
Slow Vista. Found Trojans & Worms W/ Malwarebytes & Spybot


  • This topic is locked
21 replies to this topic

#1 Bubba5056



Posted 11 June 2010 - 08:02 PM

Hello there, my sister's computer was running very slow and I ran Malwarebytes and Spybot and made a few fixes through those programs and it seems a bit better but not 100%. Enclosed please find the logs. She had Limewire installed. I removed Limewire after the Malwarebytes and Spybot scans and before the HJT scan. Thanks for reading and for any help! Spybot log first, then MBAM, then HJT.

--- Search result list ---
Fraud.avi: [SBI $61E87388] Library (File, nothing done)
  C:\Windows\System32\fltLib32.dll
  Properties.size=203264
  Properties.md5=84F3BD87D6F87ABCF12CE9F5B37A658A
  Properties.filedate=1269989861
  Properties.filedatetext=2010-03-30 18:57:40

Win32.Prolaco.p: [SBI $DB5BC1A0] Program directory (Directory, fixed)
  C:\Users\belanger #2\AppData\Roaming\SystemProc\

Win32.Swisyn: [SBI $66F4E1C2] Executable (File, nothing done)
  C:\Users\belanger #2\AppData\Roaming\SystemProc\lsass.exe
  Properties.size=0
  Properties.md5=D41D8CD98F00B204E9800998ECF8427E

DoubleClick: Tracking cookie (Internet Explorer: belanger #2) (Cookie, fixed)

MediaPlex: Tracking cookie (Internet Explorer: belanger #2) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
--- System information ---
Windows Vista (Build: 6002) Service Pack 2 (6.0.6002)
elxstor Registry path: \SYSTEM\CurrentControlSet\Services\ Image path: \SystemRoot\system32\drivers\elxstor.sys Image size: 0 Image MD5: D41D8CD98F00B204E9800998ECF8427E Control Set: CurrentControlSet Start: 4 Type: 1 Error Control: 1 Service (registry key): EmdCache Registry path: \SYSTEM\CurrentControlSet\Services\ Control Set: CurrentControlSet Start: 0 Type: 0 Error Control: 0 Service (registry key): EMDMgmt Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @%SystemRoot%\system32\emdmgmt.dll,-1000 Description: @%SystemRoot%\system32\emdmgmt.dll,-1001 Object name: LocalSystem Image path: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 2 Type: 32 Error Control: 0 Depends On services: rpcss,ecache,slsvc,fileinfo Service (registry key): EraserUtilRebootDrv Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: EraserUtilRebootDrv Image path: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys Image size: 0 Image MD5: D41D8CD98F00B204E9800998ECF8427E Control Set: CurrentControlSet Start: 3 Type: 1 Error Control: 1 Service (registry key): ESENT Registry path: \SYSTEM\CurrentControlSet\Services\ Control Set: CurrentControlSet Start: 0 Type: 0 Error Control: 0 Service (registry key): Eventlog Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @%SystemRoot%\system32\wevtsvc.dll,-200 Description: @%SystemRoot%\system32\wevtsvc.dll,-201 Object name: NT AUTHORITY\LocalService Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 2 Type: 32 Error Control: 1 Service (registry key): EventSystem Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @comres.dll,-2450 Description: @comres.dll,-2451 Object name: NT AUTHORITY\LocalService Image path: 
%SystemRoot%\system32\svchost.exe -k LocalService Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 2 Type: 32 Error Control: 1 Depends On services: rpcss Service (registry key): exfat Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: exFAT File System Driver Description: exFAT File System Driver Control Set: CurrentControlSet Start: 3 Type: 2 Error Control: 1 Service (registry key): fastfat Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: FAT12/16/32 File System Driver Description: Note - dependance on CDROM.SYS only if required to read/write DVD-RAM media (which appears as CD class device). (Core) (All pieces) Control Set: CurrentControlSet Start: 3 Type: 2 Error Control: 1 Service (registry key): fdc Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: Floppy Disk Controller Driver Image path: system32\DRIVERS\fdc.sys Image size: 25088 Image MD5: AFE1E8B9782A0DD7FB46BBD88E43F89A Control Set: CurrentControlSet Start: 3 Type: 1 Error Control: 1 Service (registry key): fdPHost Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @%systemroot%\system32\fdPHost.dll,-100 Description: @%systemroot%\system32\fdPHost.dll,-101 Object name: NT AUTHORITY\LocalService Image path: %SystemRoot%\system32\svchost.exe -k LocalService Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 3 Type: 32 Error Control: 1 Depends On services: RpcSs,http Service (registry key): FDResPub Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @%systemroot%\system32\fdrespub.dll,-100 Description: @%systemroot%\system32\fdrespub.dll,-101 Object name: NT AUTHORITY\LocalService Image path: %SystemRoot%\system32\svchost.exe -k LocalService Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 2 Type: 32 Error Control: 1 Depends On services: RpcSs,http Service (registry key): FileInfo Registry 
path: \SYSTEM\CurrentControlSet\Services\ Display name: File Information FS MiniFilter Description: Collects information about files in memory to be consumed by other system services. Image path: system32\drivers\fileinfo.sys Image size: 58936 Image MD5: A8C0139A884861E3AAE9CFE73B208A9F Control Set: CurrentControlSet Start: 0 Type: 2 Error Control: 1 Depends On services: fltmgr Service (registry key): Filetrace Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: FileTrace Description: ETW File Trace Filter Image path: system32\drivers\filetrace.sys Image size: 27648 Image MD5: 0AE429A696AECBC5970E3CF2C62635AE Control Set: CurrentControlSet Start: 3 Type: 2 Error Control: 1 Depends On services: FltMgr Service (registry key): flpydisk Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: Floppy Disk Driver Image path: system32\DRIVERS\flpydisk.sys Image size: 20480 Image MD5: 6603957EFF5EC62D25075EA8AC27DE68 Control Set: CurrentControlSet Start: 4 Type: 1 Error Control: 1 Service (registry key): FltMgr Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: FltMgr Description: File System Filter Manager Driver Image path: system32\drivers\fltmgr.sys Image size: 190424 Image MD5: 01334F9EA68E6877C4EF05D3EA8ABB05 Control Set: CurrentControlSet Start: 0 Type: 2 Error Control: 3 Service (registry key): FontCache Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @%systemroot%\system32\FntCache.dll,-100 Description: @%systemroot%\system32\FntCache.dll,-101 Object name: NT AUTHORITY\LocalService Image path: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 3 Type: 32 Error Control: 1 Service (registry key): FontCache3.0.0.0 Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @%SystemRoot%\system32\PresentationHost.exe,-3309 Description: @%SystemRoot%\system32\PresentationHost.exe,-3310 Object name: 
NT Authority\LocalService Image path: %systemroot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe Image size: 43904 Image MD5: C7FBDD1ED42F82BFA35167A5C9803EA3 Control Set: CurrentControlSet Start: 3 Type: 16 Error Control: 1 Service (registry key): Fs_Rec Registry path: \SYSTEM\CurrentControlSet\Services\ Control Set: CurrentControlSet Start: 1 Type: 8 Error Control: 0 Service (registry key): gagp30kx Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms Image path: \SystemRoot\system32\drivers\gagp30kx.sys Image size: 0 Image MD5: D41D8CD98F00B204E9800998ECF8427E Control Set: CurrentControlSet Start: 3 Type: 1 Error Control: 1 Service (registry key): GEARAspiWDM Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: GEAR ASPI Filter Driver Image path: system32\DRIVERS\GEARAspiWDM.sys Image size: 26600 Image MD5: 8182FF89C65E4D38B2DE4BB0FB18564E Control Set: CurrentControlSet Start: 3 Type: 1 Error Control: 1 Service (registry key): gpsvc Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: @gpapi.dll,-112 Description: @gpapi.dll,-113 Object name: LocalSystem Image path: %windir%\system32\svchost.exe -k GPSvcGroup Image size: 21504 Image MD5: 3794B461C45882E06856F282EEF025AF Control Set: CurrentControlSet Start: 2 Type: 16 Error Control: 1 Depends On services: RPCSS,Mup Service (registry key): HdAudAddService Registry path: \SYSTEM\CurrentControlSet\Services\ Display name: Microsoft 1.1 UAA Function Driver for High Definition Audio Service Image path: system32\drivers\HdAudio.sys Image size: 235520 Image MD5: CB04C744BE0A61B1D648FAED182C3B59 Control Set: CurrentControlSet Start: 3 Type: 1 Error Control: 1 Service (registry key): HDAudBus Registry path: \SYSTEM\CurrentControlSet\Services

#2 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 11 June 2010 - 08:22 PM

I ran DDS and have DDS.txt and Attach.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by belanger #2 at 21:12:44.88 on Fri 06/11/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.445.105 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\LTCM Client\ltcmClient.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
svchost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
BHO: {046faff5-e7cd-4ade-ac6d-472e0ee0d723} - c:\programdata\brcoinst32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.1.0.32\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.1.0.32\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [RTHDBPL] c:\users\belang~1\appdata\local\temp\51FA.tmp
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\belang~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\windows\system32\findnetprinters32.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-5-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-5-20 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-5-20 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100513.002\IDSvix86.sys [2010-5-20 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-5-20 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-5-20 340016]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.1.0.32\ccsvchst.exe [2010-5-20 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-11 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-24 21504]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

==================== Find3M ====================

============= FINISH: 21:18:18.82 ===============

UNLESS SPECIFICALLY
INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 12/16/2006 4:39:36 PM
System Uptime: 6/11/2010 7:02:27 PM (2 hours ago)

Motherboard: Intel Corporation | | D102GGC2
Processor: Intel® Pentium® 4 CPU 3.00GHz | LGA 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 141 GiB total, 112.004 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 3.66 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== End Of File ===========================

#3 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 13 June 2010 - 07:47 AM

Which antivirus are you using?
I see McAfee and Norton. We'll have to get this down to just one Antivirus program in order for scans and tools to work properly.



I can see MBAM ran and deleted a few things that might be still showing in the logs.


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete, it is very important that you enable Real-time Protection again.


======================================================================



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\ProgramData\brcoinst32.dll
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\BELANG~1\AppData\Local\Temp\51FA.tmp



Now reboot the computer.



Please post a new DDS.txt and give me details as to what the computer is doing now.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#4 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 13 June 2010 - 11:40 AM

Ok, I did the original MBAM, Spybot, and HJT scans under a Vista username that wasn't the administrator. These new logs were taken when running Vista under the administrator username. Norton and McAfee have been removed. It's now using Symantec Antivirus. Before the scans I turned off RealTime Protection on Windows Defender and I turned off AutoProtect on Symantec Antivirus. I also removed the items in HJT that you recommended. Before I did any of this, however, I couldn't properly log onto Windows. I would get to the welcome screen, select the user, and as it was "Preparing Desktop", Windows Explorer would shut down. I manually had to restart it by going to task manager and starting explorer.exe manually. This is not occurring anymore after removing Norton and McAfee and installing Symantec. The computer is running very slow. Only has 512mb of RAM and I suspect that may be part of it. The other part being any malicious content still on it. Enclosed is DDS.txt first and then Attach.txt

DDS (Ver_10-03-17.01) - NTFSx86 Run by steve at 12:11:48.45 on Sun 06/13/2010 Internet Explorer: 8.0.6001.18904 Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.445.65 [GMT -4:00] AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\system32\Ati2evxx.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService 
C:\Windows\system32\Ati2evxx.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\WUDFHost.exe C:\Windows\system32\DRIVERS\xaudio.exe C:\Windows\RtHDVCpl.exe C:\Windows\WindowsMobile\wmdSync.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Symantec AntiVirus\VPTray.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Windows\system32\svchost.exe -k WindowsMobile C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Symantec AntiVirus\DoScan.exe C:\Windows\system32\wuauclt.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\RacAgent.exe C:\Users\steve\Desktop\dds.scr C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082 mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082 uInternet Settings,ProxyOverride = *.local mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082 BHO: 
{046faff5-e7cd-4ade-ac6d-472e0ee0d723} - c:\programdata\brcoinst32.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll uRun: [EPSON NX410 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifca.exe /fu "c:\windows\temp\E_SA83F.tmp" /EF "HKCU" uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe" mRun: [RtHDVCpl] RtHDVCpl.exe mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [vptray] c:\progra~1\symant~1\VPTray.exe mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Google Sidewiki... 
- c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\windows\system32\findnetprinters32.dll ============= SERVICES / DRIVERS =============== =============== Created Last 30 ================ 2010-06-13 14:43:22 321024 ----a-w- c:\programdata\dmocx32.dll 2010-06-13 14:18:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF 2010-06-13 14:18:21 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2010-06-13 14:18:21 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT 2010-06-13 14:13:38 0 d-----w- c:\program files\Symantec 2010-06-13 14:13:16 0 d-----w- c:\programdata\Symantec 2010-06-13 14:13:16 0 d-----w- c:\program files\Symantec AntiVirus 2010-06-13 14:13:16 0 d-----w- c:\program files\common files\Symantec Shared 2010-06-11 22:36:40 0 d-----w- c:\program files\Trend Micro 2010-06-11 22:32:12 0 d-----w- c:\programdata\Spybot - Search & Destroy 2010-06-11 22:32:12 0 d-----w- c:\program files\Spybot - Search & Destroy 2010-06-11 22:27:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-11 22:26:59 0 d-----w- c:\programdata\Malwarebytes 2010-06-11 22:26:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-11 22:26:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-11 22:23:18 2048 ----a-w- c:\windows\system32\tzres.dll 2010-06-07 23:52:02 524288 --sha-w- 
c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TMContainer00000000000000000002.regtrans-ms 2010-06-07 23:52:00 524288 --sha-w- c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TMContainer00000000000000000001.regtrans-ms 2010-06-07 23:51:58 65536 --sha-w- c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TM.blf 2010-06-06 17:30:10 0 d-----w- C:\N360_BACKUP 2010-05-20 16:57:54 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys 2010-05-20 16:57:54 107368 ----a-r- c:\windows\system32\GEARAspi.dll 2010-05-20 16:54:47 0 d-----w- c:\programdata\NortonInstaller 2010-05-20 16:46:01 0 d-----w- c:\programdata\Norton 2010-05-17 02:02:04 283648 ----a-w- c:\programdata\AuxiliaryDisplayClassInstaller32.dll 2010-05-16 23:01:54 283648 ----a-w- c:\programdata\devmgr32.dll 2010-05-16 22:01:56 283648 ----a-w- c:\programdata\DfsShlEx32.dll 2010-05-16 12:01:49 283648 ----a-w- c:\programdata\dataclen32.dll 2010-05-16 08:01:27 283648 ----a-w- c:\programdata\cic32.dll 2010-05-16 07:01:20 283648 ----a-w- c:\programdata\CddbLangDE32.dll 2010-05-16 01:01:07 283648 ----a-w- c:\programdata\axaltocm32.dll 2010-05-15 22:01:09 283648 ----a-w- c:\programdata\batmeter32.dll 2010-05-15 21:00:59 283648 ----a-w- c:\programdata\diagperf32.dll 2010-05-15 18:00:56 283648 ----a-w- c:\programdata\DfrgRes32.dll 2010-05-15 16:00:52 283648 ----a-w- c:\programdata\dbnetlib32.dll 2010-05-15 15:00:52 283648 ----a-w- c:\programdata\DDACLSys32.dll 2010-05-15 11:00:48 283648 ----a-w- c:\programdata\d3d8thk32.dll 2010-05-15 08:00:35 283648 ----a-w- c:\programdata\colorui32.dll 2010-05-15 07:00:32 283648 ----a-w- c:\programdata\cmpbk3232.dll 2010-05-15 05:00:34 283648 ----a-w- c:\programdata\cofiredm32.dll 2010-05-15 04:00:27 283648 ----a-w- c:\programdata\chsbrkr32.dll 2010-05-15 03:00:26 283648 ----a-w- c:\programdata\cewmdm32.dll 2010-05-15 02:00:25 283648 ----a-w- c:\programdata\certmgr32.dll 2010-05-15 00:00:20 283648 ----a-w- c:\programdata\catsrvps32.dll 
2010-05-14 23:00:17 283648 ----a-w- c:\programdata\bthci32.dll 2010-05-14 22:00:15 283648 ----a-w- c:\programdata\brcoinst32.dll 2010-05-14 21:00:14 283648 ----a-w- c:\programdata\blackbox32.dll 2010-05-14 20:00:12 283648 ----a-w- c:\programdata\bidispl32.dll 2010-05-14 19:00:10 283648 ----a-w- c:\programdata\bae32.dll 2010-05-14 18:00:07 283648 ----a-w- c:\programdata\avifil3232.dll 2010-05-14 17:00:03 283648 ----a-w- c:\programdata\AudioSes32.dll ==================== Find3M ==================== 2010-05-14 16:00:05 283648 ----a-w- c:\programdata\authui32.dll 2010-05-14 15:00:04 283648 ----a-w- c:\programdata\AuthFWGP32.dll 2010-05-14 12:59:59 283648 ----a-w- c:\programdata\iassvcs32.dll 2010-05-14 10:59:56 283648 ----a-w- c:\programdata\iasdatastore32.dll 2010-05-14 09:59:57 283648 ----a-w- c:\programdata\iasnap32.dll 2010-05-14 08:59:53 283648 ----a-w- c:\programdata\HotStartUserAgent32.dll 2010-05-14 07:59:47 283648 ----a-w- c:\programdata\gptext32.dll 2010-05-14 06:59:49 283648 ----a-w- c:\programdata\halmacpi32.dll 2010-05-14 02:59:43 284160 ----a-w- c:\programdata\FwRemoteSvr32.dll 2010-05-14 01:59:41 284160 ----a-w- c:\programdata\framedyn32.dll 2010-05-14 00:59:38 284160 ----a-w- c:\programdata\fltLib32.dll 2010-05-13 21:59:33 284160 ----a-w- c:\programdata\fdBth32.dll 2010-05-13 19:59:30 284160 ----a-w- c:\programdata\esentprf32.dll 2010-05-13 18:59:44 284160 ----a-w- c:\programdata\GameUXLegacyGDFs32.dll 2010-05-13 17:59:32 284160 ----a-w- c:\programdata\E_FD4BFCA32.dll 2010-05-13 16:59:32 284160 ----a-w- c:\programdata\evr32.dll 2010-05-13 15:59:29 284160 ----a-w- c:\programdata\EpPicPrt32.dll 2010-05-13 14:59:26 284160 ----a-w- c:\programdata\EAPQEC32.dll 2010-05-13 13:59:17 284160 ----a-w- c:\programdata\ds16gt32.dll 2010-05-13 12:14:44 284160 ----a-w- c:\programdata\DHCPQEC32.dll 2010-05-13 06:17:36 284160 ----a-w- c:\programdata\ddrawex32.dll 2010-05-13 05:17:29 284160 ----a-w- c:\programdata\d3d10core32.dll 2010-05-13 03:17:27 284160 ----a-w- 
c:\programdata\ctl3dv232.dll 2010-05-13 01:17:24 284160 ----a-w- c:\programdata\cryptdlg32.dll 2010-05-12 23:17:23 284160 ----a-w- c:\programdata\credui32.dll 2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-04-11 19:07:16 203776 --sh--w- c:\programdata\unrar.exe 2010-03-30 22:57:40 203264 ----a-w- c:\windows\system32\fltLib32.dll 2010-03-30 22:57:39 130048 ----a-w- c:\windows\system32\findnetprinters32.dll 2009-11-17 08:21:25 665600 ----a-w- c:\windows\inf\drvindex.dat 2009-11-17 08:21:25 51200 ----a-w- c:\windows\inf\infpub.dat 2009-11-17 08:21:24 86016 ----a-w- c:\windows\inf\infstor.dat 2009-11-17 08:21:24 143360 ----a-w- c:\windows\inf\infstrng.dat 2008-11-10 01:23:27 174 --sha-w- c:\program files\desktop.ini 2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat 2009-10-15 18:45:39 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat 2009-10-15 07:18:17 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat ============= FINISH: 12:22:01.31 =============== UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. 
IF REQUESTED, ZIP IT UP & ATTACH IT DDS (Ver_10-03-17.01) ==== Installed Programs ====================== Activation Assistant for the 2007 Microsoft Office suites Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 7.0.8 AOL Uninstaller (Choose which Products to Remove) Apple Application Support Apple Mobile Device Support Apple Software Update ATI Catalyst Control Center Ex ATI Catalyst Install Manager Bonjour Browser Address Error Redirector Comcast High-Speed Internet Install Wizard eMachines Recovery Center Installer Epson CreativeZone Epson Easy Photo Print 2 EPSON NX410 Series Printer Uninstall EPSON Scan HiJackThis Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) iTunes Java™ SE Runtime Environment 6 LiveUpdate 3.3 (Symantec Corporation) LTCM Client Malwarebytes' Anti-Malware Microsoft .NET Framework 3.5 SP1 Microsoft Digital Image Library 9 - Blocker Microsoft Digital Image Starter Edition 2006 Microsoft Digital Image Starter Edition 2006 Editor Microsoft Digital Image Starter Edition 2006 Library Microsoft Office Excel MUI (English) 2007 Microsoft Office Home and Student 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Small Business Edition 2003 Microsoft Office Word MUI (English) 2007 Microsoft Visual C++ 2005 Redistributable Microsoft Works MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB941833) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Power2Go 5.0 QuickTime Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista Realtek High Definition Audio Driver RTC Client API v1.2 Safari Soft Data Fax Modem with SmartCP Spybot - 
Search & Destroy Symantec AntiVirus Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Viewpoint Media Player ==== End Of File ===========================
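As an added illustration (not part of this thread and not code from DDS, ComboFix or any other tool used here), the script below parses DDS-style file listings like the "Created Last 30" / "Find3M" sections above and flags the two patterns visible in this log: a batch of same-size DLLs dropped into c:\programdata, and executables carrying hidden+system attributes. The sample lines are constructed to mirror entries in this log.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# One DDS/ComboFix file entry: "<date> <time> <size> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*?)\s*$"
)

# Constructed sample modelled on the "Created Last 30" section of the DDS log
# above (not copied verbatim; kept short on purpose).
SAMPLE_LOG = r"""
2010-06-13 14:43:22 321024 ----a-w- c:\programdata\dmocx32.dll
2010-06-13 14:18:21 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-13 14:13:38 0 d-----w- c:\program files\Symantec
2010-05-15 02:00:25 283648 ----a-w- c:\programdata\certmgr32.dll
2010-05-15 00:00:20 283648 ----a-w- c:\programdata\catsrvps32.dll
2010-05-14 23:00:17 283648 ----a-w- c:\programdata\bthci32.dll
2010-05-14 22:00:15 283648 ----a-w- c:\programdata\brcoinst32.dll
2010-04-11 19:07:16 203776 --sh--w- c:\programdata\unrar.exe
2010-03-30 22:57:40 203264 ----a-w- c:\windows\system32\fltLib32.dll
2008-11-10 01:23:27 174 --sha-w- c:\program files\desktop.ini
"""

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


def parse_entries(text):
    """Return a dict per line that looks like a DDS file entry; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, prose
        entries.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def find_dll_batches(entries, min_count=3):
    """Group DLLs by (directory, size). Many same-size DLLs landing in a
    user-writable directory such as ProgramData is the pattern in this log."""
    groups = defaultdict(list)
    for e in entries:
        p = PureWindowsPath(e["path"])
        if p.suffix.lower() == ".dll":
            groups[(str(p.parent).lower(), e["size"])].append(e)
    batches = []
    for (directory, size), members in groups.items():
        if len(members) >= min_count:
            times = sorted(m["when"] for m in members)
            batches.append({
                "directory": directory,
                "size": size,
                "count": len(members),
                "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 2),
                "paths": sorted(m["path"] for m in members),
            })
    return sorted(batches, key=lambda b: -b["count"])


def find_hidden_executables(entries):
    """Executables that carry both the system (s) and hidden (h) attributes."""
    hits = []
    for e in entries:
        ext = PureWindowsPath(e["path"]).suffix.lower()
        if ext in EXECUTABLE_EXTS and "s" in e["attrs"] and "h" in e["attrs"]:
            hits.append(e["path"])
    return hits


def triage(text):
    """Run both heuristics over a log and return a summary dict."""
    entries = parse_entries(text)
    return {
        "entries": len(entries),
        "dll_batches": find_dll_batches(entries),
        "hidden_executables": find_hidden_executables(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"parsed {report['entries']} entries")
    for b in report["dll_batches"]:
        print(f"{b['count']} x {b['size']}-byte DLLs in {b['directory']} "
              f"over {b['span_hours']} h: {', '.join(b['paths'])}")
    for path in report["hidden_executables"]:
        print(f"hidden+system executable: {path}")
```

Point it at a saved DDS.txt by replacing SAMPLE_LOG with the file's contents; everything else in the log that is not a file entry is ignored by the parser.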

#5 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 13 June 2010 - 02:41 PM

The computer is running very slow. Only has 512mb of RAM and I suspect that may be part of it.

That's just about as low as you can go, if not too low, and with a big antivirus engine on board it will definitely bog down.
Some programs may not open and run because of lack of resources.


There is one more scan I'd like for you to run. I'm thinking it should be done in safe mode to free up as many resources as possible.


Download ComboFix from either of these locations:
Link 1
Link 2




VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.




You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#6 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 13 June 2010 - 05:29 PM

Well I ran out and got 2 sticks of 1gb DDR2 so now the computer is running 2gb ram. It seems normal, I think! :) Everything seems to be opening faster. So I ran ComboFix and here is the log:

ComboFix 10-06-12.04 - steve 06/13/2010 16:36:37.1.2 - x86 Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.445.144 [GMT -4:00] Running from: c:\users\steve\Desktop\ComboFix.exe AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf c:\programdata\AudioSes32.dll c:\programdata\AuthFWGP32.dll c:\programdata\authui32.dll c:\programdata\AuxiliaryDisplayClassInstaller32.dll c:\programdata\avifil3232.dll c:\programdata\axaltocm32.dll c:\programdata\bae32.dll c:\programdata\batmeter32.dll c:\programdata\bidispl32.dll c:\programdata\blackbox32.dll c:\programdata\brcoinst32.dll c:\programdata\bthci32.dll c:\programdata\catsrvps32.dll c:\programdata\CddbLangDE32.dll c:\programdata\certmgr32.dll c:\programdata\cewmdm32.dll c:\programdata\chsbrkr32.dll c:\programdata\cic32.dll c:\programdata\cmpbk3232.dll c:\programdata\cofiredm32.dll c:\programdata\colorui32.dll c:\programdata\credui32.dll c:\programdata\cryptdlg32.dll c:\programdata\ctl3dv232.dll c:\programdata\d3d10core32.dll c:\programdata\d3d8thk32.dll c:\programdata\dataclen32.dll c:\programdata\dbnetlib32.dll 
c:\programdata\DDACLSys32.dll c:\programdata\ddrawex32.dll c:\programdata\devmgr32.dll c:\programdata\DfrgRes32.dll c:\programdata\DfsShlEx32.dll c:\programdata\DHCPQEC32.dll c:\programdata\diagperf32.dll c:\programdata\ds16gt32.dll c:\programdata\E_FD4BFCA32.dll c:\programdata\EAPQEC32.dll c:\programdata\EpPicPrt32.dll c:\programdata\esentprf32.dll c:\programdata\evr32.dll c:\programdata\fdBth32.dll c:\programdata\fltLib32.dll c:\programdata\framedyn32.dll c:\programdata\FwRemoteSvr32.dll c:\programdata\GameUXLegacyGDFs32.dll c:\programdata\gptext32.dll c:\programdata\halmacpi32.dll c:\programdata\HotStartUserAgent32.dll c:\programdata\iasdatastore32.dll c:\programdata\iasnap32.dll c:\programdata\iassvcs32.dll c:\programdata\SysWoW32 c:\programdata\SysWoW32\@u34508796v0 c:\programdata\SysWoW32\@u34508796v1 c:\programdata\SysWoW32\@u34508796v2 c:\programdata\SysWoW32\@u34508796v3 c:\programdata\SysWoW32\@u34508796v4 c:\programdata\SysWoW32\@u34508796v5 c:\programdata\SysWoW32\@u34508796v6 c:\programdata\SysWoW32\@u34508796v7 c:\programdata\SysWoW32\_u34508796v0 c:\programdata\SysWoW32\_u34508796v1 c:\programdata\SysWoW32\_u34508796v2 c:\programdata\SysWoW32\_u34508796v3 c:\programdata\SysWoW32\_u34508796v4 c:\programdata\SysWoW32\_u34508796v5 c:\programdata\SysWoW32\_u34508796v6 c:\programdata\SysWoW32\_u34508796v7 c:\programdata\SysWoW32\mu34508796v4 c:\programdata\SysWoW32\mu34508796v4.kwd c:\programdata\SysWoW32\mu34508796v5 c:\programdata\SysWoW32\mu34508796v5.kwd c:\programdata\SysWoW32\mu34508796v6 c:\programdata\SysWoW32\mu34508796v6.kwd c:\programdata\SysWoW32\mu34508796v7 c:\programdata\SysWoW32\mu34508796v7.kwd c:\programdata\SysWoW32\wu34508796v0.kwd c:\programdata\SysWoW32\wu34508796v1 c:\programdata\SysWoW32\wu34508796v1.kwd c:\programdata\SysWoW32\wu34508796v2 c:\programdata\SysWoW32\wu34508796v2.kwd c:\programdata\SysWoW32\wu34508796v3 c:\programdata\SysWoW32\wu34508796v3.kwd c:\programdata\unrar.exe c:\programdata\Windows c:\users\belanger 
#2\AppData\Roaming\02000000b2cda569867C.manifest c:\users\belanger #2\AppData\Roaming\02000000b2cda569867O.manifest c:\users\belanger #2\AppData\Roaming\02000000b2cda569867P.manifest c:\users\belanger #2\AppData\Roaming\02000000b2cda569867S.manifest c:\users\belanger #2\AppData\Roaming\E8F5.tmp c:\users\steve\AppData\Roaming\02000000b2cda569867C.manifest c:\users\steve\AppData\Roaming\02000000b2cda569867O.manifest c:\users\steve\AppData\Roaming\02000000b2cda569867P.manifest c:\users\steve\AppData\Roaming\02000000b2cda569867S.manifest c:\users\steve\AppData\Roaming\SystemProc c:\users\steve\AppData\Roaming\SystemProc\lsass.exe D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 ))))))))))))))))))))))))))))))) . 2010-06-13 20:57 . 2010-06-13 20:58 -------- d-----w- c:\users\steve\AppData\Local\temp 2010-06-13 20:57 . 2010-06-13 20:57 -------- d-----w- c:\users\Guest\AppData\Local\temp 2010-06-13 20:57 . 2010-06-13 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-06-13 20:57 . 2010-06-13 20:57 -------- d-----w- c:\users\belanger #2\AppData\Local\temp 2010-06-13 17:21 . 2010-06-13 17:21 -------- d-----w- C:\57bfed0428aa0ff76eb42624936629b1 2010-06-13 17:20 . 2010-06-13 17:20 -------- d-----w- c:\windows\CheckSur 2010-06-13 17:11 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys 2010-06-13 14:20 . 2010-06-13 14:20 -------- d-----w- c:\users\steve\AppData\Local\Symantec 2010-06-13 14:18 . 2010-06-13 14:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2010-06-13 14:13 . 2010-06-13 14:18 -------- d-----w- c:\program files\Symantec 2010-06-13 14:13 . 2010-06-13 14:21 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-06-13 14:13 . 2010-06-13 14:20 -------- d-----w- c:\programdata\Symantec 2010-06-13 14:13 . 2010-06-13 14:13 -------- d-----w- c:\program files\Symantec AntiVirus 2010-06-11 22:38 . 
2010-06-11 22:38 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Malwarebytes 2010-06-11 22:36 . 2010-06-11 22:36 -------- d-----w- c:\program files\Trend Micro 2010-06-11 22:32 . 2010-06-12 01:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2010-06-11 22:32 . 2010-06-11 23:19 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-06-11 22:27 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-11 22:26 . 2010-06-11 22:26 -------- d-----w- c:\programdata\Malwarebytes 2010-06-11 22:26 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-11 22:26 . 2010-06-11 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-11 22:23 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll 2010-06-11 21:56 . 2010-06-11 21:56 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Leader Technologies 2010-06-07 23:58 . 2010-06-07 23:58 -------- d-----w- c:\users\belanger #2\AppData\Local\Symantec 2010-06-06 17:30 . 2010-06-06 17:30 -------- d-----w- C:\N360_BACKUP 2010-05-20 22:58 . 2010-06-13 20:12 -------- d-----w- c:\users\steve\AppData\Local\CrashDumps 2010-05-20 16:57 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys 2010-05-20 16:57 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll 2010-05-20 16:54 . 2010-05-20 16:54 -------- d-----w- c:\programdata\NortonInstaller 2010-05-20 16:46 . 2010-06-13 13:56 -------- d-----w- c:\programdata\Norton . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-13 20:34 . 2010-04-11 19:07 -------- d-----w- c:\programdata\1785115329 2010-06-13 14:43 . 2010-06-13 14:43 321024 ----a-w- c:\programdata\dmocx32.dll 2010-06-13 14:43 . 2010-06-13 14:43 1107968 --sha-w- c:\users\steve\AppData\Roaming\276A.tmp 2010-06-13 14:18 . 2010-06-13 14:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF 2010-06-13 14:18 . 
2010-06-13 14:18 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT 2010-06-11 23:06 . 2010-06-11 23:05 1107968 --sha-w- c:\users\belanger #2\AppData\Roaming\3C00.tmp 2010-06-11 21:56 . 2007-02-12 00:27 104176 ----a-w- c:\users\belanger #2\AppData\Local\GDIPFONTCACHEV1.DAT 2010-06-08 03:35 . 2006-12-16 21:49 -------- d-----w- c:\program files\Microsoft Works 2010-06-07 23:40 . 2006-12-16 21:51 -------- d-----w- c:\program files\Google 2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\BC8C.tmp 2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\A440.tmp 2010-05-13 07:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2010-05-12 15:21 . 2009-10-02 23:27 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-03-30 22:57 . 2010-03-30 22:57 203264 ----a-w- c:\windows\system32\fltLib32.dll 2010-03-30 22:57 . 2010-03-30 22:57 130048 ----a-w- c:\windows\system32\findnetprinters32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2008-12-24 1540288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]

c:\users\belanger #2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(B):72,d6,fe,21,d3,1a,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-500]
"EnableNotificationsRef"=dword:00000002

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2008-04-03 121744]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-12 102448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

BHO-{046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - c:\programdata\brcoinst32.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 16:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\System32\findnetprinters32.dll
.
Completion time: 2010-06-13 17:14:40
ComboFix-quarantined-files.txt 2010-06-13 21:14

Pre-Run: 116,903,280,640 bytes free
Post-Run: 116,912,435,200 bytes free

- - End Of File - - 72A326157E161FAE519FB0993BC00F99

#7 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 13 June 2010 - 08:29 PM

I ran Startup Inspector to find anything I don't need at startup. I noticed that this is on the list of startup items. I removed it and it just came back when I restarted. http://www.bleepingc...DBPL-25560.html Thanks so much for everything so far!

Edited by Bubba5056, 13 June 2010 - 08:31 PM.


#8 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 13 June 2010 - 10:33 PM

Well I ran out and got 2 sticks of 1gb DDR2 so now the computer is running 2gb ram. It seems normal i think! :) Everything seems to be opening faster.

Yes, you should notice a good difference.


I ran Startup Inspector to find anything I don't need at startup. I noticed that this is on the list of startup items. I removed it and it just came back when I restarted.

http://www.bleepingc...DBPL-25560.html

Thanks so much for everything so far!

Did you run it before or after running ComboFix?



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to: VirusTotal


  • Click the Browse button and search for the following file: c:\programdata\dmocx32.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, so please be patient.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Using Internet Explorer, visit http://www.kaspersky...n=1260122209224
Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition
    files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%
.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419


In your next reply post:
File requested scanned
Kaspersky log
New HJT log taken after the above scans have run


You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#9 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 14 June 2010 - 10:22 PM

Did you run it before or after running ComboFix?


After ComboFix.

The computer seems to be running like a charm :)

Enclosed are the logs. Thanks for all this help again!

Scanned file at this link:

http://www.virustota...e2d8-1276545105

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, June 14, 2010
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, June 14, 2010 14:47:05
Records in database: 4276006
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 146880
Threats found: 10
Infected objects found: 60
Suspicious objects found: 0
Scan duration: 04:25:41


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\ProgramData\AudioSes32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\AuthFWGP32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\authui32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\AuxiliaryDisplayClassInstaller32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\avifil3232.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\axaltocm32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\bae32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\batmeter32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\bidispl32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\blackbox32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\brcoinst32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\bthci32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\catsrvps32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\CddbLangDE32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\certmgr32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\cewmdm32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\chsbrkr32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\cic32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\cmpbk3232.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\cofiredm32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\colorui32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\credui32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\cryptdlg32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\ctl3dv232.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\d3d10core32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\d3d8thk32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\dataclen32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\dbnetlib32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\DDACLSys32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\ddrawex32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\devmgr32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\DfrgRes32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\DfsShlEx32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\DHCPQEC32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\diagperf32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\ds16gt32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\EAPQEC32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\EpPicPrt32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\esentprf32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\evr32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\E_FD4BFCA32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\fdBth32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\fltLib32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\framedyn32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\FwRemoteSvr32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\GameUXLegacyGDFs32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\gptext32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\halmacpi32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\HotStartUserAgent32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\iasdatastore32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\iasnap32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\iassvcs32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\@u34508796v1.vir Infected: Trojan.Win32.Pincav.aaml 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\wu34508796v1.vir Infected: Trojan.Win32.Pincav.aaoe 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\wu34508796v2.vir Infected: Trojan.Win32.Pincav.abnk 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\_u34508796v1.vir Infected: Trojan.Win32.Pincav.aane 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\_u34508796v2.vir Infected: Trojan.Win32.Pincav.aanv 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\_u34508796v3.vir Infected: Trojan.Win32.Pincav.aaqx 1
C:\Qoobox\Quarantine\C\Users\belanger #2\AppData\Roaming\E8F5.tmp.vir Infected: Trojan.Win32.Agent2.cruq 1
C:\Windows\System32\findnetprinters32.dll Infected: Trojan.Win32.BHO.ahfx 1

Selected area has been scanned.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:57 PM, on 6/14/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...Sys=DTP&M=T5082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6449 bytes

Edited by Bubba5056, 14 June 2010 - 10:25 PM.
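A note on reading that Kaspersky report, as an added example rather than anything from the thread or from Kaspersky: almost every line is a path under C:\Qoobox\Quarantine with a .vir extension, which is where ComboFix parks what it has already removed, so those hits are not live. The one detection that matters is C:\Windows\System32\findnetprinters32.dll, the same DLL the ComboFix log above showed loaded inside winlogon.exe. The Python script below (my code) does that triage automatically: it parses the "<path> Infected: <threat> <count>" lines, separates quarantined copies from files still on disk, and tallies threat families. The sample input is a handful of lines copied from the report above, not the full report.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the Kaspersky report
# posted in this thread, not the full report.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 146880
Threats found: 10
Infected objects found: 60

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\ProgramData\AudioSes32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1
C:\Qoobox\Quarantine\C\ProgramData\credui32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1
C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\wu34508796v1.vir Infected: Trojan.Win32.Pincav.aaoe 1
C:\Qoobox\Quarantine\C\Users\belanger #2\AppData\Roaming\E8F5.tmp.vir Infected: Trojan.Win32.Agent2.cruq 1
C:\Windows\System32\findnetprinters32.dll Infected: Trojan.Win32.BHO.ahfx 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>". The path may
# contain spaces, so match it non-greedily up to the "Infected:" marker.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# ComboFix moves what it removes to C:\Qoobox\Quarantine and renames the file
# with a .vir extension so it can no longer be loaded or executed.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def is_quarantined(path):
    """True if the path points at a neutralised copy rather than a live file."""
    p = path.lower()
    return p.startswith(QUARANTINE_PREFIX) or p.endswith(".vir")


def family(threat):
    """Trojan.Win32.BHO.ahdy -> Trojan.Win32.BHO (drop the per-variant suffix)."""
    head, sep, _tail = threat.rpartition(".")
    return head if sep else threat


def triage(report):
    """Split detections into live vs quarantined and tally threat families."""
    live, quarantined = [], []
    families = Counter()
    for raw in report.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue  # header, statistics or blank line
        path, threat, count = m["path"], m["threat"], int(m["count"])
        families[family(threat)] += count
        bucket = quarantined if is_quarantined(path) else live
        bucket.append((path, threat))
    return {"live": live, "quarantined": quarantined, "families": families}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['quarantined'])} detection(s) already in quarantine")
    for path, threat in result["live"]:
        print(f"STILL LIVE: {path}  ({threat})")
    for name, n in result["families"].most_common():
        print(f"{n:3d}  {name}")
```

Run against the full report, the live list is what still needs removing; the quarantined list just confirms ComboFix did its job and can be purged once the machine is declared clean.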


#10 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 14 June 2010 - 10:50 PM

The computer seems to be running like a charm

Good deal, we should be at the end now.


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
C:\Windows\system32\crtdll32.dll
C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.


Post:
OTM log
new HJT log
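The two entries Juliet singles out above are the classic tells a malware tech looks for in a HijackThis log: a BHO with "(no name)" pointing at an unfamiliar DLL in System32, and a Run entry whose binary is called lsass.exe but lives under a user profile instead of C:\Windows\System32. As an added example (my code, not part of the thread or of HijackThis), the Python script below applies those heuristics to O2 and O4 lines. The sample input is a few lines copied from the logs posted above; the list of borrowed system process names and user-writable directories is my own choice, not a HijackThis rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, including the orphaned "(file missing)" form seen after cleanup.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)
"""

# Core Windows process names that malware borrows for camouflage (my list).
# The genuine binaries live only in C:\Windows\System32.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
}
SYSTEM32 = "c:\\windows\\system32\\"

# Directories an ordinary user account (and so malware running as that user)
# can write to. Autoruns pointing here deserve a second look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\programdata\\",
)

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - HKxx\..\Run: [<value name>] <path, maybe quoted>[ args]
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'"?(?P<path>[^"]+?\.(?:exe|dll|cmd|bat|scr))"?(?P<args>.*)$',
    re.IGNORECASE,
)


def review(hjt_log):
    """Return (section, path, reason) for entries a tech would question."""
    findings = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(("O2", m["path"],
                                 "orphaned BHO registration: file already gone, remove the CLSID"))
            elif m["name"].strip().lower() == "(no name)":
                findings.append(("O2", m["path"],
                                 "unnamed BHO: legitimate add-ons register a name, verify this DLL"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = m["path"]
        low = path.lower()
        base = PureWindowsPath(path).name.lower()
        if base in SYSTEM_PROCESS_NAMES and not low.startswith(SYSTEM32):
            findings.append(("O4", path,
                             f"{base} outside System32: masquerading as a system process"))
        elif any(marker in low for marker in USER_WRITABLE_MARKERS):
            findings.append(("O4", path, "autorun from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for section, path, reason in review(SAMPLE_HJT):
        print(f"[{section}] {path}\n     {reason}")
```

These are triage heuristics, not verdicts: an unnamed BHO from a known vendor is occasionally legitimate, which is why the thread sends the suspect DLL to VirusTotal before fixing the entry.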

#11 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 15 June 2010 - 05:47 PM

Okay, here are the logs:

All processes killed
Error: Unable to interpret <:FilesC:\Windows\system32\crtdll32.dllC:\Users\steve\AppData\Roaming\SystemProc\lsass.exe:reg[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RTHDBPL"=-:Commands[purity][resethosts][emptytemp][CREATERESTOREPOINT][EMPTYFLASH][Reboot]> in the current context!

OTM by OldTimer - Version 3.1.12.2 log created on 06152010_183819

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:47:23 PM, on 6/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...Sys=DTP&M=T5082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6481 bytes

#12 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 15 June 2010 - 05:56 PM

I figured I messed up the OTM instructions. I copied and pasted that text and everything pasted on just one line. So I ran HJT again and fixed:

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\ProgramData\brcoinst32.dll

(it said file is missing but I "fixed" it anyway). The other entry was not present. Next I ran OTM and separated the text on the proper lines and it produced a different log. Here's the new OTM log and new HJT log:

All processes killed
========== FILES ==========
C:\Windows\system32\crtdll32.dll moved successfully.
C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe moved successfully.
========== REGISTRY ==========
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"RTHDBPL"|-:Commands /E :invalid edit format. Invalid data type.

OTM by OldTimer - Version 3.1.12.2 log created on 06152010_185012

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:52:57 PM, on 6/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...Sys=DTP&M=T5082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6161 bytes

Edited by Bubba5056, 15 June 2010 - 05:58 PM.


#13 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 15 June 2010 - 09:44 PM

Looking better now.


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)


Now reboot the computer.

In your next reply post:
new HJT log


how's the computer now?
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#14 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 16 June 2010 - 02:46 AM

I did the fix, restarted the computer, and here is the new log. That O2 is still there. The computer is running perfect!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:44:27 AM, on 6/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...Sys=DTP&M=T5082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6458 bytes

Edited by Bubba5056, 16 June 2010 - 02:47 AM.


#15 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 16 June 2010 - 05:27 AM

That pesky varmint.

Tell me how the computer is now.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix should still be on desktop.

Right click and select delete.

Now we'll download an updated copy.


Download ComboFix from either of these locations:
Link 1
Link 2

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail.

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723}]
Reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

[Screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please post the new ComboFix.txt
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013
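The HijackThis fix in post #13 and the Registry:: stanza in the CFScript above remove the same thing: the Browser Helper Objects registration for {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723}, whose DLL crtdll32.dll is already gone but which Internet Explorer still tries to load at every start (and which a later dropper could reuse by writing a new file at that path). The following script is an added example and is not code from this thread or from the HijackThis or ComboFix authors; it parses O2 lines out of a HijackThis log, picks out the BHOs whose DLL is reported missing, and emits the CFScript Registry:: stanza that deletes their keys. The sample log lines are constructed from the log in this thread, and the function and variable names are the example's own.

```python
import re

# Constructed sample: four lines copied from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Registry key under which IE enumerates BHOs; the key the CFScript deletes from.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# O2 lines look like: O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_bhos(log_text):
    """Return one dict per O2 line: name, CLSID, DLL path, and whether HJT flagged the DLL as missing."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m is None:
            continue  # not an O2 line (O4, R1, ...): ignore
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
        })
    return entries


def orphaned_bhos(entries):
    """BHO registrations whose DLL is gone.

    Deleting a DLL does not unregister it: IE keeps trying to load the CLSID
    at start-up. Removing the key is what HJT's 'fix checked' and the CFScript
    stanza built below both do.
    """
    return [e for e in entries if e["missing"]]


def cfscript_registry_block(clsids):
    """Build a ComboFix CFScript 'Registry::' stanza deleting the given BHO keys.

    ComboFix's '[-key]' syntax, as used in the post above, means 'delete this key'.
    """
    lines = ["Registry::"]
    for clsid in clsids:
        lines.append("[-%s\\%s]" % (BHO_KEY, clsid))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_bhos(SAMPLE_HJT)
    orphans = orphaned_bhos(found)
    for e in orphans:
        print("orphaned BHO %s -> %s" % (e["clsid"], e["path"]))
    print(cfscript_registry_block([e["clsid"] for e in orphans]))
```

Run against the sample it reports the single orphaned registration and prints the same Registry:: stanza Juliet wrote by hand. The script only generates the stanza; whether a BHO with a present DLL is legitimate still needs the vendor and signature check a human does on each O2 line.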

#16 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 16 June 2010 - 09:52 AM

The computer is running perfectly.

ComboFix 10-06-15.03 - steve 06/16/2010 10:31:18.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1169 [GMT -4:00]
Running from: c:\users\steve\Desktop\ComboFix.exe
Command switches used :: c:\users\steve\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\SysWoW32
c:\programdata\SysWoW32\mu34508796v4
c:\programdata\SysWoW32\mu34508796v4.kwd
c:\programdata\SysWoW32\mu34508796v5
c:\programdata\SysWoW32\mu34508796v5.kwd
c:\programdata\SysWoW32\mu34508796v6
c:\programdata\SysWoW32\mu34508796v6.kwd
c:\programdata\SysWoW32\mu34508796v7
c:\programdata\SysWoW32\mu34508796v7.kwd
c:\programdata\SysWoW32\wu34508796v0
c:\programdata\SysWoW32\wu34508796v0.kwd
c:\programdata\SysWoW32\wu34508796v1
c:\programdata\SysWoW32\wu34508796v1.kwd
c:\programdata\SysWoW32\wu34508796v2
c:\programdata\SysWoW32\wu34508796v2.kwd
c:\programdata\SysWoW32\wu34508796v3
c:\programdata\SysWoW32\wu34508796v3.kwd
c:\programdata\unrar.exe
c:\users\belanger #2\AppData\Roaming\3C00.tmp
c:\users\steve\AppData\Roaming\02000000b2cda569867C.manifest
c:\users\steve\AppData\Roaming\02000000b2cda569867O.manifest
c:\users\steve\AppData\Roaming\02000000b2cda569867P.manifest
c:\users\steve\AppData\Roaming\02000000b2cda569867S.manifest
c:\users\steve\AppData\Roaming\276A.tmp
c:\users\steve\AppData\Roaming\D2F3.tmp
c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}
c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\chrome.manifest
c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\chrome\xulcache.jar
c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\defaults\preferences\xulcache.js
c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\install.rdf
c:\users\steve\AppData\Roaming\SystemProc
c:\users\steve\AppData\Roaming\SystemProc\upd.exe
c:\windows\GnuHashes.ini
.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.
2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\steve\AppData\Local\temp
2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\belanger #2\AppData\Local\temp
2010-06-15 22:38 . 2010-06-15 22:38 -------- d-----w- C:\_OTM
2010-06-15 22:31 . 2010-06-15 22:31 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-06-15 03:44 . 2010-06-15 03:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 19:58 . 2010-06-14 19:58 -------- d-----w- c:\windows\Sun
2010-06-14 01:24 . 2010-06-14 01:24 -------- d-----w- c:\users\steve\AppData\Local\Apple Computer
2010-06-14 01:17 . 2010-06-15 22:43 -------- d-----w- c:\users\steve\AppData\Roaming\wsInspector
2010-06-14 01:15 . 2010-06-14 01:15 -------- d-----w- c:\program files\Startup Inspector for Windows
2010-06-14 00:48 . 2010-06-14 00:48 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-06-14 00:04 . 2010-06-14 00:04 -------- d-----w- c:\program files\Microsoft
2010-06-14 00:03 . 2010-06-14 00:03 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-14 00:03 . 2010-06-14 00:04 -------- d-----w- c:\program files\Windows Live
2010-06-14 00:02 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-06-14 00:02 . 2010-06-14 00:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-14 00:00 . 2010-06-14 00:00 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-13 23:32 . 2010-06-13 23:32 -------- d-----w- c:\windows\PCHEALTH
2010-06-13 23:32 . 2010-06-13 23:32 -------- d-----w- c:\program files\Microsoft.NET
2010-06-13 23:26 . 2010-06-13 23:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-13 23:24 . 2010-06-13 23:24 -------- d-----w- c:\users\steve\AppData\Local\Microsoft Help
2010-06-13 23:19 . 2009-02-24 22:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2010-06-13 22:43 . 2010-06-13 22:43 -------- d-----w- c:\users\steve\AppData\Local\Mozilla
2010-06-13 17:21 . 2010-06-13 17:21 -------- d-----w- C:\57bfed0428aa0ff76eb42624936629b1
2010-06-13 17:20 . 2010-06-13 17:20 -------- d-----w- c:\windows\CheckSur
2010-06-13 17:03 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-13 17:03 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-13 17:02 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-13 14:54 . 2010-06-13 14:54 388096 ----a-r- c:\users\steve\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-13 14:43 . 2010-06-13 14:43 321024 ----a-w- c:\programdata\dmocx32.dll
2010-06-13 14:20 . 2010-06-13 14:20 -------- d-----w- c:\users\steve\AppData\Local\Symantec
2010-06-13 14:18 . 2010-06-13 14:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-13 14:13 . 2010-06-13 14:18 -------- d-----w- c:\program files\Symantec
2010-06-13 14:13 . 2010-06-13 14:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-13 14:13 . 2010-06-13 14:20 -------- d-----w- c:\programdata\Symantec
2010-06-13 14:13 . 2010-06-13 14:13 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-11 22:38 . 2010-06-11 22:38 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Malwarebytes
2010-06-11 22:37 . 2010-06-11 22:37 388096 ----a-r- c:\users\belanger #2\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-11 22:36 . 2010-06-11 22:36 -------- d-----w- c:\program files\Trend Micro
2010-06-11 22:32 . 2010-06-12 01:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-11 22:32 . 2010-06-11 23:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-11 22:27 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 22:26 . 2010-06-11 22:26 -------- d-----w- c:\programdata\Malwarebytes
2010-06-11 22:26 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 22:26 . 2010-06-11 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 22:23 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-11 21:56 . 2010-06-11 21:56 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Leader Technologies
2010-06-07 23:58 . 2010-06-07 23:58 -------- d-----w- c:\users\belanger #2\AppData\Local\Symantec
2010-06-06 17:30 . 2010-06-06 17:30 -------- d-----w- C:\N360_BACKUP
2010-05-20 22:58 . 2010-06-15 22:50 -------- d-----w- c:\users\steve\AppData\Local\CrashDumps
2010-05-20 16:57 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-20 16:57 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-20 16:54 . 2010-05-20 16:54 -------- d-----w- c:\programdata\NortonInstaller
2010-05-20 16:46 . 2010-06-13 13:56 -------- d-----w- c:\programdata\Norton
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 03:45 . 2006-12-16 21:42 -------- d-----w- c:\program files\CONEXANT
2010-06-15 03:40 . 2006-12-16 21:47 -------- d-----w- c:\programdata\Microsoft Help
2010-06-14 01:05 . 2007-02-08 23:57 104248 ----a-w- c:\users\steve\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-14 00:56 . 2006-12-16 21:49 -------- d-----w- c:\program files\Microsoft Works
2010-06-14 00:22 . 2007-02-20 22:44 -------- d-----w- c:\program files\Common Files\aol
2010-06-14 00:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-13 23:34 . 2006-11-02 12:35 -------- d-----w- c:\program files\MSBuild
2010-06-13 22:52 . 2006-12-16 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-13 22:50 . 2007-02-20 22:44 -------- d-----w- c:\programdata\AOL
2010-06-13 22:48 . 2007-02-20 22:57 -------- d-----w- c:\users\steve\AppData\Roaming\AOL
2010-06-13 22:02 . 2010-06-13 22:02 0 ---ha-w- c:\users\steve\wrhqyuvyhi.tmp
2010-06-13 21:16 . 2010-04-11 19:07 -------- d-----w- c:\programdata\1785115329
2010-06-13 14:18 . 2010-06-13 14:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-13 14:18 . 2010-06-13 14:18 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-11 21:56 . 2007-02-12 00:27 104176 ----a-w- c:\users\belanger #2\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-07 23:40 . 2006-12-16 21:51 -------- d-----w- c:\program files\Google
2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\BC8C.tmp
2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\A440.tmp
2010-05-15 17:32 . 2010-05-15 17:32 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb3A78.tmp.exe
2010-05-12 15:21 . 2009-10-02 23:27 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59 . 2010-06-13 17:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-13 17:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-13 17:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-13 17:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-13 17:11 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-17 04:04 . 2010-04-17 04:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
2010-03-30 22:57 . 2010-03-30 22:57 203264 ----a-w- c:\windows\system32\fltLib32.dll
2010-03-30 22:57 . 2010-03-30 22:57 130048 ----a-w- c:\windows\system32\findnetprinters32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2008-12-24 1540288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\users\belanger #2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(B):72,d6,fe,21,d3,1a,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-1000]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-500]
"EnableNotificationsRef"=dword:00000002

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2008-04-03 121744]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-12 102448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
FF - ProfilePath - c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 10:38
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\users\steve\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2010-06-16 10:42:36
ComboFix-quarantined-files.txt 2010-06-16 14:42
ComboFix2.txt 2010-06-13 21:14

Pre-Run: 98,835,304,448 bytes free
Post-Run: 98,968,510,464 bytes free

- - End Of File - - 44554B4102529A1A614F9FE2D2E7BC82

#17 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 16 June 2010 - 03:02 PM

The computer is running perfectly.

Good deal.



  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
c:\users\steve\wrhqyuvyhi.tmp
c:\users\steve\AppData\Roaming\BC8C.tmp
c:\users\steve\AppData\Roaming\A440.tmp
C:\Windows\System32\findnetprinters32.dll
:Commands
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.


In your next reply post:
OTM log
new HJT log.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013
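Juliet picked c:\windows\system32\findnetprinters32.dll out of the ComboFix Find3M report above. In that listing it shares its creation minute with fltLib32.dll, and both files have a creation time equal to their modification time, which is what a freshly written file looks like; patched Windows binaries such as atmfd.dll or wininet.dll keep the older build modification time next to a recent creation time. The script below is an added example, not part of the thread and not ComboFix's own logic: it parses ComboFix's file-listing format ("created . modified size attributes path") and groups files under system32 that show that pattern by creation minute. The sample lines are copied from the log above. On them it also returns the SYMEVENT.INF/SYMEVENT.CAT pair, which the same log explains by the Symantec install between 14:13 and 14:18 on 2010-06-13, so the output is a candidate list for an analyst, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix "Files Created" and
# Find3M sections in this thread.
SAMPLE_COMBOFIX = r"""
2010-06-13 17:03 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-13 17:03 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-13 14:18 . 2010-06-13 14:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-13 14:18 . 2010-06-13 14:18 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-13 14:20 . 2010-06-13 14:20 -------- d-----w- c:\users\steve\AppData\Local\Symantec
2010-05-04 05:59 . 2010-06-13 17:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\BC8C.tmp
2010-03-30 22:57 . 2010-03-30 22:57 203264 ----a-w- c:\windows\system32\fltLib32.dll
2010-03-30 22:57 . 2010-03-30 22:57 130048 ----a-w- c:\windows\system32\findnetprinters32.dll
"""

# One listing line: <created> . <modified> <size or --------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def parse_listing(text):
    """Turn ComboFix file-listing lines into dicts; lines that are not entries are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        row = m.groupdict()
        row["is_dir"] = row["attrs"].startswith("d")   # first attribute flag is 'd' for directories
        row["size"] = None if row["is_dir"] else int(row["size"])
        rows.append(row)
    return rows


def dropped_file_clusters(rows, root=r"c:\windows\system32"):
    """Group files under `root` whose creation minute equals their modification minute.

    A file a dropper writes gets created and last-written at the same moment;
    a binary installed by a vendor package or Windows Update normally keeps the
    build's older modification time. Only groups of two or more files written
    in the same minute are returned, since multi-component drops are the
    pattern this triages for. Legitimate installers produce the same signature
    (see the SYMEVENT pair in the sample), so every cluster still needs review.
    """
    clusters = defaultdict(list)
    for r in rows:
        if r["is_dir"]:
            continue
        if not r["path"].lower().startswith(root.lower()):
            continue
        if r["created"] != r["modified"]:
            continue
        clusters[r["created"]].append(r["path"])
    return {ts: paths for ts, paths in clusters.items() if len(paths) >= 2}


if __name__ == "__main__":
    for ts, paths in sorted(dropped_file_clusters(parse_listing(SAMPLE_COMBOFIX)).items()):
        print(ts)
        for p in paths:
            print("    " + p)
```

The 2010-03-30 22:57 cluster is the pair Juliet acted on (fltLib32.dll had already been flagged earlier in the thread); the 2010-06-13 14:18 cluster is the Symantec driver's INF and catalog and is dismissed by reading the rest of the same log. The minute-level resolution is a limit of the ComboFix listing, not of the idea: with full timestamps from the file system the same grouping can be done to the second.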

#18 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 16 June 2010 - 03:53 PM

========== FILES ==========
c:\users\steve\wrhqyuvyhi.tmp moved successfully.
c:\users\steve\AppData\Roaming\BC8C.tmp moved successfully.
c:\users\steve\AppData\Roaming\A440.tmp moved successfully.
LoadLibrary failed for C:\Windows\System32\findnetprinters32.dll
C:\Windows\System32\findnetprinters32.dll moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.12.2 log created on 06162010_164628

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:53:17 PM, on 6/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\steve\Desktop\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...Sys=DTP&M=T5082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6378 bytes
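The HijackThis log above is what the helper reads by hand: O2 browser helper objects, O4 Run-key autostarts, O9 IE buttons and O23 services, each with a path. As an added example (not a tool from this thread and not part of HijackThis), here is a small Python 3.8+ script that parses those four line types and applies the checks a helper does first: a Windows system-binary name running from outside C:\Windows, an autostart pointing at a .tmp or .scr file, a binary living in a user-writable folder, a service with no vendor, a bare filename that depends on PATH lookup, and a registry entry whose file is gone ("(no file)"). The sample log inside it is constructed to mirror the format in the post; the last four sample lines are hypothetical and do not describe the poster's machine. The USER_WRITABLE and SYSTEM_NAMES rules are this example's own heuristics, not HijackThis behaviour.

```python
"""Triage a HijackThis 2.0.x log: parse the O2 (BHO), O4 (Run keys), O9 (IE
buttons) and O23 (services) lines and flag what a removal helper checks first.
Added example, not part of the thread or of HijackThis.  SAMPLE_LOG is
constructed to mirror the log format in the post; its last four lines are
hypothetical infections and do not describe the poster's machine."""
import re
from collections import namedtuple

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O4 - HKCU\..\Run: [Microsoft Update] C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe
O4 - HKLM\..\Run: [Updater] "C:\Users\alice\abcd1234.tmp" /s
O4 - HKCU\..\Run: [Installer] C:\Users\alice\AppData\Local\Temp\setup.exe
O23 - Service: Network Printer Finder (netprnfind) - Unknown owner - C:\Windows\System32\netprnfind.exe
"""

Entry = namedtuple("Entry", "kind name cmd extra", defaults=("",))  # extra: hive\key, vendor or CLSID
Finding = namedtuple("Finding", "kind name path severity reason")

# Line shapes exactly as HijackThis prints them.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")
# First executable-looking token of a command line, quoted or bare.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|sys|tmp|scr|com|bat|cmd))"?(?=\s|$)', re.I)
# Heuristic: places an ordinary user can write to (matched against lower-cased paths).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:appdata\\|[^\\]+$)|^[a-z]:\\programdata\\|\\temp\\|^[a-z]:\\[^\\]+$")
# Heuristic: names that belong under C:\Windows; anywhere else they are impersonation.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}

def parse(log_text):
    """Return Entry objects for the O2/O4/O9/O23 lines; every other line is skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O4" and (r := RUN_RE.match(body)):
            entries.append(Entry(kind, r["name"], r["cmd"], r["hive"] + "\\" + r["key"]))
        elif kind == "O23" and (s := SVC_RE.match(body)):
            entries.append(Entry(kind, s["name"], s["cmd"], s["vendor"]))
        elif kind == "O2" and (b := BHO_RE.match(body)):
            entries.append(Entry(kind, b["name"], b["cmd"], b["clsid"]))
        elif kind == "O9":
            parts = body.split(" - ")  # "Extra button: label - CLSID - path"
            entries.append(Entry(kind, parts[0], parts[-1]))
    return entries

def normalize(path):
    """Lower-case the path and expand the variables and 8.3 prefixes HJT leaves in."""
    p = path.lower()
    for var, root in (("%programfiles%", r"c:\program files"),
                      ("%windir%", r"c:\windows"), ("%systemroot%", r"c:\windows")):
        p = p.replace(var, root)
    return p.replace(r"c:\progra~1", r"c:\program files")

def classify(entry, path):
    """Return (severity, reason) for the first rule the entry trips, else None."""
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        return "high", "Windows system binary name running from outside C:\\Windows"
    if base.endswith((".tmp", ".scr")):
        return "high", "autostart points at a .tmp/.scr file"
    if USER_WRITABLE.search(path):
        return "medium", "binary lives in a user-writable location"
    if entry.kind == "O23" and entry.extra.lower() == "unknown owner":
        return "medium", "service has no vendor information"
    if "\\" not in path:
        return "low", "bare filename; which file loads depends on PATH search order"
    return None

def triage(log_text):
    """Parse a log and return the entries worth a second look, in log order."""
    findings = []
    for e in parse(log_text):
        if "(no file)" in e.cmd:
            findings.append(Finding(e.kind, e.name, e.cmd, "info", "entry points at a file that no longer exists"))
            continue
        m = EXE_RE.match(e.cmd)
        if not m:
            continue
        path = normalize(m["path"])
        hit = classify(e, path)
        if hit:
            findings.append(Finding(e.kind, e.name, path, hit[0], hit[1]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:3} [{f.name}] {f.path}  <- {f.reason}")
```

Run as-is it prints one line per flagged entry from the sample; feed a real log to triage() to get the same list for a posted log. The rules only rank what to look at first: a Run entry under AppData is where many legitimate updaters live too, so a helper still verifies each flagged path before deciding whether to have it moved or the entry fixed.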

#19 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 21,964 posts
  • Gender:Female


Posted 16 June 2010 - 03:59 PM

Looks good to me, I think we're ready to do final clean up and send you on your way.


Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run and copy and paste the following into the Run box:

ComboFix /Uninstall

Note the space between the x and the /U, it needs to be there.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You're good to go, good job!


Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
*NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

WOT (Web of Trust) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites: green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an add-on available for both Firefox and IE.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.
Trillian (http://www.trillian.cc) or Miranda-IM (http://www.miranda-im.com): these are malware-free instant messenger programs that allow you to connect to multiple IM services (AOL, Yahoo, ICQ, IRC, MSN) in one program.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.
Please note that these products can also be run free, without a licence, as on-demand scanners.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Please read this article 'Safe Computing Practices'.
So how did I get infected in the first place?

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet...owcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsuppo...-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date, because older versions may contain security holes. To find out which programs need to be updated, please run the Secunia Software Inspector scan: http://secunia.com/software_inspector/
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#20 Bubba5056

Bubba5056

    Member

  • Members
  • 65 posts

Posted 16 June 2010 - 05:14 PM

Great! Thanks for all the help!



