes
    c:\windows\TEMP\MSI704ee.LOG 94 bytes
    c:\windows\TEMP\MSI704ef.LOG 94 bytes
    c:\windows\TEMP\MSI704f0.LOG 94 bytes
    c:\windows\TEMP\MSI704f2.LOG 94 bytes
    c:\windows\TEMP\MSI704f3.LOG 94 bytes
    c:\windows\TEMP\MSI704f4.LOG 94 bytes
    c:\windows\TEMP\MSI704f5.LOG 94 bytes
    c:\windows\TEMP\MSI704f7.LOG 94 bytes
    c:\windows\TEMP\MSI704f8.LOG 94 bytes
    c:\windows\TEMP\MSI704f9.LOG 94 bytes
    c:\windows\TEMP\MSI704fa.LOG 94 bytes
    c:\windows\TEMP\MSI704fb.LOG 94 bytes
    c:\windows\TEMP\MSI704fc.LOG 94 bytes
    c:\windows\TEMP\MSI704fd.LOG 94 bytes
    c:\windows\TEMP\MSI704fe.LOG 94 bytes
    c:\windows\TEMP\MSI704ff.LOG 94 bytes
    c:\windows\TEMP\MSI70500.LOG 94 bytes
    c:\windows\TEMP\MSI70502.LOG 94 bytes
    c:\windows\TEMP\MSI70503.LOG 94 bytes
    c:\windows\TEMP\MSI70504.LOG 94 bytes
    c:\windows\TEMP\MSI70505.LOG 94 bytes
    c:\windows\TEMP\MSI70506.LOG 94 bytes
    c:\windows\TEMP\MSI70507.LOG 94 bytes
    c:\windows\TEMP\MSI70508.LOG 94 bytes
    c:\windows\TEMP\MSI70509.LOG 94 bytes
    c:\windows\TEMP\MSI7050b.LOG 94 bytes
    c:\windows\TEMP\MSI7050c.LOG 94 bytes
    c:\windows\TEMP\MSI7050e.LOG 94 bytes
    c:\windows\TEMP\MSI70510.LOG 94 bytes
    c:\windows\TEMP\MSI70511.LOG 94 bytes
    c:\windows\TEMP\MSI70512.LOG 94 bytes
    c:\windows\TEMP\MSI70513.LOG 94 bytes
    c:\windows\TEMP\MSI70514.LOG 94 bytes
    c:\windows\TEMP\MSI70515.LOG 94 bytes
    c:\windows\TEMP\MSI70518.LOG 94 bytes
    c:\windows\TEMP\MSI7051a.LOG 94 bytes
    c:\windows\TEMP\MSI7051b.LOG 1440 bytes
    c:\windows\TEMP\MSI7051c.LOG 94 bytes
    c:\windows\TEMP\MSI7051e.LOG 94 bytes
    c:\windows\TEMP\MSI7051f.LOG 94 bytes
    c:\windows\TEMP\MSI70520.LOG 6690 bytes
    c:\windows\TEMP\MSI70521.LOG 94 bytes
    c:\windows\TEMP\MSI70522.LOG 94 bytes
    c:\windows\TEMP\MSI70523.LOG 94 bytes
    c:\windows\TEMP\MSI70524.LOG 94 bytes
    c:\windows\TEMP\MSI70525.LOG 94 bytes
    c:\windows\TEMP\MSI70527.LOG 94 bytes
    c:\windows\TEMP\MSI70528.LOG 94 bytes
    c:\windows\TEMP\MSI7052a.LOG 94 bytes
    c:\windows\TEMP\MSI7052c.LOG 94 bytes
    c:\windows\TEMP\MSI7052e.LOG 94 bytes
    c:\windows\TEMP\MSI70530.LOG 94 bytes
    c:\windows\TEMP\MSI70531.LOG 94 bytes
    c:\windows\TEMP\MSI70532.LOG 94 bytes
    c:\windows\TEMP\MSI70534.LOG 94 bytes
    c:\windows\TEMP\MSI70535.LOG 94 bytes
    c:\windows\TEMP\MSI70537.LOG 1490 bytes
    c:\windows\TEMP\MSI70538.LOG 94 bytes
    c:\windows\TEMP\MSI70539.LOG 94 bytes
    c:\windows\TEMP\MSI7053b.LOG 94 bytes
    c:\windows\TEMP\MSI7053c.LOG 94 bytes
    c:\windows\TEMP\MSI7053d.LOG 94 bytes
    c:\windows\TEMP\MSI7053f.LOG 94 bytes
    c:\windows\TEMP\MSI70540.LOG 94 bytes
    c:\windows\TEMP\MSI70541.LOG 94 bytes
    c:\windows\TEMP\MSI70542.LOG 94 bytes
    c:\windows\TEMP\MSI70544.LOG 94 bytes
    c:\windows\TEMP\MSI70545.LOG 94 bytes
    c:\windows\TEMP\MSI70547.LOG 94 bytes
    c:\windows\TEMP\MSI70548.LOG 94 bytes
    c:\windows\TEMP\MSI70549.LOG 94 bytes
    c:\windows\TEMP\MSI7054a.LOG 94 bytes
    c:\windows\TEMP\MSI7054b.LOG 94 bytes
    c:\windows\TEMP\MSI7054c.LOG 94 bytes
    c:\windows\TEMP\MSI7054d.LOG 94 bytes
    c:\windows\TEMP\MSI7054e.LOG 94 bytes
    c:\windows\TEMP\MSI7054f.LOG 94 bytes
    c:\windows\TEMP\MSI70550.LOG 94 bytes
    c:\windows\TEMP\MSI70551.LOG 94 bytes
    c:\windows\TEMP\MSI70552.LOG 94 bytes
    c:\windows\TEMP\MSI70553.LOG 94 bytes
    c:\windows\TEMP\MSI70554.LOG 94 bytes
    c:\windows\TEMP\MSI70555.LOG 94 bytes
    c:\windows\TEMP\MSI70556.LOG 94 bytes
    c:\windows\TEMP\MSI70558.LOG 94 bytes
    c:\windows\TEMP\MSI7055b.LOG 94 bytes
    c:\windows\TEMP\MSI7055d.LOG 94 bytes
    c:\windows\TEMP\MSI7055e.LOG 94 bytes
    c:\windows\TEMP\MSI7055f.LOG 94 bytes
    c:\windows\TEMP\MSI70560.LOG 94 bytes
    c:\windows\TEMP\MSI70561.LOG 94 bytes
    c:\windows\TEMP\MSI70562.LOG 94 bytes
    c:\windows\TEMP\MSI70564.LOG 94 bytes
    c:\windows\TEMP\MSI70565.LOG 94 bytes
    c:\windows\TEMP\MSI70567.LOG 94 bytes
    c:\windows\TEMP\MSI70568.LOG 1440 bytes
    c:\windows\TEMP\MSI70569.LOG 94 bytes
    c:\windows\TEMP\MSI7056b.LOG 94 bytes
    c:\windows\TEMP\MSI7056c.LOG 94 bytes
    c:\windows\TEMP\MSI7056d.LOG 6690 bytes
    c:\windows\TEMP\MSI7056e.LOG 94 bytes
    c:\windows\TEMP\MSI7056f.LOG 94 bytes
    c:\windows\TEMP\MSI7047a.LOG 94 bytes
    c:\windows\TEMP\MSI70492.LOG 94 bytes
    c:\windows\TEMP\MSI704aa.LOG 94 bytes
    c:\windows\TEMP\MSI704bc.LOG 94 bytes
    c:\windows\TEMP\MSI704d4.LOG 94 bytes
    c:\windows\TEMP\MSI704ec.LOG 94 bytes
    c:\windows\TEMP\MSI70501.LOG 94 bytes
    c:\windows\TEMP\MSI70517.LOG 94 bytes
    c:\windows\TEMP\MSI7052f.LOG 94 bytes
    c:\windows\TEMP\MSI70546.LOG 94 bytes
    c:\windows\TEMP\MSI70559.LOG 94 bytes
    c:\windows\TEMP\MSI70570.LOG 94 bytes
    c:\windows\TEMP\MSI70589.LOG 94 bytes
    c:\windows\TEMP\MSI7059d.LOG 94 bytes
    c:\windows\TEMP\MSI705b4.LOG 94 bytes
    c:\windows\TEMP\MSI705cb.LOG 94 bytes
    c:\windows\TEMP\MSI70571.LOG 94 bytes
    c:\windows\TEMP\MSI70572.LOG 94 bytes
    c:\windows\TEMP\MSI70574.LOG 94 bytes
    c:\windows\TEMP\MSI70575.LOG 94 bytes
    c:\windows\TEMP\MSI70577.LOG 94 bytes
    c:\windows\TEMP\MSI70579.LOG 94 bytes
    c:\windows\TEMP\MSI7057b.LOG 94 bytes
    c:\windows\TEMP\MSI7057c.LOG 94 bytes
    c:\windows\TEMP\MSI7057d.LOG 94 bytes
    c:\windows\TEMP\MSI7057e.LOG 94 bytes
    c:\windows\TEMP\MSI7057f.LOG 94 bytes
    c:\windows\TEMP\MSI70581.LOG 94 bytes
    c:\windows\TEMP\MSI70582.LOG 94 bytes
    c:\windows\TEMP\MSI70584.LOG 1490 bytes
    c:\windows\TEMP\MSI70585.LOG 94 bytes
    c:\windows\TEMP\MSI70586.LOG 94 bytes
    c:\windows\TEMP\MSI70588.LOG 94 bytes
    c:\windows\TEMP\MSI7058a.LOG 94 bytes
    c:\windows\TEMP\MSI7058c.LOG 94 bytes
    c:\windows\TEMP\MSI7058d.LOG 94 bytes
    c:\windows\TEMP\MSI7058e.LOG 94 bytes
    c:\windows\TEMP\MSI7058f.LOG 94 bytes
    c:\windows\TEMP\MSI70591.LOG 94 bytes
    c:\windows\TEMP\MSI70592.LOG 94 bytes
    c:\windows\TEMP\MSI70593.LOG 94 bytes
    c:\windows\TEMP\MSI70594.LOG 94 bytes
    c:\windows\TEMP\MSI70595.LOG 94 bytes
    c:\windows\TEMP\MSI70596.LOG 94 bytes
    c:\windows\TEMP\MSI70597.LOG 94 bytes
    c:\windows\TEMP\MSI70598.LOG 94 bytes
    c:\windows\TEMP\MSI70599.LOG 94 bytes
    c:\windows\TEMP\MSI7059a.LOG 94 bytes
    c:\windows\TEMP\MSI7059b.LOG 94 bytes
    c:\windows\TEMP\MSI7059c.LOG 94 bytes
    c:\windows\TEMP\MSI7059e.LOG 94 bytes
    c:\windows\TEMP\MSI7059f.LOG 94 bytes
    c:\windows\TEMP\MSI705a0.LOG 94 bytes
    c:\windows\TEMP\MSI705a1.LOG 94 bytes
    c:\windows\TEMP\MSI705a2.LOG 94 bytes
    c:\windows\TEMP\MSI705a3.LOG 94 bytes
    c:\windows\TEMP\MSI705a5.LOG 94 bytes
    c:\windows\TEMP\MSI705a6.LOG 94 bytes
    c:\windows\TEMP\MSI705a8.LOG 94 bytes
    c:\windows\TEMP\MSI705aa.LOG 94 bytes
    c:\windows\TEMP\MSI705ab.LOG 94 bytes
    c:\windows\TEMP\MSI705ac.LOG 94 bytes
    c:\windows\TEMP\MSI705ad.LOG 94 bytes
    c:\windows\TEMP\MSI705ae.LOG 94 bytes
    c:\windows\TEMP\MSI705af.LOG 94 bytes
    c:\windows\TEMP\MSI705b1.LOG 94 bytes
    c:\windows\TEMP\MSI705b2.LOG 94 bytes
    c:\windows\TEMP\MSI705b5.LOG 1440 bytes
    c:\windows\TEMP\MSI705b6.LOG 94 bytes
    c:\windows\TEMP\MSI705b8.LOG 94 bytes
    c:\windows\TEMP\MSI705b9.LOG 94 bytes
    c:\windows\TEMP\MSI705ba.LOG 6690 bytes
    c:\windows\TEMP\MSI705bb.LOG 94 bytes
    c:\windows\TEMP\MSI705bc.LOG 94 bytes
    c:\windows\TEMP\MSI705bd.LOG 94 bytes
    c:\windows\TEMP\MSI705be.LOG 94 bytes
    c:\windows\TEMP\MSI705bf.LOG 94 bytes
    c:\windows\TEMP\MSI705c1.LOG 94 bytes
    c:\windows\TEMP\MSI705c2.LOG 94 bytes
    c:\windows\TEMP\MSI705c4.LOG 94 bytes
    c:\windows\TEMP\MSI705c6.LOG 94 bytes
    c:\windows\TEMP\MSI705c8.LOG 94 bytes
    c:\windows\TEMP\MSI705c9.LOG 94 bytes
    c:\windows\TEMP\MSI705ca.LOG 94 bytes
    c:\windows\TEMP\MSI705cc.LOG 94 bytes
    c:\windows\TEMP\MSI705ce.LOG 94 bytes
    c:\windows\TEMP\MSI705cf.LOG 94 bytes
    c:\windows\TEMP\MSI705d1.LOG 1490 bytes
    c:\windows\TEMP\MSI705d2.LOG 94 bytes
    c:\windows\TEMP\MSI705d3.LOG 94 bytes
    c:\windows\TEMP\MSI705d5.LOG 94 bytes
    c:\windows\TEMP\MSI705d6.LOG 94 bytes
    c:\windows\TEMP\MSI705d7.LOG 94 bytes
    c:\windows\TEMP\MSI705d9.LOG 94 bytes
    c:\windows\TEMP\MSI705da.LOG 94 bytes
    c:\windows\TEMP\MSI705db.LOG 94 bytes
    c:\windows\TEMP\MSI705dc.LOG 94 bytes
    c:\windows\TEMP\MSI705de.LOG 94 bytes
    c:\windows\TEMP\MSI705df.LOG 94 bytes
    c:\windows\TEMP\MSI705e0.LOG 94 bytes
    c:\windows\TEMP\MSI705e1.LOG 94 bytes
    c:\windows\TEMP\MSI705e3.LOG 94 bytes
    c:\windows\TEMP\MSI705e4.LOG 94 bytes
    c:\windows\TEMP\MSI705e5.LOG 94 bytes
    c:\windows\TEMP\MSI705e6.LOG 94 bytes
    c:\windows\TEMP\MSI705e7.LOG 94 bytes
    c:\windows\TEMP\MSI705e8.LOG 94 bytes
    c:\windows\TEMP\MSI705e9.LOG 94 bytes
    c:\windows\TEMP\MSI705ea.LOG 94 bytes
    c:\windows\TEMP\MSI705eb.LOG 94 bytes
    c:\windows\TEMP\MSI705ec.LOG 94 bytes
    c:\windows\TEMP\MSI705ed.LOG 94 bytes
    c:\windows\TEMP\MSI705ee.LOG 94 bytes
    c:\windows\TEMP\MSI705ef.LOG 94 bytes
    c:\windows\TEMP\MSI705f0.LOG 94 bytes
    c:\windows\TEMP\MSI705f2.LOG 94 bytes
    c:\windows\TEMP\MSI705f3.LOG 94 bytes
    c:\windows\TEMP\MSI705f5.LOG 94 bytes
    c:\windows\TEMP\MSI705f8.LOG 94 bytes
    c:\windows\TEMP\MSI705f9.LOG 94 bytes
    c:\windows\TEMP\MSI705fa.LOG 94 bytes
    c:\windows\TEMP\MSI705fb.LOG 94 bytes
    c:\windows\TEMP\MSI705fc.LOG 94 bytes
    c:\windows\TEMP\MSI705fe.LOG 94 bytes
    c:\windows\TEMP\MSI705ff.LOG 94 bytes
    c:\windows\TEMP\MSI70601.LOG 94 bytes
    c:\windows\TEMP\MSI70602.LOG 1440 bytes
    c:\windows\TEMP\MSI70603.LOG 94 bytes
    c:\windows\TEMP\MSI70605.LOG 94 bytes
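The listing above is long but completely regular: one path and a byte count per line, and almost every MSI*.LOG entry is the same 94-byte size, so the handful of larger logs are the only ones worth opening. As an added example (not part of this thread and not code from catchme or ComboFix), the Python below parses a listing in that format, reports the dominant size, sorts out the larger installer logs, and flags any hidden file whose path does not fit the MSI<hex>.LOG-under-TEMP pattern. The sample input is seven lines copied from the listing plus one constructed line (example_unexpected.dat) that is not in the log; the "expected pattern" regex is an assumption made for the example.

```python
"""Summarise a catchme/ComboFix "scanning hidden files" listing (added example)."""
import re
from collections import Counter

# Constructed sample: seven lines copied from the listing above, plus one made-up
# line (example_unexpected.dat) that is NOT in the log, included only to exercise
# the pattern check below.
SAMPLE_LISTING = r"""
c:\windows\TEMP\MSI70494.LOG 94 bytes
c:\windows\TEMP\MSI70495.LOG 94 bytes
c:\windows\TEMP\MSI7049d.LOG 1490 bytes
c:\windows\TEMP\MSI704ce.LOG 1440 bytes
c:\windows\TEMP\MSI704d3.LOG 6690 bytes
c:\windows\TEMP\MSI704d5.LOG 94 bytes
c:\windows\TEMP\MSI70520.LOG 6690 bytes
c:\windows\TEMP\example_unexpected.dat 512 bytes
"""

# One entry per line: "<path> <size> bytes".
ENTRY_RX = re.compile(r"^(?P<path>.+?)\s+(?P<size>\d+) bytes$")

# What this particular listing is expected to contain: Windows Installer scratch
# logs (MSI<hex>.LOG) under the system TEMP directory. This is an assumption made
# for the example; adjust it to whatever the listing at hand should hold.
EXPECTED_RX = re.compile(r"^c:\\windows\\temp\\msi[0-9a-f]+\.log$", re.IGNORECASE)


def parse_hidden_files(text):
    """Return [(path, size_in_bytes), ...] for every well-formed line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RX.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries


def triage(entries):
    """Split the listing into the bulk (dominant size), larger logs, and off-pattern files."""
    if not entries:
        return {"total": 0, "most_common_size": None, "common_count": 0,
                "outliers": [], "unexpected": []}
    size_counts = Counter(size for _, size in entries)
    common_size, common_count = size_counts.most_common(1)[0]
    # Expected-pattern files whose size differs from the dominant one: these are
    # the few installer logs with real content, worth opening. Largest first.
    outliers = sorted(
        ((p, s) for p, s in entries if s != common_size and EXPECTED_RX.match(p)),
        key=lambda e: (-e[1], e[0].lower()),
    )
    # Hidden files that do not fit the expected pattern at all: always review.
    unexpected = [(p, s) for p, s in entries if not EXPECTED_RX.match(p)]
    return {"total": len(entries), "most_common_size": common_size,
            "common_count": common_count, "outliers": outliers, "unexpected": unexpected}


if __name__ == "__main__":
    report = triage(parse_hidden_files(SAMPLE_LISTING))
    print(f"{report['total']} hidden files; {report['common_count']} of them are "
          f"{report['most_common_size']} bytes")
    for path, size in report["outliers"]:
        print(f"  larger log : {path} ({size} bytes)")
    for path, size in report["unexpected"]:
        print(f"  OFF-PATTERN: {path} ({size} bytes)")
```

Run against the full listing, this collapses a few hundred near-identical lines into one count, four or five larger logs, and whatever does not belong; the off-pattern list is the part that matters for a hidden-file scan.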
  10. 2009/11/04
    cda25 Inactive Thread Starter
    Requested reports 3 HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:39:08 PM, on 11/4/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\wbem\unsecapp.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\HUGHES~3\HDM.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Mediafour XPlay Explorer notifications - {4907C0AD-874D-44D9-B13E-7B0A4D8B9D3E} - C:\Program Files\Mediafour\XPlay 3\XPBHO.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: HDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\HughesNet Download Manager\iefdm2.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O8 - Extra context menu item: Download all with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dllink.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O15 - Trusted Zone: www.netlibrary.com
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1c9c5d01e9960f5) (gupdate1c9c5d01e9960f5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: LAlarm Service (LAlarmService) - LAlarm Systems - C:\Program Files\LAlarm\LAlarmService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\rthlpsvc.exe
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

    --
    End of file - 7249 bytes
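HijackThis lines are regular enough to triage by machine before a human reads them: R0/R1 entries carry a registry key, value and data; O2/O3 entries carry a name, a CLSID and a DLL path; O23 entries carry the service name, the company name HijackThis read from the binary's version info, and the path. As an added example (not part of this thread and not HijackThis code), the Python below parses those line types from the log above and flags the kinds of entries a malware analyst looks for first: a start or search page that points somewhere other than the shipped default, a watchlisted CLSID, any third-party Winlogon Notify DLL, and services whose binary has no company name or shows "Unknown owner". The sample input is nine lines copied from the log; the CLSID watchlist (containing only the Ask Toolbar CLSID from the log) and the trusted-host set are assumptions for the example.

```python
"""Parse HijackThis v2.0.x log lines and flag entries worth a second look (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample: nine lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""

# One regex per HijackThis section type handled here (R0-R3, O2/O3, O20, O23).
LINE_RULES = [
    ("R", re.compile(r"^(?P<code>R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$")),
    ("BHO", re.compile(r"^(?P<code>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
                       r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")),
    ("NOTIFY", re.compile(r"^(?P<code>O20) - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")),
    # The vendor field may be empty ("- - C:\..."), hence the optional group.
    ("SERVICE", re.compile(r"^(?P<code>O23) - Service: (?P<name>.*?) \((?P<service>[^()]+)\) -"
                           r"(?: (?P<vendor>.*?))? - (?P<path>.+)$")),
]

# CLSIDs to flag wherever they appear. Only the Ask Toolbar CLSID from the log
# above is listed; a real watchlist would be much longer (assumption for the example).
WATCHLIST_CLSIDS = {"{D4027C7F-154A-4066-A1AD-4243D8127440}": "Ask Toolbar"}
# Hosts an IE start/search page is allowed to point at: Microsoft's shipped
# defaults only (assumption for the example).
TRUSTED_PAGE_HOSTS = {"go.microsoft.com"}
PAGE_VALUES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}


def parse_line(line):
    """Return (kind, fields) for a recognised line, or (None, None) otherwise."""
    for kind, rx in LINE_RULES:
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None, None


def triage(text, watchlist=WATCHLIST_CLSIDS, trusted_hosts=TRUSTED_PAGE_HOSTS):
    """Return [(code, reason, original_line), ...] for entries that deserve a look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        kind, fields = parse_line(line)
        if kind == "R" and fields["value"] in PAGE_VALUES:
            host = (urlsplit(fields["data"]).hostname or "").lower()
            if host and host not in trusted_hosts:
                findings.append((fields["code"], f"{fields['value']} points at {host}", line))
        elif kind == "BHO":
            label = watchlist.get(fields["clsid"].upper())
            if label:
                findings.append((fields["code"], f"watchlisted CLSID: {label}", line))
        elif kind == "NOTIFY":
            # Anything here is loaded by winlogon.exe at logon; list it so it can be confirmed.
            findings.append((fields["code"],
                             f"Winlogon Notify DLL {fields['name']}: confirm it is wanted", line))
        elif kind == "SERVICE":
            vendor = (fields["vendor"] or "").strip()
            if not vendor or vendor.lower() == "unknown owner":
                findings.append((fields["code"],
                                 f"service {fields['service']} has no company name in its "
                                 f"version info; verify the binary", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_HJT):
        print(f"[{code}] {reason}\n      {line}")
```

A missing company name is not proof of anything (HijackThis reads the version-info string, not a signature), so the O23 findings are prompts to check the file, not verdicts; the watchlisted-CLSID hits are the lines that would go straight into a "Fix checked" list.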
  11. 2009/11/04
    broni Moderator Malware Analyst
    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove.

    ===============================================================

    Uninstall Ask.com through Programs & Features. It may be listed as Ask Toolbar.

    =================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ==============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    - O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll



    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
  12. 2009/11/04
    cda25 Inactive Thread Starter
    HijackThis report

    Ask Toolbar would not uninstall!

    I kept getting "cannot find script file C:\users\Bonnie\Appdata\local\temp\Del_AskHPRFF.VBS"

    and

    Error 1316: A network error occurred while attempting to read from C:\windows\installer\asktoolbar.msi

    The O2 and O3 Ask Toolbar items to be checked in HijackThis were not listed either.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:39:24 PM, on 11/4/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Mediafour\XPlay 3\XPlay.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\LAlarm\LAlarmSub.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\HughesNetTools\1\McciTrayApp_SSR.exe
    C:\Program Files\Common Files\AOL\1243376702\ee\aolsoftware.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HughesNet Download Manager\HDM.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Fingerprint Reader Suite\psqltray.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Dell Support Center\gs_agent\dsc.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Mediafour XPlay Explorer notifications - {4907C0AD-874D-44D9-B13E-7B0A4D8B9D3E} - C:\Program Files\Mediafour\XPlay 3\XPBHO.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: HDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\HughesNet Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "C:\Program Files\Mediafour\XPlay 3\XPlay.exe "
    O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [TheLaptopLock] C:\Program Files\The LaptopLock\LaptopLock.exe /startup
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe /h
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [LAlarmSubProgram] C:\Program Files\LAlarm\LAlarmSub.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [HughesNetTools_McciTrayApp] C:\Program Files\HughesNetTools\1\McciTrayApp_SSR.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1243376702\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking10\Ereg.ini
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [HughesNet Download Manager] "C:\Program Files\HughesNet Download Manager\HDM.exe" -autorun
    O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\Windows\TEMP\E_S561F.tmp" /EF "HKCU "
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - Startup: HughesNetStatusMeter.lnk = C:\Program Files\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe
    O8 - Extra context menu item: Download all with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with HughesNet Download Manager - file://C:\Program Files\HughesNet Download Manager\dllink.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O15 - Trusted Zone: www.netlibrary.com
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1c9c5d01e9960f5) (gupdate1c9c5d01e9960f5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: LAlarm Service (LAlarmService) - LAlarm Systems - C:\Program Files\LAlarm\LAlarmService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\rthlpsvc.exe
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

    --
    End of file - 11759 bytes
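A HijackThis log like the one above is normally read by eye, section by section. As an added example (not code from this thread, from HijackThis or from Trend Micro), the Python below parses entry lines of that format (R0/R1 registry values, O4 autoruns, O23 services) and applies three triage heuristics a helper applies when reading one: a start or search page that is not a Microsoft default, an autorun whose image lives under a user profile or temp directory, and a service with no identified publisher. The sample lines are copied from the log above; the regular expressions, the trusted-domain list and the profile-directory markers are my own assumptions, not HijackThis conventions, and a flagged entry is only something to look at, not a verdict.

```python
"""Triage parser for HijackThis v2 entry lines (added example, not HJT code)."""
import re
from urllib.parse import urlparse

# Every entry line has the shape "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
# R0/R1: "HKCU\Software\...\Main,Start Page = http://..." (data may be empty)
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = ?(?P<data>.*)$")
# O4: "HKLM\..\Run: [Name] command line"  (O4 Startup: lines do not match and stay raw)
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
# O23: "Service: Display (ShortName) - Publisher - path"; publisher may be missing ("- -")
O23_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?:(?P<publisher>.*?) )?- (?P<path>.+)$")
# First image on a command line, quoted or not, stopping at a quote, blank, comma or end.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|vbs|bat|cmd|scr))(?=["\s,]|$)', re.I)

# Assumptions for the heuristics (not HJT rules): IE defaults live on microsoft.com,
# and legitimate autoruns rarely run from a profile or temp directory.
DEFAULT_PAGE_DOMAINS = ("microsoft.com",)
PROFILE_MARKERS = ("\\appdata\\", "\\temp\\", "%temp%", "%appdata%")


def parse_line(line):
    """Return (section, fields) for an HJT entry line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    fields = {"raw": rest}
    sub = None
    if section in ("R0", "R1"):
        sub = R_RE.match(rest)
    elif section == "O4":
        sub = O4_RE.match(rest)
    elif section == "O23":
        sub = O23_RE.match(rest)
    if sub:
        fields.update({k: (v or "") for k, v in sub.groupdict().items()})
    return section, fields


def launched_image(command):
    """Best-effort path of the code an O4 entry really runs (rundll32 -> its DLL)."""
    command = command.strip()
    m = EXE_RE.match(command)
    if not m:
        return command
    exe = m.group("exe")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # rundll32 only hosts the code; the interesting image is the DLL argument
        target = command[m.end():].strip().split(",")[0]
        tm = EXE_RE.match(target)
        return tm.group("exe") if tm else target
    return exe


def triage(log_text):
    """Apply the three heuristics; returns a list of (section, finding, detail)."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, f = parsed
        if section in ("R0", "R1") and f.get("data"):
            host = urlparse(f["data"]).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in DEFAULT_PAGE_DOMAINS):
                findings.append((section, "non-Microsoft start/search page", host))
        elif section == "O4" and "command" in f:
            image = launched_image(f["command"]).lower()
            if any(marker in image for marker in PROFILE_MARKERS):
                findings.append((section, "autorun image under user profile or temp dir", f["name"]))
        elif section == "O23" and "path" in f:
            publisher = f.get("publisher", "")
            if not publisher or publisher.lower() == "unknown owner":
                findings.append((section, "service with no identified publisher", f["name"]))
    return findings


def summarize(log_text):
    """Count entry lines per HJT section."""
    counts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts


# Sample lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=13739&l=dir
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Bonnie\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - Startup: HughesNetStatusMeter.lnk = C:\Program Files\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for section, finding, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {finding}: {detail}")
```

On the sample above the script flags the ask.com start page (the item the thread is about), the SansaDispatch autorun running from AppData, and the two services with no publisher; the rundll32 entry is resolved to its NVIDIA DLL in system32 and passes. Everything it flags still has to be checked against the vendor and file location before anything is removed.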
     
  13. 2009/11/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double-click on TFC.exe to run the program.
    Click on the Start button to begin the cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
  14. 2009/11/05
    cda25

    cda25 Inactive Thread Starter

    Joined:
    2009/11/01
    Messages:
    13
    Likes Received:
    0
    Good and bad news

    Good news:

    Computer is starting up much faster and seems to be operating well.
    MS updates are now installing.


    Bad news:
    Operations that still fail are the scandisk utility and defrag.

    I tell scandisk to run on restart and it does not.

    Defrag analyzes and tells me that I need to defrag, but when I click on "defrag now" it returns to "your file system can be improved by defragging" after only a second of attempting to defrag.

    The temporary file cleaner program ran for hours and seemed to delete the files because it stated the number that was deleted; however, there was an error notice on top of the notice to reboot: C:\windows\temp is corrupt and unreadable. Run chkdsk utility.

    Ask.com/dictionary.com is still listed in my program and services list and will not delete. I get error 1316 A network error occurred while attempting to read C:\windows\installer\ask toolbar.msi AND cannot find script file c:\users\bonnie\appdata\local\temp\del_askHPRFF.VBS

    WMI provider host has stopped working and was closed error message is still appearing.
     
  15. 2009/11/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It's not running anymore, so it's most likely just a registry leftover.
    Download and run Add/Remove program cleaner (works with Vista): http://www.intelliadmin.com/blog/addremovecleaner.exe and remove the entry.

    For all other non-malware related issues, you'll need to start a new topic in the Windows section.
     
