
As per instructions from Jacee(Resolved)


  • This topic is locked
17 replies to this topic

#1 dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 02 September 2009 - 06:53 PM

I have a problem with problems caused by Windows Antivirus Pro.

http://forums.pcpits...w...172142&st=0

I'm including the 2 log files from DDS.


DDS (Ver_09-07-30.01) - NTFSx86
Run by iamphil at 18:45:28.57 on Wed 09/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2738 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Folding@home\Folding@home-gpu\Folding@home.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe
C:\Documents and Settings\iamphil\Application Data\Folding@home-x86\FahCore_78.exe
C:\Documents and Settings\iamphil\Application Data\Folding@home-gpu\FahCore_11.exe
D:\down\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = forums.pcpitstop.com/index.php?
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/anti-virus/uninstall/
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
StartupFolder: c:\docume~1\iamphil\startm~1\programs\startup\foldin~1.lnk - c:\docume~1\iamphil\applic~1\microsoft\installer\{4aa947a0-0ba8-4065-b8ee-29c6da9661ee}\_41346D1BD9E98636678C85.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249652376531
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iamphil\applic~1\mozilla\firefox\profiles\52tptwi0.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.pcpitstop.com/index.php?

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-11 12552]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-8-12 40560]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-11 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-11 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-11 108552]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-9-1 305936]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-8-6 1057024]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

=============== Created Last 30 ================

2009-09-02 05:21 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-01 23:20 389,120 a------- c:\windows\system32\CF7427.exe
2009-09-01 22:43 <DIR> a-dshr-- C:\cmdcons
2009-09-01 22:41 229,376 a------- c:\windows\PEV.exe
2009-09-01 22:41 161,792 a------- c:\windows\SWREG.exe
2009-09-01 22:41 98,816 a------- c:\windows\sed.exe
2009-09-01 22:41 389,120 a------- c:\windows\system32\CF31127.exe
2009-09-01 22:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 22:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-01 22:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-09-01 22:06 <DIR> --d----- c:\program files\IObit
2009-09-01 20:36 <DIR> --d----- c:\documents and settings\iamphil\DoctorWeb
2009-09-01 19:41 <DIR> --d----- c:\program files\Trend Micro
2009-09-01 18:09 7,680 a------- c:\windows\system32\drivers\RKL1A90.tmp.sys
2009-09-01 08:49 352 a---h--- c:\windows\nod32fixtemdono.reg
2009-09-01 08:44 <DIR> --d----- c:\program files\ESET
2009-09-01 08:32 157,712 a------- c:\windows\system32\drivers\tmcomm.sys
2009-09-01 07:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-01 07:41 <DIR> --d----- c:\docume~1\iamphil\applic~1\SUPERAntiSpyware.com
2009-08-31 19:04 <DIR> --d----- c:\program files\a-squared Anti-Malware
2009-08-28 04:34 120 a------- c:\windows\Vrufobunitoba.dat
2009-08-27 18:29 <DIR> --d----- C:\SIERRA
2009-08-27 18:29 <DIR> --d----- c:\program files\WON
2009-08-27 18:29 <DIR> --d----- c:\program files\Sierra On-Line
2009-08-27 18:29 433 a------- c:\windows\SIERRA.INI
2009-08-27 18:29 327,168 a------- c:\windows\IsUninst.exe
2009-08-26 19:44 <DIR> --d----- c:\program files\ieSpell
2009-08-26 16:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-08-26 16:34 <DIR> --d----- c:\program files\Panda Security
2009-08-26 10:46 <DIR> --d----- c:\docume~1\iamphil\applic~1\Malwarebytes
2009-08-26 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-26 08:40 <DIR> --d----- c:\docume~1\iamphil\applic~1\URSoft
2009-08-26 08:40 <DIR> --d----- c:\program files\Your Uninstaller 2008
2009-08-26 07:14 1,013 a------- c:\windows\test.html
2009-08-26 07:13 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-08-26 06:26 <DIR> --d----- c:\windows\Downloaded Installations
2009-08-26 00:45 <DIR> --d----- c:\docume~1\iamphil\applic~1\JLC's Software
2009-08-20 18:38 <DIR> --d----- c:\program files\ffdshow
2009-08-20 18:22 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-19 01:05 <DIR> --d----- c:\program files\Philips
2009-08-18 20:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-18 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-15 11:30 42 a------- c:\windows\system32\Jiii_PNUCT.pnc
2009-08-15 11:30 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-08-13 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\redistpart
2009-08-13 18:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\createpart
2009-08-13 18:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\launcher
2009-08-13 18:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\explauncher
2009-08-12 23:23 <DIR> --d----- c:\program files\RivaTuner v2.24
2009-08-12 23:22 <DIR> --d-h--- c:\windows\PIF
2009-08-12 20:01 40,560 a------- c:\windows\system32\drivers\hotcore3.sys
2009-08-12 20:00 <DIR> --d----- c:\program files\Paragon Software
2009-08-12 18:14 <DIR> --d----- c:\docume~1\iamphil\applic~1\MailWasherPro
2009-08-12 18:14 <DIR> --d----- c:\program files\FireTrust
2009-08-12 08:12 <DIR> --d----- c:\program files\VideoLAN
2009-08-12 01:43 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 01:43 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-11 23:22 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-11 23:22 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-11 23:22 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-11 23:22 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-11 23:22 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-11 23:22 <DIR> --d----- c:\program files\AVG
2009-08-11 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-11 19:11 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-08-11 18:08 <DIR> --d----- c:\program files\uTorrent
2009-08-11 18:08 <DIR> --d----- c:\docume~1\iamphil\applic~1\uTorrent
2009-08-08 11:18 <DIR> --d----- c:\docume~1\iamphil\applic~1\Goodsol
2009-08-08 11:17 <DIR> --d----- c:\program files\goodsol
2009-08-08 11:15 <DIR> --d----- c:\program files\Mahjong The Endless Journey
2009-08-08 11:14 <DIR> --d----- c:\program files\ReflexiveArcade
2009-08-08 02:15 <DIR> --d----- c:\docume~1\iamphil\applic~1\Auslogics
2009-08-08 02:13 <DIR> --d----- c:\program files\Auslogics
2009-08-08 00:24 <DIR> --d----- c:\docume~1\iamphil\applic~1\Folding@home-gpu
2009-08-08 00:22 <DIR> --d----- c:\program files\Folding@home
2009-08-08 00:22 <DIR> --d----- c:\docume~1\iamphil\applic~1\Folding@home-x86
2009-08-08 00:17 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-08 00:03 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-07 11:44 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 11:44 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 11:44 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 11:44 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 11:44 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-07 11:44 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-07 11:44 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-07 11:20 <DIR> --d----- c:\windows\system32\scripting
2009-08-07 11:20 <DIR> --d----- c:\windows\system32\en
2009-08-07 11:20 <DIR> --d----- c:\windows\l2schemas
2009-08-07 11:20 <DIR> --d----- c:\windows\system32\bits
2009-08-07 11:19 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-07 11:17 <DIR> --d----- c:\windows\network diagnostic
2009-08-07 11:09 701,440 -------- c:\windows\system32\drivers\ati2mtag.sys
2009-08-07 10:55 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-08-07 10:54 <DIR> --d----- c:\windows\RegisteredPackages
2009-08-07 10:54 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-08-07 10:31 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-08-07 10:31 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-08-07 10:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-07 10:29 200,819 a------- c:\windows\system32\nvapps.xml
2009-08-07 10:29 <DIR> --d----- c:\windows\nview
2009-08-07 10:29 453,152 a------- c:\windows\system32\nvudisp.exe
2009-08-07 10:29 18,477 a------- c:\windows\system32\nvdisp.nvu
2009-08-07 10:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-08-07 10:27 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-08-07 10:27 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 10:27 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-08-07 10:27 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 10:26 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-08-07 10:26 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-08-07 10:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-07 10:23 <DIR> --d----- c:\windows\pss
2009-08-07 10:22 60,032 a------- c:\windows\system32\drivers\usbaudio.sys
2009-08-07 10:21 26,496 a------- c:\windows\system32\drivers\SET6.tmp
2009-08-07 10:21 26,496 -------- c:\windows\system32\drivers\SET7.tmp
2009-08-07 10:21 26,496 a------- c:\windows\system32\drivers\SET4.tmp
2009-08-07 10:21 26,496 -------- c:\windows\system32\drivers\SET5.tmp
2009-08-07 10:21 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-08-07 06:42 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-07 06:42 <DIR> --d-h--- c:\windows\$hf_mig$
2009-08-07 06:39 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-08-07 06:39 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-08-07 06:39 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-08-07 06:39 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-08-07 06:39 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-07 06:39 <DIR> --ds---- c:\documents and settings\iamphil\UserData
2009-08-07 06:24 <DIR> --d----- c:\program files\Lavalys
2009-08-07 06:22 499,712 a------- c:\windows\system32\msvcp71.dll
2009-08-07 06:22 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-07 06:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-07 06:19 13,646 a------- c:\windows\system32\wpa.bak
2009-08-06 23:07 115,328 a----r-- c:\windows\system32\drivers\Rtenicxp.sys
2009-08-06 23:07 9,728 a----r-- c:\windows\system32\RtNicProp32.dll
2009-08-06 23:07 <DIR> --d----- c:\windows\OPTIONS
2009-08-06 23:07 <DIR> --d----- c:\program files\Realtek
2009-08-06 23:03 <DIR> --d----- c:\program files\VIA
2009-08-06 23:03 331,184 -------- c:\windows\system32\difxapi.dll
2009-08-06 23:03 5,810 a----r-- c:\windows\system32\drivers\ASACPI.sys
2009-08-06 23:02 28,099 a------- c:\windows\Ascd_tmp.ini
2009-08-06 23:02 10,296 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-08-06 22:59 <DIR> --d----- c:\documents and settings\iamphil
2009-08-06 22:58 <DIR> --ds---- c:\windows\system32\Microsoft
2009-08-06 22:57 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-06 22:54 57,856 ac------ c:\windows\system32\dllcache\EXCH_scripto.dll
2009-08-06 22:53 189,986 ac------ c:\windows\system32\dllcache\c_1361.nls
2009-08-06 22:52 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-08-06 22:52 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-08-06 22:52 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-08-06 22:52 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-08-06 22:52 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-08-06 22:52 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-08-06 22:52 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-08-06 22:52 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-08-06 22:52 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-08-06 22:52 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-08-06 22:52 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-08-06 22:52 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-08-06 22:52 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-08-06 22:52 <DIR> --d----- c:\windows\system32\DirectX
2009-08-06 22:51 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-06 22:50 <DIR> --d----- c:\program files\Online Services
2009-08-06 22:50 <DIR> --d----- c:\program files\Messenger
2009-08-06 22:50 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-08-06 22:49 <DIR> --d----- c:\program files\Windows NT
2009-08-06 21:15 <DIR> --d----- c:\program files\Ulead Systems
2009-08-06 21:10 <DIR> --d----- c:\program files\ASUS
2009-08-06 21:10 <DIR> --d----- c:\program files\AMD
2009-08-06 03:42 <DIR> --d----- c:\program files\common files\ODBC
2009-08-06 03:42 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-08-06 03:41 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-09-01 22:43 56,320 a------- c:\windows\system32\eventlog.dll
2009-08-06 22:50 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 18:56 4,248,840 a------- c:\windows\system32\qtp-mt334.dll
2009-08-04 18:56 248,584 a------- c:\windows\system32\prgiso.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 18:45:46.76 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/6/2009 10:55:22 PM
System Uptime: 9/2/2009 5:46:34 AM (13 hours ago)

Motherboard: ASUSTeK Computer INC. | | M3A76-CM
Processor: AMD Athlon™ Dual Core Processor 5050e | AM2 | 2600/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 78 GiB total, 70.702 GiB free.
D: is FIXED (NTFS) - 220 GiB total, 218.278 GiB free.
H: is CDROM ()
I: is FIXED (NTFS) - 932 GiB total, 453.954 GiB free.
J: is FIXED (NTFS) - 373 GiB total, 372.511 GiB free.
W: is Removable
X: is Removable
Y: is Removable
Z: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_1002&DEV_4383&SUBSYS_82EA1043&REV_00\3&267A616A&0&A2
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_1002&DEV_4383&SUBSYS_82EA1043&REV_00\3&267A616A&0&A2
Service: HDAudBus

Class GUID:
Description:
Device ID: ROOT\LEGACY_BEEP\XX_KBIWKMUNUSWFNY_XX
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_BEEP\XX_KBIWKMUNUSWFNY_XX
Service: kbiwkmunuswfny

==== System Restore Points ===================

RP1: 9/1/2009 11:17:48 PM - System Checkpoint
RP2: 9/2/2009 5:17:29 AM - Installed Windows XP KB969897.

==== Installed Programs ======================

µTorrent
Adobe Reader 8.1.3
AMD Processor Driver
ASUSUpdate
AusLogics BoostSpeed
Cool & Quiet
ESET NOD32 Antivirus
EVEREST Home Edition v2.20
Folding@home-gpu
Folding@home-x86
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hoyle Mahjong Tiles
ieSpell
ImgBurn
IObit Security 360 RC
Mahjong The Endless Journey
MailWasher Pro
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft LifeCam
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Opera 9.64
Paragon Partition Manager™ 9.5 Professional
PC Probe II
Platform
Pretty Good Solitaire version 9.1.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver
RivaTuner v2.24
SA30xx Device Manager
SA30xx Media Converter
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VIA Platform Device Manager
VLC media player 0.9.9
WebFldrs XP
Winamp
Windows Defender
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
Your Uninstaller! 2008 Version 6.0

==== Event Viewer Messages From Past Week ========

9/1/2009 9:15:21 PM, error: Service Control Manager [7000] - The Windows Defender service failed to start due to the following error: Access is denied.
9/1/2009 9:15:06 PM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/1/2009 8:52:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
9/1/2009 8:52:15 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/1/2009 8:17:35 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AsIO AvgLdx86 AvgMfx86 Fips pavboot SASDIFSV SASKUTIL
9/1/2009 7:52:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
9/1/2009 7:52:07 PM, error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3221684350 (0xC007007E).
9/1/2009 7:52:07 PM, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The service has returned a service-specific error code.
9/1/2009 7:50:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/1/2009 7:41:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/1/2009 7:38:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AsIO AvgLdx86 AvgMfx86 easdrv Fips SASDIFSV SASKUTIL
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmpns.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 9.0.0.4503.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmpband.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\setup_wm.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5146.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\npwmsdrm.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 9.0.0.4503.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\npdsplay.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.0.2.629.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\npdrmv2.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 9.0.0.4503.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\mplayer2.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.4.9.1126.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\migrate.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 9.0.0.4503.
9/1/2009 7:31:51 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\custsat.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 9.0.2600.5512.
9/1/2009 5:28:18 PM, error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
9/1/2009 5:28:17 PM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/1/2009 10:49:37 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
9/1/2009 10:46:11 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
9/1/2009 10:46:11 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
9/1/2009 10:46:09 PM, error: SRService [104] - The System Restore initialization process failed.
9/1/2009 10:43:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
8/31/2009 6:40:37 PM, error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
8/31/2009 3:22:38 PM, information: Windows File Protection [64007] - The protected system file eventlog.dll could not be verified as valid because the file was in use. Use the SFC utility to verify the integrity of the file at a later time.

==== End Of File ===========================


Thanks for any help. :)
Make four wishes for yourself and work towards making them happen.

#2 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 02 September 2009 - 08:47 PM

Hi dickster

I see 2 antivirus
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
......need to get this whittled down to 1 please.



If you have downloaded and used ComboFix, please delete now.

Download a fresh copy

Download Combofix© by sUBs from any of the links below. You must rename it before saving it.


Rename ComboFix.exe to ComboFix.com

Save it to your desktop.

Link 1
Link 2



Posted Image


Posted Image
  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
(Click on this link to see a list of programs that should be disabled.)
http://www.bleepingc...opic114351.html

Please leave the flash drive plugged in while completing the following.

Double click on Combo-Fix.exe & follow the prompts.

Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

Posted Image

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


No Validation is Required.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



** Please Note:
At times ComboFix may appear to stall, please be patient.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Please only run the tool once, ty.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

You may need several replies to post the requested logs, otherwise they might get cut off.

Edited by Juliet, 03 September 2009 - 05:57 AM.

Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#3 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 03 September 2009 - 02:29 PM

My combofix log as requested. I still can't run HJT to post that log here. I uninstalled AVG but what you see was left behind. I don't have the .exe file to reinstall, and can't get it to stop running.

ComboFix 09-09-02.02 - iamphil 09/03/2009 8:18.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2632 [GMT -7:00]
Running from: c:\documents and settings\iamphil\Desktop\ComboFix.com
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-02 12:21 . 2009-09-02 12:21 -------- d-----w- c:\program files\Enigma Software Group
2009-09-02 05:17 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 05:17 . 2009-09-02 05:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 05:17 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\program files\IObit
2009-09-02 04:14 . 2009-09-02 04:14 -------- d-----w- c:\program files\Windows Defender
2009-09-02 03:36 . 2009-09-02 03:36 -------- d-----w- c:\documents and settings\iamphil\DoctorWeb
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\program files\Trend Micro
2009-09-02 01:09 . 2009-09-02 01:09 7680 ----a-w- c:\windows\system32\drivers\RKL1A90.tmp.sys
2009-09-01 16:05 . 2009-09-01 16:05 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\ESET
2009-09-01 15:58 . 2009-09-01 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-09-01 15:49 . 2008-01-07 21:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-09-01 15:44 . 2009-09-01 15:44 -------- d-----w- c:\program files\ESET
2009-09-01 15:44 . 2009-09-01 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-01 15:32 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-01 15:26 . 2009-09-01 15:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 15:20 . 2009-09-01 15:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2009-09-01 15:19 . 2009-09-01 15:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-01 14:41 . 2009-09-01 14:42 117760 ----a-w- c:\documents and settings\iamphil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-01 14:41 . 2009-09-01 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 14:41 . 2009-09-01 14:41 -------- d-----w- c:\documents and settings\iamphil\Application Data\SUPERAntiSpyware.com
2009-09-01 02:04 . 2009-09-01 16:31 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-08-28 17:09 . 2009-08-28 17:09 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Opera
2009-08-28 17:08 . 2009-08-28 17:08 -------- d-----w- c:\program files\Opera
2009-08-28 11:34 . 2009-08-28 11:34 120 ----a-w- c:\windows\Vrufobunitoba.dat
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- C:\SIERRA
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- c:\program files\WON
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- c:\program files\Sierra On-Line
2009-08-28 01:29 . 1998-10-03 02:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-08-28 01:13 . 2009-08-28 01:13 -------- d-----w- c:\documents and settings\iamphil\Application Data\Ulead Systems
2009-08-27 02:44 . 2009-08-27 02:44 -------- d-----w- c:\program files\ieSpell
2009-08-26 23:55 . 2009-08-26 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-08-26 23:34 . 2009-09-02 02:28 -------- d-----w- c:\program files\Panda Security
2009-08-26 17:46 . 2009-08-26 17:46 -------- d-----w- c:\documents and settings\iamphil\Application Data\Malwarebytes
2009-08-26 17:46 . 2009-08-26 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 15:40 . 2009-08-26 15:40 -------- d-----w- c:\documents and settings\iamphil\Application Data\URSoft
2009-08-26 15:40 . 2009-08-26 15:40 -------- d-----w- c:\program files\Your Uninstaller 2008
2009-08-26 13:26 . 2009-08-26 13:26 -------- d-----w- c:\windows\Downloaded Installations
2009-08-26 07:45 . 2009-08-26 15:43 -------- d-----w- c:\documents and settings\iamphil\Application Data\JLC's Software
2009-08-25 00:18 . 2009-08-25 00:18 1656832 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\FahCore_a0.exe
2009-08-25 00:18 . 2009-08-25 00:18 1382280 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\libfftw3f-3.dll
2009-08-21 01:38 . 2009-08-26 15:42 -------- d-----w- c:\program files\ffdshow
2009-08-21 01:22 . 2009-08-21 01:22 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-21 01:22 . 2009-08-21 01:22 -------- d-----w- c:\windows\system32\LogFiles
2009-08-19 03:07 . 2009-08-19 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 03:07 . 2009-08-19 03:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 01:43 . 2009-08-14 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\redistpart
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\createpart
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\explauncher
2009-08-13 06:23 . 2009-08-13 06:23 -------- d-----w- c:\program files\RivaTuner v2.24
2009-08-13 06:22 . 2009-08-31 22:21 -------- d--h--w- c:\windows\PIF
2009-08-13 03:01 . 2009-08-05 01:56 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2009-08-13 03:00 . 2009-08-13 03:00 -------- d-----w- c:\program files\Paragon Software
2009-08-13 01:17 . 2009-08-13 01:17 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Identities
2009-08-13 01:14 . 2009-08-26 13:21 -------- d-----w- c:\documents and settings\iamphil\Application Data\MailWasherPro
2009-08-13 01:14 . 2009-08-13 01:14 -------- d-----w- c:\program files\FireTrust
2009-08-12 15:15 . 2009-08-12 15:15 -------- d-----w- c:\documents and settings\iamphil\Application Data\vlc
2009-08-12 15:12 . 2009-08-12 15:12 -------- d-----w- c:\program files\VideoLAN
2009-08-12 13:47 . 2009-08-12 13:47 0 ----a-w- c:\windows\nsreg.dat
2009-08-12 13:47 . 2009-08-12 13:47 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Mozilla
2009-08-12 08:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 06:22 . 2009-08-12 06:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-12 06:22 . 2009-08-12 06:27 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-12 06:22 . 2009-08-12 06:27 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-12 06:22 . 2009-08-12 06:27 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-12 06:22 . 2009-08-12 06:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-12 06:22 . 2009-09-01 13:51 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-12 06:22 . 2009-08-12 06:22 -------- d-----w- c:\program files\AVG
2009-08-12 06:22 . 2009-09-01 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-12 02:15 . 2009-08-12 02:15 -------- d-----w- c:\program files\ImgBurn
2009-08-12 02:11 . 2009-08-12 02:11 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-08-12 01:08 . 2009-08-12 01:08 -------- d-----w- c:\program files\uTorrent
2009-08-12 01:08 . 2009-08-26 15:39 -------- d-----w- c:\documents and settings\iamphil\Application Data\uTorrent
2009-08-09 04:55 . 2009-08-09 04:55 1843200 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu\FahCore_11.exe
2009-08-08 18:18 . 2009-08-08 18:18 -------- d-----w- c:\documents and settings\iamphil\Application Data\Goodsol
2009-08-08 18:17 . 2009-08-08 18:17 -------- d-----w- c:\program files\goodsol
2009-08-08 18:15 . 2009-08-08 18:16 -------- d-----w- c:\program files\Mahjong The Endless Journey
2009-08-08 18:14 . 2009-08-08 18:14 -------- d-----w- c:\program files\ReflexiveArcade
2009-08-08 09:15 . 2009-08-26 23:14 -------- d-----w- c:\documents and settings\iamphil\Application Data\Auslogics
2009-08-08 09:13 . 2009-08-08 09:13 -------- d-----w- c:\program files\Auslogics
2009-08-08 07:25 . 2009-08-08 07:25 1298432 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu\FahCore_14.exe
2009-08-08 07:24 . 2009-09-02 05:57 -------- d-----w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu
2009-08-08 07:24 . 2009-08-18 23:48 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_6FEFF9B68218417F98F549.exe
2009-08-08 07:24 . 2009-08-18 23:48 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_41346D1BD9E98636678C85.exe
2009-08-08 07:24 . 2009-08-18 23:48 10134 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_5429DBF727E2384037BDE1.exe
2009-08-08 07:24 . 2009-08-08 07:24 2338816 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\FahCore_78.exe
2009-08-08 07:22 . 2009-08-08 07:22 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-08-08 07:22 . 2009-08-08 07:22 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-08-08 07:22 . 2009-08-08 07:22 10134 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-08-08 07:22 . 2009-09-01 02:49 -------- d-----w- c:\documents and settings\iamphil\Application Data\Folding@home-x86
2009-08-08 07:22 . 2009-08-08 07:24 -------- d-----w- c:\program files\Folding@home
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\program files\MSBuild
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 18:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 18:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 18:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 18:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 18:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 18:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 18:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\scripting
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\en
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\l2schemas
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\bits
2009-08-07 18:19 . 2009-08-07 18:21 -------- d-----w- c:\windows\ServicePackFiles
2009-08-07 18:09 . 2004-08-04 05:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-08-07 17:55 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\ndisip.sys
2009-08-07 17:55 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\streamip.sys
2009-08-07 17:55 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\mstee.sys
2009-08-07 17:55 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\slip.sys
2009-08-07 17:55 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\wstcodec.sys
2009-08-07 17:55 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\nabtsfec.sys
2009-08-07 17:55 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\ccdecode.sys
2009-08-07 17:55 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-07 17:55 . 2009-08-07 17:55 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-07 17:54 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-07 17:31 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-08-07 17:31 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-07 17:29 . 2009-08-07 17:29 -------- d-----w- c:\windows\nview
2009-08-07 17:29 . 2008-10-07 05:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-07 17:28 . 2008-10-02 17:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-07 17:27 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 05:43 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-02 02:30 . 2009-08-07 04:15 -------- d-----w- c:\program files\Ulead Systems
2009-09-02 02:30 . 2009-08-07 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-01 15:18 . 2009-08-07 17:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 13:54 . 2009-08-26 13:44 -------- d-----w- c:\documents and settings\iamphil\Application Data\Winamp
2009-08-26 13:45 . 2009-08-26 13:44 -------- d-----w- c:\program files\Winamp
2009-08-19 08:05 . 2009-08-19 08:05 -------- d-----w- c:\program files\Philips
2009-08-10 16:47 . 2009-08-07 04:12 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-08 08:26 . 2009-08-07 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-08 07:55 . 2009-08-07 04:10 -------- d-----w- c:\program files\ASUS
2009-08-07 17:30 . 2009-08-07 17:30 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-07 06:04 . 2009-08-07 06:03 -------- d-----w- c:\program files\VIA
2009-08-07 05:53 . 2009-08-07 05:53 -------- d-----w- c:\program files\microsoft frontpage
2009-08-07 05:50 . 2009-08-07 05:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-07 04:10 . 2009-08-07 04:10 -------- d-----w- c:\program files\AMD
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:56 . 2009-08-05 01:56 4248840 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-08-05 01:56 . 2009-08-05 01:56 248584 ----a-w- c:\windows\system32\prgiso.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2009-08-07 05:49 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-08-21 943888]

c:\documents and settings\iamphil\Start Menu\Programs\Startup\
Folding@home.lnk - c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_41346D1BD9E98636678C85.exe [2009-8-8 98477]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-12 06:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ASUS\\ASUSUpdate\\Update.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Charon\\Stan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/11/2009 11:22 PM 12552]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/12/2009 8:01 PM 40560]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/11/2009 11:22 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/11/2009 11:22 PM 108552]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [9/1/2009 10:06 PM 305936]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/6/2009 11:04 PM 1057024]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe


.
------- Supplementary Scan -------
.
uStart Page = forums.pcpitstop.com/index.php?
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/anti-virus/uninstall/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\iamphil\Application Data\Mozilla\Firefox\Profiles\52tptwi0.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.pcpitstop.com/index.php?
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 08:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(56592)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-03 8:22
ComboFix-quarantined-files.txt 2009-09-03 15:22

Pre-Run: 75,896,246,272 bytes free
Post-Run: 75,894,308,864 bytes free

256 --- E O F --- 2009-09-02 02:54

Edited by dickster, 03 September 2009 - 02:32 PM.


#4 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 03 September 2009 - 05:45 PM

Welcome back

Did you run CF three times?
ComboFix 09-09-02.02 - iamphil 09/03/2009 8:18.3.2 - NTFSx86

Check if you can find these files, please post them if found.
C:\qoobox\ComboFix2.txt
C:\qoobox\ComboFix3.txt


Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which should open.




I uninstalled AVG but what you see was left behind. I don't have the .exe file to reinstall, and can't get it to stop running.

We can remove it.

Experiment and see if you can update and then run a scan now with Malwarebytes' Anti-Malware, if you can please save the log.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad or any other text editor than Notepad, or the script will fail* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
File::
c:\windows\system32\drivers\avgtdix.sys
c:\windows\system32\drivers\avgrkx86.sys
c:\windows\system32\drivers\avgldx86.sys
c:\windows\system32\drivers\avgmfx86.sys
Folder::
c:\windows\system32\drivers\Avg
c:\program files\AVG
c:\documents and settings\All Users\Application Data\avg8
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
Driver::
AvgRkx86
AvgLdx86
AvgTdiX
avg8emc
avg8wd

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download and run Win32kDiag:

In your next reply post:
Combofix.txt
MBAM log if possible
Win32kDiag.txt




How's the computer?

Edited by Juliet, 03 September 2009 - 06:24 PM.

Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#5 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 04 September 2009 - 06:06 AM

Was still not able to get Malwarebytes to run, but here are the others.

Quarantine log.

2009-09-03 15:21:57 . 2009-09-03 15:21:57 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-AVG8_TRAY.reg.dat
2009-09-03 15:21:57 . 2009-09-03 15:21:57 159 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-SUPERAntiSpyware.reg.dat
2009-09-03 15:21:37 . 2007-08-17 20:48:16 40 ----a-w- C:\Qoobox\Quarantine\I\Autorun.inf.vir
2009-09-03 15:20:47 . 2009-09-03 15:20:47 5,937 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-03 15:15:12 . 2009-09-03 15:15:12 51 ----a-w- C:\Qoobox\Quarantine\catchme.log



New combofix log.

ComboFix 09-09-03.02 - iamphil 09/04/2009 7:00.6.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2909 [GMT -7:00]
Running from: c:\documents and settings\iamphil\Desktop\ComboFix.com
Command switches used :: c:\docume~1\iamphil\Desktop\CFScript.txt
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\drivers\avgldx86.sys"
"c:\windows\system32\drivers\avgmfx86.sys"
"c:\windows\system32\drivers\avgrkx86.sys"
"c:\windows\system32\drivers\avgtdix.sys"
.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-02 12:21 . 2009-09-02 12:21 -------- d-----w- c:\program files\Enigma Software Group
2009-09-02 05:17 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 05:17 . 2009-09-02 05:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 05:17 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\program files\IObit
2009-09-02 04:14 . 2009-09-02 04:14 -------- d-----w- c:\program files\Windows Defender
2009-09-02 03:36 . 2009-09-02 03:36 -------- d-----w- c:\documents and settings\iamphil\DoctorWeb
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\program files\Trend Micro
2009-09-02 01:09 . 2009-09-02 01:09 7680 ----a-w- c:\windows\system32\drivers\RKL1A90.tmp.sys
2009-09-01 16:05 . 2009-09-01 16:05 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\ESET
2009-09-01 15:58 . 2009-09-01 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-09-01 15:49 . 2008-01-07 21:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-09-01 15:44 . 2009-09-01 15:44 -------- d-----w- c:\program files\ESET
2009-09-01 15:44 . 2009-09-01 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-01 15:32 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-01 15:26 . 2009-09-01 15:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 15:20 . 2009-09-01 15:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2009-09-01 15:19 . 2009-09-01 15:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-01 14:41 . 2009-09-01 14:42 117760 ----a-w- c:\documents and settings\iamphil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-01 14:41 . 2009-09-01 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 14:41 . 2009-09-01 14:41 -------- d-----w- c:\documents and settings\iamphil\Application Data\SUPERAntiSpyware.com
2009-09-01 02:04 . 2009-09-01 16:31 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-08-28 17:09 . 2009-08-28 17:09 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Opera
2009-08-28 17:08 . 2009-08-28 17:08 -------- d-----w- c:\program files\Opera
2009-08-28 11:34 . 2009-08-28 11:34 120 ----a-w- c:\windows\Vrufobunitoba.dat
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- C:\SIERRA
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- c:\program files\WON
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- c:\program files\Sierra On-Line
2009-08-28 01:29 . 1998-10-03 02:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-08-28 01:13 . 2009-08-28 01:13 -------- d-----w- c:\documents and settings\iamphil\Application Data\Ulead Systems
2009-08-27 02:44 . 2009-08-27 02:44 -------- d-----w- c:\program files\ieSpell
2009-08-26 23:55 . 2009-08-26 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-08-26 23:34 . 2009-09-02 02:28 -------- d-----w- c:\program files\Panda Security
2009-08-26 17:46 . 2009-08-26 17:46 -------- d-----w- c:\documents and settings\iamphil\Application Data\Malwarebytes
2009-08-26 17:46 . 2009-08-26 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 15:40 . 2009-08-26 15:40 -------- d-----w- c:\documents and settings\iamphil\Application Data\URSoft
2009-08-26 15:40 . 2009-08-26 15:40 -------- d-----w- c:\program files\Your Uninstaller 2008
2009-08-26 13:26 . 2009-08-26 13:26 -------- d-----w- c:\windows\Downloaded Installations
2009-08-26 07:45 . 2009-08-26 15:43 -------- d-----w- c:\documents and settings\iamphil\Application Data\JLC's Software
2009-08-25 00:18 . 2009-08-25 00:18 1656832 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\FahCore_a0.exe
2009-08-25 00:18 . 2009-08-25 00:18 1382280 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\libfftw3f-3.dll
2009-08-21 01:38 . 2009-08-26 15:42 -------- d-----w- c:\program files\ffdshow
2009-08-21 01:22 . 2009-08-21 01:22 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-21 01:22 . 2009-08-21 01:22 -------- d-----w- c:\windows\system32\LogFiles
2009-08-19 03:07 . 2009-08-19 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 03:07 . 2009-08-19 03:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 01:43 . 2009-08-14 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\redistpart
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\createpart
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\explauncher
2009-08-13 06:23 . 2009-08-13 06:23 -------- d-----w- c:\program files\RivaTuner v2.24
2009-08-13 06:22 . 2009-08-31 22:21 -------- d--h--w- c:\windows\PIF
2009-08-13 03:01 . 2009-08-05 01:56 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2009-08-13 03:00 . 2009-08-13 03:00 -------- d-----w- c:\program files\Paragon Software
2009-08-13 01:17 . 2009-08-13 01:17 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Identities
2009-08-13 01:14 . 2009-08-26 13:21 -------- d-----w- c:\documents and settings\iamphil\Application Data\MailWasherPro
2009-08-13 01:14 . 2009-08-13 01:14 -------- d-----w- c:\program files\FireTrust
2009-08-12 15:15 . 2009-08-12 15:15 -------- d-----w- c:\documents and settings\iamphil\Application Data\vlc
2009-08-12 15:12 . 2009-08-12 15:12 -------- d-----w- c:\program files\VideoLAN
2009-08-12 13:47 . 2009-08-12 13:47 0 ----a-w- c:\windows\nsreg.dat
2009-08-12 13:47 . 2009-08-12 13:47 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Mozilla
2009-08-12 08:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 06:22 . 2009-08-12 06:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-12 02:15 . 2009-08-12 02:15 -------- d-----w- c:\program files\ImgBurn
2009-08-12 02:11 . 2009-08-12 02:11 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-08-12 01:08 . 2009-08-12 01:08 -------- d-----w- c:\program files\uTorrent
2009-08-12 01:08 . 2009-08-26 15:39 -------- d-----w- c:\documents and settings\iamphil\Application Data\uTorrent
2009-08-09 04:55 . 2009-08-09 04:55 1843200 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu\FahCore_11.exe
2009-08-08 18:18 . 2009-08-08 18:18 -------- d-----w- c:\documents and settings\iamphil\Application Data\Goodsol
2009-08-08 18:17 . 2009-08-08 18:17 -------- d-----w- c:\program files\goodsol
2009-08-08 18:15 . 2009-08-08 18:16 -------- d-----w- c:\program files\Mahjong The Endless Journey
2009-08-08 18:14 . 2009-08-08 18:14 -------- d-----w- c:\program files\ReflexiveArcade
2009-08-08 09:15 . 2009-08-26 23:14 -------- d-----w- c:\documents and settings\iamphil\Application Data\Auslogics
2009-08-08 09:13 . 2009-08-08 09:13 -------- d-----w- c:\program files\Auslogics
2009-08-08 07:25 . 2009-08-08 07:25 1298432 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu\FahCore_14.exe
2009-08-08 07:24 . 2009-09-04 02:32 -------- d-----w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu
2009-08-08 07:24 . 2009-08-18 23:48 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_6FEFF9B68218417F98F549.exe
2009-08-08 07:24 . 2009-08-18 23:48 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_41346D1BD9E98636678C85.exe
2009-08-08 07:24 . 2009-08-18 23:48 10134 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_5429DBF727E2384037BDE1.exe
2009-08-08 07:24 . 2009-08-08 07:24 2338816 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\FahCore_78.exe
2009-08-08 07:22 . 2009-08-08 07:22 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-08-08 07:22 . 2009-08-08 07:22 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-08-08 07:22 . 2009-08-08 07:22 10134 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-08-08 07:22 . 2009-09-01 02:49 -------- d-----w- c:\documents and settings\iamphil\Application Data\Folding@home-x86
2009-08-08 07:22 . 2009-08-08 07:24 -------- d-----w- c:\program files\Folding@home
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\program files\MSBuild
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 18:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 18:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 18:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 18:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 18:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 18:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 18:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\scripting
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\en
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\l2schemas
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\bits
2009-08-07 18:19 . 2009-08-07 18:21 -------- d-----w- c:\windows\ServicePackFiles
2009-08-07 18:09 . 2004-08-04 05:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-08-07 17:55 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\ndisip.sys
2009-08-07 17:55 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\streamip.sys
2009-08-07 17:55 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\mstee.sys
2009-08-07 17:55 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\slip.sys
2009-08-07 17:55 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\wstcodec.sys
2009-08-07 17:55 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\nabtsfec.sys
2009-08-07 17:55 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\ccdecode.sys
2009-08-07 17:55 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-07 17:55 . 2009-08-07 17:55 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-07 17:54 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-07 17:31 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-08-07 17:31 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-07 17:29 . 2009-08-07 17:29 -------- d-----w- c:\windows\nview
2009-08-07 17:29 . 2008-10-07 05:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-07 17:28 . 2008-10-02 17:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-07 17:27 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-08-07 17:27 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 17:27 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-08-07 17:27 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 17:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-08-07 17:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-07 17:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-08-07 17:22 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 05:43 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-02 02:30 . 2009-08-07 04:15 -------- d-----w- c:\program files\Ulead Systems
2009-09-02 02:30 . 2009-08-07 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-01 15:18 . 2009-08-07 17:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 13:54 . 2009-08-26 13:44 -------- d-----w- c:\documents and settings\iamphil\Application Data\Winamp
2009-08-26 13:45 . 2009-08-26 13:44 -------- d-----w- c:\program files\Winamp
2009-08-19 08:05 . 2009-08-19 08:05 -------- d-----w- c:\program files\Philips
2009-08-10 16:47 . 2009-08-07 04:12 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-08 08:26 . 2009-08-07 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-08 07:55 . 2009-08-07 04:10 -------- d-----w- c:\program files\ASUS
2009-08-07 17:30 . 2009-08-07 17:30 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-07 06:04 . 2009-08-07 06:03 -------- d-----w- c:\program files\VIA
2009-08-07 05:53 . 2009-08-07 05:53 -------- d-----w- c:\program files\microsoft frontpage
2009-08-07 05:50 . 2009-08-07 05:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-07 04:10 . 2009-08-07 04:10 -------- d-----w- c:\program files\AMD
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:56 . 2009-08-05 01:56 4248840 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-08-05 01:56 . 2009-08-05 01:56 248584 ----a-w- c:\windows\system32\prgiso.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-08-04 12:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2009-08-07 05:49 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_15.21.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-09-02 12:51 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-04 02:36 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-04 02:36 432686 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-02 12:51 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-08-21 943888]

c:\documents and settings\iamphil\Start Menu\Programs\Startup\
Folding@home.lnk - c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_41346D1BD9E98636678C85.exe [2009-8-8 98477]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ASUS\\ASUSUpdate\\Update.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Charon\\Stan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/12/2009 8:01 PM 40560]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [9/1/2009 10:06 PM 305936]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/6/2009 11:04 PM 1057024]
.
.
------- Supplementary Scan -------
.
uStart Page = forums.pcpitstop.com/index.php?
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/anti-virus/uninstall/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\iamphil\Application Data\Mozilla\Firefox\Profiles\52tptwi0.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.pcpitstop.com/index.php?
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 07:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-04 7:02
ComboFix-quarantined-files.txt 2009-09-04 14:02
ComboFix2.txt 2009-09-04 02:42
ComboFix3.txt 2009-09-03 15:22

Pre-Run: 75,802,181,632 bytes free
Post-Run: 75,771,162,624 bytes free

260 --- E O F --- 2009-09-04 13:49

Edited by dickster, 04 September 2009 - 07:05 AM.

Make four wishes for yourself and work towards making them happen.
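Added example for this thread (not the thread's own code, and not part of ComboFix): a small Python parser for the two ComboFix line formats in the log above, the "Files Created"/"Find3M" entries and the R0/R2/S1 service lines, so a helper can list the driver files created inside the scan window and the service entries whose image file ComboFix marked "[?]" as not found. The sample lines are copied from the log above; the column meanings (created . modified, R/S = running/stopped, start-type digit) are decoded here as an assumption about ComboFix's format.

```python
"""Parse the two ComboFix log line formats seen in the log posted above.

Added example for this thread, not part of the thread or of ComboFix.  The
column meanings (created . modified, R/S = running/stopped, start-type digit)
are how ComboFix prints them; decoding them here is this example's assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-09-02 01:09 . 2009-09-02 01:09 7680 ----a-w- c:\windows\system32\drivers\RKL1A90.tmp.sys
2009-09-02 05:17 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\program files\IObit
2009-08-28 11:34 . 2009-08-28 11:34 120 ----a-w- c:\windows\Vrufobunitoba.dat
2009-09-01 15:49 . 2008-01-07 21:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/12/2009 8:01 PM 40560]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
"""

# "<created> . <modified> <size or --------> <8-char attrs> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                     r"(-{8}|[\d,]+) ([-a-z]{8}) (.+)$")
# "<R|S><start type> <name>;<display name>;<image path> [<date size> or ?]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?) \[(.*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories, which ComboFix prints as "--------"
    attrs: str            # raw attribute field, e.g. "----a-w-" or "d--h--w-"
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class ServiceEntry:
    state: str            # "running" or "stopped"
    start_type: str       # boot / system / auto / manual / disabled
    name: str
    display_name: str
    image_path: str
    file_missing: bool    # ComboFix printed "[?]": the image file was not on disk


def parse_log(text: str) -> Tuple[List[FileEntry], List[ServiceEntry]]:
    """Return (file entries, service entries) found anywhere in a ComboFix log."""
    files: List[FileEntry] = []
    services: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append(FileEntry(datetime.strptime(created, TIME_FMT),
                                   datetime.strptime(modified, TIME_FMT),
                                   None if size.startswith("-") else int(size.replace(",", "")),
                                   attrs, path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, image, detail = m.groups()
            # "\??\X --> Y [?]": the registry pointed at X, resolved to Y, and Y was not found
            if " --> " in image:
                image = image.split(" --> ")[-1]
            if image.startswith("\\??\\"):
                image = image[4:]
            services.append(ServiceEntry("running" if state == "R" else "stopped",
                                         START_TYPES[start], name, display, image,
                                         detail.strip() == "?"))
    return files, services


def drivers_created_between(files: List[FileEntry], start: str, end: str) -> List[FileEntry]:
    """Driver files (.sys) created within [start, end]; dates given as YYYY-MM-DD."""
    lo, hi = datetime.strptime(start, "%Y-%m-%d"), datetime.strptime(end, "%Y-%m-%d")
    return [f for f in files
            if not f.is_directory and f.name.lower().endswith(".sys") and lo <= f.created <= hi]


def orphaned_services(services: List[ServiceEntry]) -> List[ServiceEntry]:
    """Service entries that are still registered although their image file is gone."""
    return [s for s in services if s.file_missing]
```

Feeding the whole posted log to `parse_log` instead of `SAMPLE_LOG` gives the helper the same two lists for every entry, without deciding on its own which files are malicious.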

#6 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 04 September 2009 - 06:11 AM

Win32kDiag.txt

Log file is located at: C:\Documents and Settings\iamphil\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP196.tmp\ZAP196.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB5.tmp\ZAPB5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\HMBRRP9R\HMBRRP9R
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\all
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\brt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\can
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\eng
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\as1.suitesmart.com\_f5e.swf\_f5e.swf
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\box.anchorfree.net\afso\afso.swf\afso.swf
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\cdn.widgetserver.com\cdn.widgetserver.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\cdn4.specificclick.net\img\img
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\files.deezer.com\swf\billboard-v40.swf\billboard-v40.swf
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\files.deezer.com\swf\player-v40.swf\player-v40.swf
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\flash.quantserve.com\flash.quantserve.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\gannett.a.mms.mavenapps.net\gannett.a.mms.mavenapps.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\is1.j.tv2n.net\is1.j.tv2n.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\pub.widgetbox.com\pub.widgetbox.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\udn.specificclick.net\udn.specificclick.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\video.flashtalking.com\video.flashtalking.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\www.crackle.com\www.crackle.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#as1.suitesmart.com\#as1.suitesmart.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#box.anchorfree.net\#box.anchorfree.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.widgetserver.com\#cdn.widgetserver.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn4.specificclick.net\#cdn4.specificclick.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#files.deezer.com\#files.deezer.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash.quantserve.com\#flash.quantserve.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#gannett.a.mms.mavenapps.net\#gannett.a.mms.mavenapps.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\#is1.j.tv2n.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pub.widgetbox.com\#pub.widgetbox.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#udn.specificclick.net\#udn.specificclick.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.flashtalking.com\#video.flashtalking.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com\#www.crackle.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.mydamnchannel.com\#www.mydamnchannel.com
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local
Settings\Application Data\Adobe\Acrobat\8.0\Cache\Search80\Search80 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\ESD\ESD Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\dhcp\dhcp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\export\export Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount 
point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\good\good Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Finished!
Make four wishes for yourself and work towards making them happen.
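The Win32kDiag output posted in this thread is long and repetitive, and what matters for triage is easy to miss when reading it by hand: every hit is a directory whose name repeats its parent's name (`C:\WINDOWS\addins\addins`, `C:\WINDOWS\CSC\d1\d1`), and every one of them resolves to the same non-volume destination. The following parser is an added example written for this page, not part of Win32kDiag or of the original post; it groups the hits by destination and counts that naming pattern. The sample log text is constructed in the shape of the posted output and includes one made-up legitimate `\??\Volume{...}` mount for contrast.

```python
"""Summarise Win32kDiag output: group reported mount points by destination.

Win32kDiag prints, per hit, a "Found mount point : <dir>" line, a
"Mount point destination : <target>" line and, when run with -r,
a "Removing mount point : <dir>" line.  This is an added helper, not
Win32kDiag code; the heuristics are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the log posted above.  The Volume{...}
# entry is made up to show how an ordinary volume mount point is reported.
SAMPLE_LOG = r"""
Removing all found mount points.

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\MountVol\data

Mount point destination : \??\Volume{11111111-2222-3333-4444-555555555555}\

Finished!
"""

LINE_RE = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point) : (.+?)\s*$"
)


def parse_win32kdiag(text):
    """Return one dict per hit: {'path', 'destination', 'removed'}."""
    hits = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, blank and "Finished!" lines are skipped
        kind, value = m.groups()
        if kind == "Found mount point":
            current = {"path": value, "destination": None, "removed": False}
            hits.append(current)
        elif kind == "Mount point destination" and current is not None:
            current["destination"] = value
        elif kind == "Removing mount point":
            for h in hits:
                if h["path"] == value:
                    h["removed"] = True
    return hits


def repeated_leaf(path):
    """True when the last directory repeats its parent's name (...\addins\addins)."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def summarise(hits):
    """Group hits by destination, most hits first, and count the naming pattern.

    A normal NTFS volume mount point resolves to \\??\\Volume{GUID}\\; anything
    else is worth a closer look.
    """
    by_dest = defaultdict(list)
    for h in hits:
        by_dest[h["destination"]].append(h["path"])
    report = []
    for dest, paths in by_dest.items():
        is_volume = dest is not None and dest.upper().startswith(r"\??\VOLUME{")
        report.append({
            "destination": dest,
            "count": len(paths),
            "repeated_leaf": sum(repeated_leaf(p) for p in paths),
            "looks_like_volume_mount": is_volume,
        })
    report.sort(key=lambda r: -r["count"])
    return report


if __name__ == "__main__":
    for row in summarise(parse_win32kdiag(SAMPLE_LOG)):
        print(row)
```

Run it against a saved Win32kDiag.txt by reading the file into `parse_win32kdiag` instead of `SAMPLE_LOG`; the report shows at a glance how many directories point at each destination and how many of them carry the doubled-name pattern.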

#7 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 04 September 2009 - 07:17 AM

Welcome back


Several steps to complete here, just take your time.


Locate your version of ComboFix on the desktop > right click and select delete.

Now we'll download an updated copy.


Download Combofix© by sUBs from any of the links below.

Save it to your desktop.

Link 1
Link 2


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
(Click on this link to see a list of programs that should be disabled.)
http://www.bleepingc...opic114351.html


Please only run the tool once, ty.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




NEXT** download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked.

    Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt
Save it where you can easily find it, such as your desktop, then post the contents here.

**Caution**
Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries




In your next reply post:
ComboFix.txt
Win32kDiag.txt
ark.txt
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#8 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 04 September 2009 - 02:19 PM

Combofix log.

ComboFix 09-09-03.02 - iamphil 09/04/2009 13:32.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2824 [GMT -7:00]
Running from: c:\documents and settings\iamphil\Desktop\ComboFix.com
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-09-02 12:21 . 2009-09-02 12:21 -------- d-----w- c:\program files\Enigma Software Group
2009-09-02 05:17 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 05:17 . 2009-09-02 05:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 05:17 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-09-02 05:06 . 2009-09-02 05:06 -------- d-----w- c:\program files\IObit
2009-09-02 04:14 . 2009-09-02 04:14 -------- d-----w- c:\program files\Windows Defender
2009-09-02 03:36 . 2009-09-02 03:36 -------- d-----w- c:\documents and settings\iamphil\DoctorWeb
2009-09-02 02:41 . 2009-09-02 02:41 -------- d-----w- c:\program files\Trend Micro
2009-09-02 01:09 . 2009-09-02 01:09 7680 ----a-w- c:\windows\system32\drivers\RKL1A90.tmp.sys
2009-09-01 16:05 . 2009-09-01 16:05 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\ESET
2009-09-01 15:58 . 2009-09-01 15:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-09-01 15:49 . 2008-01-07 21:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-09-01 15:44 . 2009-09-01 15:44 -------- d-----w- c:\program files\ESET
2009-09-01 15:44 . 2009-09-01 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-01 15:32 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-01 15:26 . 2009-09-01 15:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 15:20 . 2009-09-01 15:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2009-09-01 15:19 . 2009-09-01 15:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-01 14:41 . 2009-09-01 14:42 117760 ----a-w- c:\documents and settings\iamphil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-01 14:41 . 2009-09-01 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 14:41 . 2009-09-01 14:41 -------- d-----w- c:\documents and settings\iamphil\Application Data\SUPERAntiSpyware.com
2009-09-01 02:04 . 2009-09-01 16:31 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-08-28 17:09 . 2009-08-28 17:09 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Opera
2009-08-28 17:08 . 2009-08-28 17:08 -------- d-----w- c:\program files\Opera
2009-08-28 11:34 . 2009-08-28 11:34 120 ----a-w- c:\windows\Vrufobunitoba.dat
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- C:\SIERRA
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- c:\program files\WON
2009-08-28 01:29 . 2009-08-28 01:29 -------- d-----w- c:\program files\Sierra On-Line
2009-08-28 01:29 . 1998-10-03 02:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-08-28 01:13 . 2009-08-28 01:13 -------- d-----w- c:\documents and settings\iamphil\Application Data\Ulead Systems
2009-08-27 02:44 . 2009-08-27 02:44 -------- d-----w- c:\program files\ieSpell
2009-08-26 23:55 . 2009-08-26 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-08-26 23:34 . 2009-09-02 02:28 -------- d-----w- c:\program files\Panda Security
2009-08-26 17:46 . 2009-08-26 17:46 -------- d-----w- c:\documents and settings\iamphil\Application Data\Malwarebytes
2009-08-26 17:46 . 2009-08-26 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 15:40 . 2009-08-26 15:40 -------- d-----w- c:\documents and settings\iamphil\Application Data\URSoft
2009-08-26 15:40 . 2009-08-26 15:40 -------- d-----w- c:\program files\Your Uninstaller 2008
2009-08-26 13:26 . 2009-08-26 13:26 -------- d-----w- c:\windows\Downloaded Installations
2009-08-26 07:45 . 2009-08-26 15:43 -------- d-----w- c:\documents and settings\iamphil\Application Data\JLC's Software
2009-08-25 00:18 . 2009-08-25 00:18 1656832 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\FahCore_a0.exe
2009-08-25 00:18 . 2009-08-25 00:18 1382280 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\libfftw3f-3.dll
2009-08-21 01:38 . 2009-08-26 15:42 -------- d-----w- c:\program files\ffdshow
2009-08-21 01:22 . 2009-08-21 01:22 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-21 01:22 . 2009-08-21 01:22 -------- d-----w- c:\windows\system32\LogFiles
2009-08-19 03:07 . 2009-08-19 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 03:07 . 2009-08-19 03:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 01:43 . 2009-08-14 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\redistpart
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\createpart
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
2009-08-14 01:40 . 2009-08-14 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\explauncher
2009-08-13 06:23 . 2009-08-13 06:23 -------- d-----w- c:\program files\RivaTuner v2.24
2009-08-13 06:22 . 2009-09-04 20:27 -------- d--h--w- c:\windows\PIF
2009-08-13 03:01 . 2009-08-05 01:56 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2009-08-13 03:00 . 2009-08-13 03:00 -------- d-----w- c:\program files\Paragon Software
2009-08-13 01:17 . 2009-08-13 01:17 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Identities
2009-08-13 01:14 . 2009-08-26 13:21 -------- d-----w- c:\documents and settings\iamphil\Application Data\MailWasherPro
2009-08-13 01:14 . 2009-08-13 01:14 -------- d-----w- c:\program files\FireTrust
2009-08-12 15:15 . 2009-08-12 15:15 -------- d-----w- c:\documents and settings\iamphil\Application Data\vlc
2009-08-12 15:12 . 2009-08-12 15:12 -------- d-----w- c:\program files\VideoLAN
2009-08-12 13:47 . 2009-08-12 13:47 0 ----a-w- c:\windows\nsreg.dat
2009-08-12 13:47 . 2009-08-12 13:47 -------- d-----w- c:\documents and settings\iamphil\Local Settings\Application Data\Mozilla
2009-08-12 08:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 06:22 . 2009-08-12 06:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-12 02:15 . 2009-08-12 02:15 -------- d-----w- c:\program files\ImgBurn
2009-08-12 02:11 . 2009-08-12 02:11 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-08-12 01:08 . 2009-08-12 01:08 -------- d-----w- c:\program files\uTorrent
2009-08-12 01:08 . 2009-08-26 15:39 -------- d-----w- c:\documents and settings\iamphil\Application Data\uTorrent
2009-08-09 04:55 . 2009-08-09 04:55 1843200 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu\FahCore_11.exe
2009-08-08 18:18 . 2009-08-08 18:18 -------- d-----w- c:\documents and settings\iamphil\Application Data\Goodsol
2009-08-08 18:17 . 2009-08-08 18:17 -------- d-----w- c:\program files\goodsol
2009-08-08 18:15 . 2009-08-08 18:16 -------- d-----w- c:\program files\Mahjong The Endless Journey
2009-08-08 18:14 . 2009-08-08 18:14 -------- d-----w- c:\program files\ReflexiveArcade
2009-08-08 09:15 . 2009-08-26 23:14 -------- d-----w- c:\documents and settings\iamphil\Application Data\Auslogics
2009-08-08 09:13 . 2009-08-08 09:13 -------- d-----w- c:\program files\Auslogics
2009-08-08 07:25 . 2009-08-08 07:25 1298432 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu\FahCore_14.exe
2009-08-08 07:24 . 2009-09-04 02:32 -------- d-----w- c:\documents and settings\iamphil\Application Data\Folding@home-gpu
2009-08-08 07:24 . 2009-08-18 23:48 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_6FEFF9B68218417F98F549.exe
2009-08-08 07:24 . 2009-08-18 23:48 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_41346D1BD9E98636678C85.exe
2009-08-08 07:24 . 2009-08-18 23:48 10134 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_5429DBF727E2384037BDE1.exe
2009-08-08 07:24 . 2009-08-08 07:24 2338816 ----a-w- c:\documents and settings\iamphil\Application Data\Folding@home-x86\FahCore_78.exe
2009-08-08 07:22 . 2009-08-08 07:22 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-08-08 07:22 . 2009-08-08 07:22 98477 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-08-08 07:22 . 2009-08-08 07:22 10134 ----a-r- c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-08-08 07:22 . 2009-09-01 02:49 -------- d-----w- c:\documents and settings\iamphil\Application Data\Folding@home-x86
2009-08-08 07:22 . 2009-08-08 07:24 -------- d-----w- c:\program files\Folding@home
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\program files\MSBuild
2009-08-08 07:03 . 2009-08-08 07:03 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 18:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-07 18:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-07 18:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-07 18:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-07 18:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-07 18:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-07 18:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\scripting
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\en
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\l2schemas
2009-08-07 18:20 . 2009-08-07 18:20 -------- d-----w- c:\windows\system32\bits
2009-08-07 18:19 . 2009-08-07 18:21 -------- d-----w- c:\windows\ServicePackFiles
2009-08-07 18:09 . 2004-08-04 05:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-08-07 17:55 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\ndisip.sys
2009-08-07 17:55 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\streamip.sys
2009-08-07 17:55 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\mstee.sys
2009-08-07 17:55 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\slip.sys
2009-08-07 17:55 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\wstcodec.sys
2009-08-07 17:55 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\nabtsfec.sys
2009-08-07 17:55 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\ccdecode.sys
2009-08-07 17:55 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-07 17:55 . 2009-08-07 17:55 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-07 17:54 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-07 17:31 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-08-07 17:31 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-08-07 17:29 . 2009-08-07 17:29 -------- d-----w- c:\windows\nview
2009-08-07 17:29 . 2008-10-07 05:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-07 17:28 . 2008-10-02 17:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-07 17:27 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-08-07 17:27 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-07 17:27 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-08-07 17:27 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-07 17:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-08-07 17:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-07 17:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-08-07 17:22 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\usbaudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 05:43 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-02 02:30 . 2009-08-07 04:15 -------- d-----w- c:\program files\Ulead Systems
2009-09-02 02:30 . 2009-08-07 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-01 15:18 . 2009-08-07 17:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-26 13:54 . 2009-08-26 13:44 -------- d-----w- c:\documents and settings\iamphil\Application Data\Winamp
2009-08-26 13:45 . 2009-08-26 13:44 -------- d-----w- c:\program files\Winamp
2009-08-19 08:05 . 2009-08-19 08:05 -------- d-----w- c:\program files\Philips
2009-08-10 16:47 . 2009-08-07 04:12 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-08 08:26 . 2009-08-07 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-08 07:55 . 2009-08-07 04:10 -------- d-----w- c:\program files\ASUS
2009-08-07 17:30 . 2009-08-07 17:30 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-07 06:04 . 2009-08-07 06:03 -------- d-----w- c:\program files\VIA
2009-08-07 05:53 . 2009-08-07 05:53 -------- d-----w- c:\program files\microsoft frontpage
2009-08-07 05:50 . 2009-08-07 05:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-07 04:10 . 2009-08-07 04:10 -------- d-----w- c:\program files\AMD
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:56 . 2009-08-05 01:56 4248840 ----a-w- c:\windows\system32\qtp-mt334.dll
2009-08-05 01:56 . 2009-08-05 01:56 248584 ----a-w- c:\windows\system32\prgiso.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-08-04 12:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2009-08-07 05:49 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_15.21.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-09-02 12:51 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-04 02:36 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-04 02:36 432686 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-02 12:51 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-08-21 943888]

c:\documents and settings\iamphil\Start Menu\Programs\Startup\
Folding@home.lnk - c:\documents and settings\iamphil\Application Data\Microsoft\Installer\{4AA947A0-0BA8-4065-B8EE-29C6DA9661EE}\_41346D1BD9E98636678C85.exe [2009-8-8 98477]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ASUS\\ASUSUpdate\\Update.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Charon\\Stan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/12/2009 8:01 PM 40560]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [9/1/2009 10:06 PM 305936]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/6/2009 11:04 PM 1057024]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj
.
.
------- Supplementary Scan -------
.
uStart Page = forums.pcpitstop.com/index.php?
uInternet Connection Wizard,ShellNext = hxxp://www.pctools.com/en/anti-virus/uninstall/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\iamphil\Application Data\Mozilla\Firefox\Profiles\52tptwi0.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.pcpitstop.com/index.php?
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 13:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-04 13:34
ComboFix-quarantined-files.txt 2009-09-04 20:34
ComboFix2.txt 2009-09-04 14:02
ComboFix3.txt 2009-09-04 02:42
ComboFix4.txt 2009-09-03 15:22

Pre-Run: 75,940,458,496 bytes free
Post-Run: 75,932,176,384 bytes free

257 --- E O F --- 2009-09-04 13:49
Make four wishes for yourself and work towards making them happen.
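The ComboFix log above lists several hundred "Files Created" lines in a fixed one-line-per-file format, and a responder normally skims it for a handful of things: drivers with temp-style names, hidden files, and files dropped directly into the Windows directory. The parser below is an added example for this page, not ComboFix code; its triage rules are this example's own heuristics, and the sample lines are copied from the log in this post.

```python
"""Parse the "Files Created" section of a ComboFix log and shortlist
entries a responder would look at first.

ComboFix prints one file per line:
    <created> . <modified> <size or --------> <attrs> <path>
where <attrs> is an 8-character flag string ("d" = directory, "h" = hidden,
as seen in the log above).  Added example; the heuristics are not ComboFix's.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>-{8}|\d+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)

# Sample lines taken from the ComboFix log posted above.
SAMPLE = r"""
2009-09-02 12:21 . 2009-09-02 12:21 -------- d-----w- c:\program files\Enigma Software Group
2009-09-02 05:17 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 01:09 . 2009-09-02 01:09 7680 ----a-w- c:\windows\system32\drivers\RKL1A90.tmp.sys
2009-09-01 15:49 . 2008-01-07 21:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2009-08-28 11:34 . 2009-08-28 11:34 120 ----a-w- c:\windows\Vrufobunitoba.dat
2009-08-12 08:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
"""


def parse_files_created(text):
    """Turn ComboFix 'Files Created' lines into dicts; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "size": None if m.group("size").startswith("-") else int(m.group("size")),
            "attrs": attrs,
            "path": m.group("path"),
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
        })
    return entries


def triage(entries):
    """Apply simple review heuristics; returns [(path, [reasons])] for flagged files.

    These are starting points for a human review, not verdicts.
    """
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        low = e["path"].lower()
        parent, _, name = low.rpartition("\\")
        reasons = []
        if name.endswith(".sys") and ".tmp" in name:
            reasons.append("driver with temp-style name")
        if e["hidden"]:
            reasons.append("hidden attribute")
        if parent == "c:\\windows":
            reasons.append("file dropped directly in %windir%")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, why in triage(parse_files_created(SAMPLE)):
        print(path, "->", "; ".join(why))
```

Feed it the text between the "Files Created" header and the "Find3M Report" header of a real ComboFix.txt; everything else in the log fails the regular expression and is ignored.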

#9 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 04 September 2009 - 02:22 PM

Win32kDiag log

Log file is located at: C:\Documents and Settings\iamphil\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP196.tmp\ZAP196.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP196.tmp\ZAP196.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7.tmp\ZAP7.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB5.tmp\ZAPB5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB5.tmp\ZAPB5.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\HMBRRP9R\HMBRRP9R

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\HMBRRP9R\HMBRRP9R

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\all

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\all

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\brt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\brt

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\can

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\can

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\eng

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\eng

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\as1.suitesmart.com\_f5e.swf\_f5e.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\as1.suitesmart.com\_f5e.swf\_f5e.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\box.anchorfree.net\afso\afso.swf\afso.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\box.anchorfree.net\afso\afso.swf\afso.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\cdn.widgetserver.com\cdn.widgetserver.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\cdn.widgetserver.com\cdn.widgetserver.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\cdn4.specificclick.net\img\img

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\cdn4.specificclick.net\img\img

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\files.deezer.com\swf\billboard-v40.swf\billboard-v40.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\files.deezer.com\swf\billboard-v40.swf\billboard-v40.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\files.deezer.com\swf\player-v40.swf\player-v40.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\files.deezer.com\swf\player-v40.swf\player-v40.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\flash.quantserve.com\flash.quantserve.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\flash.quantserve.com\flash.quantserve.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\gannett.a.mms.mavenapps.net\gannett.a.mms.mavenapps.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\gannett.a.mms.mavenapps.net\gannett.a.mms.mavenapps.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\is1.j.tv2n.net\is1.j.tv2n.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\is1.j.tv2n.net\is1.j.tv2n.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\pub.widgetbox.com\pub.widgetbox.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\pub.widgetbox.com\pub.widgetbox.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\udn.specificclick.net\udn.specificclick.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\udn.specificclick.net\udn.specificclick.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\video.flashtalking.com\video.flashtalking.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\video.flashtalking.com\video.flashtalking.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\www.crackle.com\www.crackle.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\7MSYU4F9\www.crackle.com\www.crackle.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#as1.suitesmart.com\#as1.suitesmart.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#as1.suitesmart.com\#as1.suitesmart.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#box.anchorfree.net\#box.anchorfree.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#box.anchorfree.net\#box.anchorfree.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.widgetserver.com\#cdn.widgetserver.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn.widgetserver.com\#cdn.widgetserver.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn4.specificclick.net\#cdn4.specificclick.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#cdn4.specificclick.net\#cdn4.specificclick.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#files.deezer.com\#files.deezer.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#files.deezer.com\#files.deezer.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash.quantserve.com\#flash.quantserve.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash.quantserve.com\#flash.quantserve.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#gannett.a.mms.mavenapps.net\#gannett.a.mms.mavenapps.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#gannett.a.mms.mavenapps.net\#gannett.a.mms.mavenapps.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\#is1.j.tv2n.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\#is1.j.tv2n.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pub.widgetbox.com\#pub.widgetbox.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pub.widgetbox.com\#pub.widgetbox.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#udn.specificclick.net\#udn.specificclick.net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#udn.specificclick.net\#udn.specificclick.net

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.flashtalking.com\#video.flashtalking.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.flashtalking.com\#video.flashtalking.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com\#www.crackle.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com\#www.crackle.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.mydamnchannel.com\#www.mydamnchannel.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.mydamnchannel.com\#www.mydamnchannel.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache\Search80\Search80

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\8.0\Cache\Search80\Search80

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\ESD\ESD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\ESD\ESD

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!


ark.txt

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-04 14:16:59
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\iamphil\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

---- EOF - GMER 1.0.15 ----
Make four wishes for yourself and work towards making them happen.

#10 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 04 September 2009 - 02:34 PM

dickster, give me an update on how the computer is now.



NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, so please be patient.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so that there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Using Internet Explorer, visit http://www.kaspersky...n=1250646146031



http://www.kaspersky...apter=161739400

Ensure your external and/or USB/Flash or Pen drives are inserted during the scan.


Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
    * Click on: Save Report As
    * Next, in the Save as prompt, Save in area, select: Desktop
    * In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    * Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419


In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run


You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#11 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 05 September 2009 - 12:20 AM

Computer has always run good, but was getting those windows antivirus popups every other minute. End one in task manager and another popped up almost immediately. Kaspersky log is short.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 05, 2009 06:03:19
Records in database: 2747807
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\
I:\
J:\
W:\
X:\
Y:\
Z:\

Scan statistics:
Objects scanned: 38195
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:32:23

File name / Threat / Threats count
C:\Documents and Settings\iamphil\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\kf141.zip    Infected: not-a-virus:PSWTool.Win32.RAS.a    2

Selected area has been scanned.

Still can't run HJT.
Make four wishes for yourself and work towards making them happen.

#12 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 05 September 2009 - 07:03 AM

Morning

Computer has always run good, but was getting those windows antivirus popups every other minute. End one in task manager and another popped up almost immediately.


Have the pop ups stopped?


We have a file that needs to be deleted.



Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
:Files
C:\Documents and Settings\iamphil\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\kf141.zip
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.


Still can't run HJT.

For MalwareBytes and HJT.
Delete what you have, then download again. When saving to the desktop, rename the file: instead of keeping the .exe extension, rename it to .com. This should allow it to run.


Download Trend Micro Hijack This™ and save to desktop.


Please download Malwarebytes' Anti-Malware to your desktop

Additional Link
Here also



We need to run a tool once more.

Locate and delete your version of Win32kDiag.


Download and run Win32kDiag:

In your next reply post:
OTM log
MBAM log
HJT log
Win32kDiag.txt


#13 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 05 September 2009 - 11:59 PM

Still can't get HJT to run but here are the other logs. Haven't been using the pc, so not sure if the popups stopped.

OTM

All processes killed
========== FILES ==========
C:\Documents and Settings\iamphil\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\kf141.zip moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 16914219 bytes
->Opera cache emptied: 1023427 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: iamphil
->Temp folder emptied: 82310216 bytes
->Temporary Internet Files folder emptied: 2855450 bytes
->Java cache emptied: 25755153 bytes
->FireFox cache emptied: 87180243 bytes
->Opera cache emptied: 74953163 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 49219 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 279.65 mb

OTM by OldTimer - Version 3.0.0.6 log created on 09052009_100755

Files moved on Reboot...
Registry entries deleted on Reboot...
Malwarebytes

Malwarebytes' Anti-Malware 1.40
Database version: 2744
Windows 5.1.2600 Service Pack 3

9/5/2009 10:30:41 AM
mbam-log-2009-09-05 (10-30-19).txt

Scan type: Quick Scan
Objects scanned: 90366
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Win32kDiag.txt

Log file is located at: C:\Documents and Settings\iamphil\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Edited by dickster, 06 September 2009 - 12:01 AM.


#14 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 06 September 2009 - 03:21 AM

Got HJT to run and posting log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:53 AM, on 9/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = forums.pcpitstop.com/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pctools.c...irus/uninstall/
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: Folding@home.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1249652376531
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5080 bytes

#15 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 06 September 2009 - 08:13 AM

Welcome back


Scans show me the infection has been removed.....good job.



Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run > copy and paste the full text path in the run box


"%userprofile%\desktop\combofix.exe" /u


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`


Win32kDiag <--delete
Win32kDiag.txt <--delete


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
NEXT**
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)



Go to Start> Run> In the space provided type

sc stop WMPNetworkSvc
press enter

Type this command too
Go to Start> Run> In the space provided type
sc delete WMPNetworkSvc
press enter
Exit

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
NEXT**
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including the OTC application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

How's the computer?
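The O23 check Juliet applies in the post above, a registered service whose binary HijackThis reports as "(file missing)", followed by sc stop / sc delete of the orphaned registration, can be applied to a whole HJT log rather than one line at a time. The script below is an added example written for this thread; it is not code from the forum posts or from HijackThis. It parses O23 (service) and O18 (protocol handler) lines, flags the ones whose binary is missing, and emits the same two sc commands Juliet gives for WMPNetworkSvc. The sample lines are copied from the HJT log posted in this thread. The function names, the Finding structure and the registry location queried for an O18 handler (HKLM\SOFTWARE\Classes\PROTOCOLS\Handler) are my assumptions; since the thread did not act on the O18 entry, the script only emits a read-only reg query for it.

```python
"""Flag HijackThis O23/O18 entries whose binary is "(file missing)" and
build the sc stop / sc delete cleanup used in the thread.

Added example for this thread; not code from the forum posts or from
HijackThis. Sample lines are copied from the HJT log posted above."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Copied from the HijackThis log in this thread (O18 and O23 sections).
SAMPLE_LOG = r"""
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
"""

# O23: "Service: <display> (<short name>) - <owner> - <path>[ (file missing)]".
# The parenthesised short name is what sc.exe takes; HJT omits it when it
# equals the display name (see the IS360service line above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O18: "Protocol: <scheme> - {<CLSID>} - <handler dll>[ (file missing)]".
O18_RE = re.compile(
    r"^O18 - Protocol: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    kind: str            # "service" (O23) or "protocol" (O18)
    name: str            # service short name / protocol scheme
    path: str            # binary HJT could not find
    commands: List[str]  # cmd.exe lines to run from an elevated prompt


def parse_hjt(text: str) -> List[Finding]:
    """Return one Finding per O23/O18 line whose binary is reported missing."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                name = m.group("name") or m.group("display")
                # Same two commands the thread uses for WMPNetworkSvc.
                findings.append(Finding("service", name, m.group("path"),
                                        [f"sc stop {name}", f"sc delete {name}"]))
            continue
        m = O18_RE.match(line)
        if m and m.group("missing"):
            # The thread did not act on the O18 entry, so only emit a
            # read-only inspection of the handler key (assumed location).
            key = rf"HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\{m.group('name')}"
            findings.append(Finding("protocol", m.group("name"), m.group("path"),
                                    [f'reg query "{key}"']))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count O23/O18 entries and how many of each point at a missing file."""
    counts = {"services": 0, "missing_services": 0,
              "protocols": 0, "missing_protocols": 0}
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            counts["services"] += 1
            counts["missing_services"] += bool(m.group("missing"))
            continue
        m = O18_RE.match(line)
        if m:
            counts["protocols"] += 1
            counts["missing_protocols"] += bool(m.group("missing"))
    return counts


def remediation_script(findings: List[Finding]) -> str:
    """Render the findings as a cmd.exe script, one REM header per entry."""
    lines = ["@echo off", "REM Generated from HJT log; review before running."]
    for f in findings:
        lines.append(f"REM {f.kind} {f.name}: {f.path} (file missing)")
        lines.extend(f.commands)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    print(remediation_script(found))
```

One caveat before running the generated script: "(file missing)" only means HijackThis could not resolve the path string it read from the service's ImagePath, so an entry can be flagged while the binary exists (unexpanded environment variables or unusual quoting in the path are the usual cause). Confirm with `sc qc <name>` and a look at the BINARY_PATH_NAME it prints before `sc delete`, exactly as the helper here did by reading the log line by line first.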

#16 dickster

dickster

    Just trying to fit in.

  • Anti-Spyware Brigade
  • 14,531 posts
  • Gender:Male
  • Location:Texas



Posted 07 September 2009 - 07:11 AM

Everything appears to be running fine now. I do THANK you so very much for your help. Couldn't have done it without you. You do a fantastic job of helping us, and it's most appreciated! :tup:

#17 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 07 September 2009 - 08:11 PM

Everything appears to be running fine now. I do THANK you so very much for your help. Couldn't have done it without you. You do a fantastic job of helping us, and it's most appreciated! :tup:

Ahhhh, thank you! :wub:



GMER Rootkit Scanner
ark.txt
Make sure to remove the above or it's very likely to be picked up by scanners.


You're good to go.


Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, using free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.
Please note that these products can also be run for free, without a licence, as on-demand scanners.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Please read this article 'Safe Computing Practices'.
So how did I get infected in the first place?

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet...owcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsuppo...-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

#18 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,092 posts
  • Gender:Female


Posted 08 September 2009 - 12:10 PM

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.



