Bubba5056

Slow Vista. Found Trojans & Worms W/ Malwarebytes & Spybot


Hello there,

My sister's computer was running very slow and I ran Malwarebytes and Spybot and made a few fixes through those programs and it seems a bit better but not 100%. Enclosed please find the logs. She had Limewire installed. I removed Limewire after the Malwarebytes and Spybot scans and before the HJT scan.

Thanks for reading and for any help!

Spybot log first, then MBAM, then HJT.

--- Search result list ---
Fraud.avi: [SBI $61E87388] Library (File, nothing done)
  C:\Windows\System32\fltLib32.dll
  Properties.size=203264
  Properties.md5=84F3BD87D6F87ABCF12CE9F5B37A658A
  Properties.filedate=1269989861
  Properties.filedatetext=2010-03-30 18:57:40

Win32.Prolaco.p: [SBI $DB5BC1A0] Program directory (Directory, fixed)
  C:\Users\belanger #2\AppData\Roaming\SystemProc\

Win32.Swisyn: [SBI $66F4E1C2] Executable (File, nothing done)
  C:\Users\belanger #2\AppData\Roaming\SystemProc\lsass.exe
  Properties.size=0
  Properties.md5=D41D8CD98F00B204E9800998ECF8427E

DoubleClick: Tracking cookie (Internet Explorer: belanger #2) (Cookie, fixed)

MediaPlex: Tracking cookie (Internet Explorer: belanger #2) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-06-11 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi (*)
2010-06-08 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-06-08 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-06-08 Includes\HijackersC.sbi (*)
2010-06-09 Includes\iPhone.sbi (*)
2010-01-20 Includes\Keyloggers.sbi (*)
2010-06-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-06-09 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-06-08 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-06-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-03-02 Includes\Spyware.sbi (*)
2010-06-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-06-01 Includes\Trojans.sbi (*)
2010-06-08 Includes\TrojansC-02.sbi (*)
2010-06-08 Includes\TrojansC-03.sbi (*)
2010-06-08 Includes\TrojansC-04.sbi (*)
2010-06-09 Includes\TrojansC-05.sbi (*)
2010-06-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows Vista (Build: 6002) Service Pack 2 (6.0.6002)

--- Startup entries list ---
Located: HK_LM:Run, ATICCC
  command: "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
  file: C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
  size: 90112
  MD5: D331734EC12CC7A5F14D89735432800F

Located: HK_LM:Run, LTCM Client
  command: C:\Program Files\LTCM Client\ltcmClient.exe /startup
  file: C:\Program Files\LTCM Client\ltcmClient.exe
  size: 1540288
  MD5: A6CEDF7C168CFE5605BF632A39529C06

Located: HK_LM:Run, QuickTime Task
  command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
  file: C:\Program Files\QuickTime\QTTask.exe
  size: 421888
  MD5: ED7A6D40B20DC34BE06F4AE196AE7D50

Located: HK_LM:Run, RtHDVCpl
  command: RtHDVCpl.exe
  file: C:\Windows\RtHDVCpl.exe
  size: 3784704
  MD5: A503A47A5E7EA8024379A8CC6059B74A

Located: HK_LM:Run, Windows Defender
  command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
  file: C:\Program Files\Windows Defender\MSASCui.exe
  size: 1008184
  MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

Located: HK_LM:Run, Windows Mobile-based device management
  command: %windir%\WindowsMobile\wmdSync.exe
  file: C:\Windows\WindowsMobile\wmdSync.exe
  size: 215552
  MD5: 4AB05041D5C922B9A7A5D9059F5538CD

Located: HK_LM:RunOnce, Malwarebytes' Anti-Malware
  command: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
  file: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  size: 437584
  MD5: 5F0388038E7355982FE50B039D10315C

Located: HK_CU:Run, RTHDBPL
  where: S-1-5-21-3074645540-534623877-3370066440-1001...
  command: C:\Users\BELANG~1\AppData\Local\Temp\51FA.tmp
  file: C:\Users\BELANG~1\AppData\Local\Temp\51FA.tmp
  size: 155136
  MD5: 3BA1A133FC6E3158F9F2DF6B8475EED7

Located: Startup (user), OneNote 2007 Screen Clipper and Launcher.lnk
  where: C:\Users\belanger #2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
  command: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
  file: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
  size: 98632
  MD5: D91AFB6D2A0DA7539B74FB5838775D94

--- Browser helper object list ---
{046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} ()
  location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  BHO name:
  CLSID name:
  Path: C:\ProgramData\
  Long name: brcoinst32.dll
  Short name: BRCOIN~1.DLL
  Date (created): 5/14/2010 6:00:16 PM
  Date (last access): 5/14/2010 6:00:16 PM
  Date (last write): 5/14/2010 6:00:16 PM
  Filesize: 283648
  Attributes: archive
  MD5: 51F0C8EFA20F67F232F5D337C841FEED
  CRC32: FE8281CA

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} (Symantec NCO BHO)
  location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  BHO name: Symantec NCO BHO
  CLSID name: Symantec NCO BHO
  Path: C:\Program Files\Norton Security Suite\Engine\4.1.0.32\
  Long name: coieplg.dll
  Short name:
  Date (created): 5/20/2010 1:17:40 PM
  Date (last access): 5/20/2010 1:17:40 PM
  Date (last write): 3/25/2010 7:29:38 PM
  Filesize: 394608
  Attributes: readonly archive
  MD5: ADCA57DE93428F27EE87DFA0477E61F7
  CRC32: 6B6B9FFF
  Version: 2010.6.0.5

{6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Symantec Intrusion Prevention)
  location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  BHO name: Symantec Intrusion Prevention
  CLSID name: Symantec Intrusion Prevention
  Path: C:\Program Files\Norton Security Suite\Engine\4.1.0.32\
  Long name: ipsbho.dll
  Short name:
  Date (created): 5/20/2010 1:18:06 PM
  Date (last access): 5/20/2010 1:18:06 PM
  Date (last write): 11/16/2009 8:51:14 PM
  Filesize: 79224
  Attributes: readonly archive
  MD5: E60F55692DE0DF4F393A2A18C7FB9662
  CRC32: 3C09EEC1
  Version: 9.1.2.5

{9421DD08-935F-4701-A9CA-22DF90AC4EA6} (Easy Photo Print)
  location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  BHO name:
  CLSID name: Easy Photo Print
  Path: C:\Program Files\Epson Software\Easy Photo Print\
  Long name: EPTBL.dll
  Short name:
  Date (created): 9/10/2009 6:07:18 PM
  Date (last access): 9/10/2009 6:07:18 PM
  Date (last write): 4/2/2008 1:24:02 PM
  Filesize: 266240
  Attributes: archive
  MD5: EA3329E06D7C794B788CEADA90AB7000
  CRC32: AD3B39B9
  Version: 1.0.0.0

{CA6319C0-31B7-401E-A518-A07C3DB8F777} (Browser Address Error Redirector)
  location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  BHO name: Browser Address Error Redirector
  CLSID name: CBrowserHelperObject Object
  Path: c:\google\
  Long name: bae.dll
  Short name:
  Date (created): 12/16/2006 5:51:14 PM
  Date (last access): 12/16/2006 5:51:14 PM
  Date (last write): 2/1/2006 6:54:30 AM
  Filesize: 94208
  Attributes: archive
  MD5: 3467178AE878796650290CA54361C810
  CRC32: 9C59917B
  Version: 1.1.0.1

--- ActiveX list ---
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} ()
  DPF name:
  CLSID name:
  Installer: C:\Windows\Downloaded Program Files\gp.inf
  Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--- Process list ---
PID: 2180 (1092) C:\Windows\system32\taskeng.exe
  size: 169984
  MD5: E5BBFC283D6F5D69B41E464676361020
PID: 2476 (1072) C:\Windows\system32\Dwm.exe
  size: 81920
  MD5: 01DD1004181FD46ECDC3628228EB269D
PID: 2500 (2232) C:\Windows\Explorer.EXE
  size: 2926592
  MD5: D07D4C3038F3578FFCE1C0237F2A1253
PID: 1680 (2500) C:\Windows\RtHDVCpl.exe
  size: 3784704
  MD5: A503A47A5E7EA8024379A8CC6059B74A
PID: 940 (2500) C:\Windows\WindowsMobile\wmdSync.exe
  size: 215552
  MD5: 4AB05041D5C922B9A7A5D9059F5538CD
PID: 1004 (2500) C:\Program Files\LTCM Client\ltcmClient.exe
  size: 1540288
  MD5: A6CEDF7C168CFE5605BF632A39529C06
PID: 1192 (2500) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
  size: 98632
  MD5: D91AFB6D2A0DA7539B74FB5838775D94
PID: 2628 (2000) C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
  size: 45056
  MD5: 2FE88C5E0C19928854A6A52BCBE1233A
PID: 3580 ( 840) C:\Windows\System32\mobsync.exe
  size: 95744
  MD5: 9B89B3BB79EA1ACF041F40A7B6FC5827
PID: 2632 (2628) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
  size: 45056
  MD5: 2FE88C5E0C19928854A6A52BCBE1233A
PID: 2652 (2628) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
  size: 45056
  MD5: 2FE88C5E0C19928854A6A52BCBE1233A
PID: 3992 (2500) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
  size: 5365592
  MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 440 ( 4) smss.exe
  size: 64000
PID: 512 ( 500) csrss.exe
  size: 6144
PID: 572 ( 564) csrss.exe
  size: 6144
PID: 580 ( 500) wininit.exe
  size: 96768
PID: 620 ( 580) services.exe
  size: 279552
PID: 652 ( 564) winlogon.exe
  size: 314368
PID: 684 ( 580) lsass.exe
  size: 9728
PID: 692 ( 580) lsm.exe
  size: 229888
PID: 840 ( 620) svchost.exe
  size: 21504
PID: 908 ( 620) svchost.exe
  size: 21504
PID: 1024 ( 620) Ati2evxx.exe
  size: 557056
PID: 1044 ( 620) svchost.exe
  size: 21504
PID: 1072 ( 620) svchost.exe
  size: 21504
PID: 1092 ( 620) svchost.exe
  size: 21504
PID: 1168 (1044) audiodg.exe
  size: 88576
PID: 1196 ( 620) svchost.exe
  size: 21504
PID: 1228 ( 620) SLsvc.exe
  size: 3408896
PID: 1288 ( 620) svchost.exe
  size: 21504
PID: 1412 ( 620) svchost.exe
  size: 21504
PID: 1792 ( 620) spoolsv.exe
  size: 127488
PID: 1816 ( 620) svchost.exe
  size: 21504
PID: 308 ( 620) AOLacsd.exe
PID: 456 ( 620) AppleMobileDeviceService.exe
PID: 480 ( 620) mDNSResponder.exe
PID: 500 ( 620) ccsvchst.exe
PID: 1548 ( 620) svchost.exe
  size: 21504
PID: 2008 ( 620) PRISMXL.SYS
PID: 1984 ( 620) svchost.exe
  size: 21504
PID: 1564 ( 620) svchost.exe
  size: 21504
PID: 1856 ( 620) SearchIndexer.exe
  size: 441344
PID: 2148 (1072) WUDFHost.exe
  size: 142336
PID: 2208 ( 620) XAudio.exe
PID: 2884 (1092) taskeng.exe
  size: 169984
PID: 3452 ( 840) dllhost.exe
  size: 7168
PID: 3936 ( 500) ccsvchst.exe
PID: 2220 ( 620) svchost.exe
  size: 21504
PID: 2948 (1856) SearchProtocolHost.exe
  size: 185344
PID: 3540 (1856) SearchFilterHost.exe
  size: 87552

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 6/11/2010 8:07:35 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.yahoo.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\Windows\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

--- Winsock Layered Service Provider list ---
Namespace Provider 1: E-mail Naming Shim Provider
  GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
  Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
  GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
  Filename:

Namespace Provider 3: PNRP Name Namespace Provider
  GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
  Filename:

--- Uninstall list ---

 

 

--- System Services ---

Service (registry key): .NET CLR Data

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): .NET CLR Networking

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): .NET Data Provider for Oracle

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): .NET Data Provider for SqlServer

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): .NETFramework

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): ACPI

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft ACPI Driver

Image path: system32\drivers\acpi.sys

Image size: 265688

Image MD5: 82B296AE1892FE3DBEE00C9CF92F8AC7

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 3

 

Service (registry key): adp94xx

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\adp94xx.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): adpahci

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\adpahci.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): adpu160m

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\adpu160m.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): adpu320

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\adpu320.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): adsi

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): AeLookupSvc

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\aelupsvc.dll,-1

Description: @%SystemRoot%\system32\aelupsvc.dll,-2

Object name: localSystem

Image path: %systemroot%\system32\svchost.exe -k netsvcs

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

 

Service (registry key): AFD

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Ancilliary Function Driver for Winsock

Description: Ancilliary Function Driver for Winsock

Image path: \SystemRoot\system32\drivers\afd.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 1

Type: 1

Error Control: 1

 

Service (registry key): agp440

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Intel AGP Bus Filter

Image path: \SystemRoot\system32\drivers\agp440.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): aic78xx

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\djsvs.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): ALG

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\Alg.exe,-112

Description: @%SystemRoot%\system32\Alg.exe,-113

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\System32\alg.exe

Image size: 59392

Image MD5: A1545B731579895D8CC44FC0481C1192

Control Set: CurrentControlSet

Start: 3

Type: 16

Error Control: 1

 

Service (registry key): aliide

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\aliide.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 3

 

Service (registry key): amdagp

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: AMD AGP Bus Filter Driver

Image path: \SystemRoot\system32\drivers\amdagp.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): amdide

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\amdide.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 3

 

Service (registry key): AmdK7

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: AMD K7 Processor Driver

Image path: \SystemRoot\system32\drivers\amdk7.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): AmdK8

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: AMD K8 Processor Driver

Image path: \SystemRoot\system32\drivers\amdk8.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): AOL ACS

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: AOL Connectivity Service

Description: Connectivity engine for America Online

Object name: LocalSystem

Image path: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"

Image size: 46640

Image MD5: 85180CF88C5EBAD73B452A43A004CA51

Control Set: CurrentControlSet

Start: 2

Type: 272

Error Control: 1

 

Service (registry key): Appinfo

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\appinfo.dll,-100

Description: @%systemroot%\system32\appinfo.dll,-101

Object name: LocalSystem

Image path: %SystemRoot%\system32\svchost.exe -k netsvcs

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 3

Type: 32

Error Control: 1

Depends On services: RpcSs,ProfSvc

 

Service (registry key): Apple Mobile Device

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Apple Mobile Device

Description: Provides the interface to Apple mobile devices.

Object name: LocalSystem

Image path: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

Image size: 144712

Image MD5: 7E94E567C1AA5ABE6174032B3DAB6C23

Control Set: CurrentControlSet

Start: 2

Type: 16

Error Control: 1

Depends On services: Tcpip

 

Service (registry key): arc

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\arc.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): arcsas

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\arcsas.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): AsyncMac

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: RAS Asynchronous Media Driver

Description: RAS Asynchronous Media Driver

Image path: system32\DRIVERS\asyncmac.sys

Image size: 17408

Image MD5: 53B202ABEE6455406254444303E87BE1

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): atapi

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: IDE Channel

Image path: system32\drivers\atapi.sys

Image size: 19944

Image MD5: 1F05B78AB91C9075565A9D8A4B880BC4

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 3

 

Service (registry key): Ati External Event Utility

Registry path: \SYSTEM\CurrentControlSet\Services\

Object name: LocalSystem

Image path: %SystemRoot%\system32\Ati2evxx.exe

Image size: 557056

Image MD5: CDAB1FB2AC6160EF35B44D6337A04DD4

Control Set: CurrentControlSet

Start: 2

Type: 272

Error Control: 1

 

Service (registry key): Atierecord

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): AudioEndpointBuilder

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\audiosrv.dll,-204

Description: @%SystemRoot%\System32\audiosrv.dll,-205

Object name: LocalSystem

Image path: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: PlugPlay

 

Service (registry key): Audiosrv

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\audiosrv.dll,-200

Description: @%SystemRoot%\System32\audiosrv.dll,-201

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: AudioEndpointBuilder,RpcSs,MMCSS

 

Service (registry key): BattC

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): Beep

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Beep

Control Set: CurrentControlSet

Start: 1

Type: 1

Error Control: 1

 

Service (registry key): BFE

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\bfe.dll,-1001

Description: @%SystemRoot%\system32\bfe.dll,-1002

Object name: NT AUTHORITY\LocalService

Image path: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: RpcSs

 

Service (registry key): BHDrvx86

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: BHDrvx86

Description: SONAR Engine Driver

Image path: \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 1

Type: 1

Error Control: 1

Depends On services: SymEFA,FltMgr,SymDS,SymIRON,ccHP

 

Service (registry key): BITS

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\qmgr.dll,-1000

Description: @%SystemRoot%\system32\qmgr.dll,-1001

Object name: LocalSystem

Image path: %SystemRoot%\System32\svchost.exe -k netsvcs

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: RpcSs,EventSystem

 

Service (registry key): blbdrive

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\blbdrive.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): Bonjour Service

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Bonjour Service

Description: Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start.

Object name: LocalSystem

Image path: "C:\Program Files\Bonjour\mDNSResponder.exe"

Image size: 238888

Image MD5: 3F56903E124E820AEECE6D471583C6C1

Control Set: CurrentControlSet

Start: 2

Type: 16

Error Control: 1

Depends On services: Tcpip

 

Service (registry key): bowser

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Bowser

Description: Implements the datagram receiver for the computer browser browser service.

Image path: system32\DRIVERS\bowser.sys

Image size: 69632

Image MD5: 74B442B2BE1260B7588C136177CEAC66

Control Set: CurrentControlSet

Start: 3

Type: 2

Error Control: 1

 

Service (registry key): BrFiltLo

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Brother USB Mass-Storage Lower Filter Driver

Image path: \SystemRoot\system32\drivers\brfiltlo.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): BrFiltUp

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Brother USB Mass-Storage Upper Filter Driver

Image path: \SystemRoot\system32\drivers\brfiltup.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): Browser

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\browser.dll,-100

Description: @%systemroot%\system32\browser.dll,-101

Object name: LocalSystem

Image path: %SystemRoot%\System32\svchost.exe -k netsvcs

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: LanmanWorkstation,LanmanServer

 

Service (registry key): Brserid

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Brother MFC Serial Port Interface Driver (WDM)

Image path: \SystemRoot\system32\drivers\brserid.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): BrSerWdm

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Brother WDM Serial driver

Image path: \SystemRoot\system32\drivers\brserwdm.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): BrUsbMdm

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Brother MFC USB Fax Only Modem

Image path: \SystemRoot\system32\drivers\brusbmdm.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): BrUsbSer

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Brother MFC USB Serial WDM Driver

Image path: \SystemRoot\system32\drivers\brusbser.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): BTHMODEM

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Bluetooth Serial Communications Driver

Image path: \SystemRoot\system32\drivers\bthmodem.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): BTHPORT

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): ccHP

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Symantec Hash Provider

Image path: \SystemRoot\system32\drivers\N360\0401000.020\ccHPx86.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 1

Type: 1

Error Control: 1

Depends On services: SymEFA

 

Service (registry key): cdfs

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: CD/DVD File System Reader

Description: ISO9660/Joliet File System Reader for CD/DVDs. (Core) (All pieces)

Image path: system32\DRIVERS\cdfs.sys

Image size: 70144

Image MD5: 7ADD03E75BEB9E6DD102C3081D29840A

Control Set: CurrentControlSet

Start: 4

Type: 2

Error Control: 1

Depends On group: "SCSI CDROM Class"

 

Service (registry key): cdrom

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: CD-ROM Driver

Image path: system32\DRIVERS\cdrom.sys

Image size: 67072

Image MD5: 6B4BFFB9BECD728097024276430DB314

Control Set: CurrentControlSet

Start: 1

Type: 1

Error Control: 1

 

Service (registry key): CertPropSvc

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\System32\certprop.dll,-11

Description: @%SystemRoot%\System32\certprop.dll,-12

Object name: LocalSystem

Image path: %SystemRoot%\system32\svchost.exe -k netsvcs

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 3

Type: 32

Error Control: 1

Depends On services: RpcSs

 

Service (registry key): circlass

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Consumer IR Devices

Image path: \SystemRoot\system32\drivers\circlass.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): CLFS

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Common Log (CLFS)

Description: Common Log (CLFS)

Image path: System32\CLFS.sys

Image size: 245736

Image MD5: D7659D3B5B92C31E84E53C1431F35132

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 3

 

Service (registry key): clr_optimization_v2.0.50727_32

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft .NET Framework NGEN v2.0.50727_X86

Description: Microsoft .NET Framework NGEN

Object name: LocalSystem

Image path: %systemroot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Image size: 66368

Image MD5: 8EE772032E2FE80A924F3B8DD5082194

Control Set: CurrentControlSet

Start: 3

Type: 16

Error Control: 0

 

Service (registry key): CmBatt

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft ACPI Control Method Battery Driver

Image path: system32\DRIVERS\CmBatt.sys

Image size: 14208

Image MD5: 0FED59EDB4A83FF17F1778827B88AB1A

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): cmdide

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\cmdide.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 3

 

Service (registry key): Compbatt

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft Composite Battery Driver

Image path: system32\DRIVERS\compbatt.sys

Image size: 20792

Image MD5: 6AFEF0B60FA25DE07C0968983EE4F60A

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 3

 

Service (registry key): COMSysApp

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @comres.dll,-947

Description: @comres.dll,-948

Object name: LocalSystem

Image path: %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Image size: 7168

Image MD5: BE01E566D1F569AAB32D0335613E1EEA

Control Set: CurrentControlSet

Start: 3

Type: 16

Error Control: 1

Depends On services: RpcSs,EventSystem,SENS

 

Service (registry key): crcdisk

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Crcdisk Filter Driver

Image path: system32\drivers\crcdisk.sys

Image size: 22632

Image MD5: 2A213AE086BBEC5E937553C7D9A2B22C

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 1

 

Service (registry key): Crusoe

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Transmeta Crusoe Processor Driver

Image path: \SystemRoot\system32\drivers\crusoe.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): crypt32

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): CryptSvc

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\cryptsvc.dll,-1001

Description: @%SystemRoot%\system32\cryptsvc.dll,-1002

Object name: NT Authority\NetworkService

Image path: %SystemRoot%\system32\svchost.exe -k NetworkService

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: RpcSs

 

Service (registry key): DCLocator

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): DcomLaunch

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @oleres.dll,-5012

Description: @oleres.dll,-5013

Object name: LocalSystem

Image path: %SystemRoot%\system32\svchost.exe -k DcomLaunch

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

 

Service (registry key): DfsC

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\drivers\dfsc.sys,-101

Description: @%systemroot%\system32\drivers\dfsc.sys,-102

Image path: System32\Drivers\dfsc.sys

Image size: 75264

Image MD5: 218D8AE46C88E82014F5D73D0236D9B2

Control Set: CurrentControlSet

Start: 1

Type: 2

Error Control: 1

Depends On services: Mup

 

Service (registry key): DFSR

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @dfsrres.dll,-101

Description: @dfsrres.dll,-102

Object name: LocalSystem

Image path: %SystemRoot%\system32\DFSR.exe

Image size: 2092544

Image MD5: 2CC3DCFB533A1035B13DCAB6160AB38B

Control Set: CurrentControlSet

Start: 3

Type: 16

Error Control: 1

Depends On services: RpcSs,EventSystem

 

Service (registry key): Dhcp

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\dhcpcsvc.dll,-100

Description: @%SystemRoot%\system32\dhcpcsvc.dll,-101

Object name: NT Authority\LocalService

Image path: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: NSI,Tdx,Afd

 

Service (registry key): disk

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Disk Driver

Image path: system32\drivers\disk.sys

Image size: 53736

Image MD5: 5D4AEFC3386920236A548271F8F1AF6A

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 1

 

Service (registry key): Dnscache

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\System32\dnsapi.dll,-101

Description: @%SystemRoot%\System32\dnsapi.dll,-102

Object name: NT AUTHORITY\NetworkService

Image path: %SystemRoot%\system32\svchost.exe -k NetworkService

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: Tdx

 

Service (registry key): dot3svc

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\dot3svc.dll,-1102

Description: @%systemroot%\system32\dot3svc.dll,-1103

Object name: localSystem

Image path: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 3

Type: 32

Error Control: 1

Depends On services: RpcSs,Ndisuio,Eaphost

 

Service (registry key): DPS

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\dps.dll,-500

Description: @%systemroot%\system32\dps.dll,-501

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

 

Service (registry key): drmkaud

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft Kernel DRM Audio Descrambler

Image path: system32\drivers\drmkaud.sys

Image size: 5632

Image MD5: 97FEF831AB90BEE128C9AF390E243F80

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): DXGKrnl

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: LDDM Graphics Subsystem

Description: Controls the underlying video driver stacks to provide fully-featured display capabilities.

Image path: \SystemRoot\System32\drivers\dxgkrnl.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 0

 

Service (registry key): E1G60

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Intel® PRO/1000 NDIS 6 Adapter Driver

Image path: system32\DRIVERS\E1G60I32.sys

Image size: 117760

Image MD5: F88FB26547FD2CE6D0A5AF2985892C48

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): EapHost

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\eapsvc.dll,-1

Description: @%systemroot%\system32\eapsvc.dll,-2

Object name: localSystem

Image path: %SystemRoot%\System32\svchost.exe -k netsvcs

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 3

Type: 32

Error Control: 1

Depends On services: RPCSS,KeyIso

 

Service (registry key): Ecache

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: ReadyBoost Caching Driver

Description: ReadyBoost Caching Driver

Image path: System32\drivers\ecache.sys

Image size: 141288

Image MD5: 7F64EA048DCFAC7ACF8B4D7B4E6FE371

Control Set: CurrentControlSet

Start: 0

Type: 1

Error Control: 3

 

Service (registry key): eeCtrl

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Symantec Eraser Control driver

Image path: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 1

Type: 1

Error Control: 1

Depends On services: FltMgr

 

Service (registry key): elxstor

Registry path: \SYSTEM\CurrentControlSet\Services\

Image path: \SystemRoot\system32\drivers\elxstor.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): EmdCache

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): EMDMgmt

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\emdmgmt.dll,-1000

Description: @%SystemRoot%\system32\emdmgmt.dll,-1001

Object name: LocalSystem

Image path: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 0

Depends On services: rpcss,ecache,slsvc,fileinfo

 

Service (registry key): EraserUtilRebootDrv

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: EraserUtilRebootDrv

Image path: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): ESENT

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 0

Type: 0

Error Control: 0

 

Service (registry key): Eventlog

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\wevtsvc.dll,-200

Description: @%SystemRoot%\system32\wevtsvc.dll,-201

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

 

Service (registry key): EventSystem

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @comres.dll,-2450

Description: @comres.dll,-2451

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\system32\svchost.exe -k LocalService

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: rpcss

 

Service (registry key): exfat

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: exFAT File System Driver

Description: exFAT File System Driver

Control Set: CurrentControlSet

Start: 3

Type: 2

Error Control: 1

 

Service (registry key): fastfat

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: FAT12/16/32 File System Driver

Description: Note - dependance on CDROM.SYS only if required to read/write DVD-RAM media (which appears as CD class device). (Core) (All pieces)

Control Set: CurrentControlSet

Start: 3

Type: 2

Error Control: 1

 

Service (registry key): fdc

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Floppy Disk Controller Driver

Image path: system32\DRIVERS\fdc.sys

Image size: 25088

Image MD5: AFE1E8B9782A0DD7FB46BBD88E43F89A

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): fdPHost

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\fdPHost.dll,-100

Description: @%systemroot%\system32\fdPHost.dll,-101

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\system32\svchost.exe -k LocalService

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 3

Type: 32

Error Control: 1

Depends On services: RpcSs,http

 

Service (registry key): FDResPub

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\fdrespub.dll,-100

Description: @%systemroot%\system32\fdrespub.dll,-101

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\system32\svchost.exe -k LocalService

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 32

Error Control: 1

Depends On services: RpcSs,http

 

Service (registry key): FileInfo

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: File Information FS MiniFilter

Description: Collects information about files in memory to be consumed by other system services.

Image path: system32\drivers\fileinfo.sys

Image size: 58936

Image MD5: A8C0139A884861E3AAE9CFE73B208A9F

Control Set: CurrentControlSet

Start: 0

Type: 2

Error Control: 1

Depends On services: fltmgr

 

Service (registry key): Filetrace

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: FileTrace

Description: ETW File Trace Filter

Image path: system32\drivers\filetrace.sys

Image size: 27648

Image MD5: 0AE429A696AECBC5970E3CF2C62635AE

Control Set: CurrentControlSet

Start: 3

Type: 2

Error Control: 1

Depends On services: FltMgr

 

Service (registry key): flpydisk

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Floppy Disk Driver

Image path: system32\DRIVERS\flpydisk.sys

Image size: 20480

Image MD5: 6603957EFF5EC62D25075EA8AC27DE68

Control Set: CurrentControlSet

Start: 4

Type: 1

Error Control: 1

 

Service (registry key): FltMgr

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: FltMgr

Description: File System Filter Manager Driver

Image path: system32\drivers\fltmgr.sys

Image size: 190424

Image MD5: 01334F9EA68E6877C4EF05D3EA8ABB05

Control Set: CurrentControlSet

Start: 0

Type: 2

Error Control: 3

 

Service (registry key): FontCache

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%systemroot%\system32\FntCache.dll,-100

Description: @%systemroot%\system32\FntCache.dll,-101

Object name: NT AUTHORITY\LocalService

Image path: %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 3

Type: 32

Error Control: 1

 

Service (registry key): FontCache3.0.0.0

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @%SystemRoot%\system32\PresentationHost.exe,-3309

Description: @%SystemRoot%\system32\PresentationHost.exe,-3310

Object name: NT Authority\LocalService

Image path: %systemroot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

Image size: 43904

Image MD5: C7FBDD1ED42F82BFA35167A5C9803EA3

Control Set: CurrentControlSet

Start: 3

Type: 16

Error Control: 1

 

Service (registry key): Fs_Rec

Registry path: \SYSTEM\CurrentControlSet\Services\

Control Set: CurrentControlSet

Start: 1

Type: 8

Error Control: 0

 

Service (registry key): gagp30kx

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms

Image path: \SystemRoot\system32\drivers\gagp30kx.sys

Image size: 0

Image MD5: D41D8CD98F00B204E9800998ECF8427E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): GEARAspiWDM

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: GEAR ASPI Filter Driver

Image path: system32\DRIVERS\GEARAspiWDM.sys

Image size: 26600

Image MD5: 8182FF89C65E4D38B2DE4BB0FB18564E

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): gpsvc

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: @gpapi.dll,-112

Description: @gpapi.dll,-113

Object name: LocalSystem

Image path: %windir%\system32\svchost.exe -k GPSvcGroup

Image size: 21504

Image MD5: 3794B461C45882E06856F282EEF025AF

Control Set: CurrentControlSet

Start: 2

Type: 16

Error Control: 1

Depends On services: RPCSS,Mup

 

Service (registry key): HdAudAddService

Registry path: \SYSTEM\CurrentControlSet\Services\

Display name: Microsoft 1.1 UAA Function Driver for High Definition Audio Service

Image path: system32\drivers\HdAudio.sys

Image size: 235520

Image MD5: CB04C744BE0A61B1D648FAED182C3B59

Control Set: CurrentControlSet

Start: 3

Type: 1

Error Control: 1

 

Service (registry key): HDAudBus

Registry path: \SYSTEM\CurrentControlSet\Services

I ran DDS and have DDS.txt and Attach.txt

 

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by belanger #2 at 21:12:44.88 on Fri 06/11/2010

Internet Explorer: 8.0.6001.18904

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.445.105 [GMT -4:00]

 

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

SP: McAfee VirusScan *enabled* (Outdated) {C78B3C70-4777-4742-BB91-9D615CC575E6}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

 

============== Running Processes ===============

 

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\LTCM Client\ltcmClient.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

svchost.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

F:\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

BHO: {046faff5-e7cd-4ade-ac6d-472e0ee0d723} - c:\programdata\brcoinst32.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.1.0.32\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.1.0.32\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll

TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.1.0.32\coIEPlg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [RTHDBPL] c:\users\belang~1\appdata\local\temp\51FA.tmp

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\users\belang~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\windows\system32\findnetprinters32.dll

 

============= SERVICES / DRIVERS ===============

 

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-5-20 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-5-20 172592]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-5-20 501888]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100513.002\IDSvix86.sys [2010-5-20 343088]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-5-20 116784]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-5-20 340016]

R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.1.0.32\ccsvchst.exe [2010-5-20 126392]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-11 102448]

S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-24 21504]

S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

 

=============== Created Last 30 ================

 

 

==================== Find3M ====================

 

 

============= FINISH: 21:18:18.82 ===============

 

 

 

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-03-17.01)

 

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume2

Install Date: 12/16/2006 4:39:36 PM

System Uptime: 6/11/2010 7:02:27 PM (2 hours ago)

 

Motherboard: Intel Corporation | | D102GGC2

Processor: Intel® Pentium® 4 CPU 3.00GHz | LGA 775 | 3000/200mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 141 GiB total, 112.004 GiB free.

D: is FIXED (NTFS) - 9 GiB total, 3.66 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

 

==== Disabled Device Manager Items =============

 

==== System Restore Points ===================

 

No restore point in system.

 

==== Installed Programs ======================

 

Activation Assistant for the 2007 Microsoft Office suites

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0.8

AOL Uninstaller (Choose which Products to Remove)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI Catalyst Control Center Ex

ATI Catalyst Install Manager

Bonjour

Browser Address Error Redirector

Comcast High-Speed Internet Install Wizard

eMachines Recovery Center Installer

Epson CreativeZone

Epson Easy Photo Print 2

EPSON NX410 Series Printer Uninstall

EPSON Scan

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

iTunes

Java SE Runtime Environment 6

LTCM Client

Malwarebytes' Anti-Malware

Microsoft .NET Framework 3.5 SP1

Microsoft Digital Image Library 9 - Blocker

Microsoft Digital Image Starter Edition 2006

Microsoft Digital Image Starter Edition 2006 Editor

Microsoft Digital Image Starter Edition 2006 Library

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Small Business Edition 2003

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Norton Security Suite

Power2Go 5.0

QuickTime

Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista

Realtek High Definition Audio Driver

RTC Client API v1.2

Safari

Soft Data Fax Modem with SmartCP

Spybot - Search & Destroy

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Viewpoint Media Player

 

==== Event Viewer Messages From Past Week ========

 

6/7/2010 7:56:26 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP

6/7/2010 7:55:34 PM, Error: EventLog [6008] - The previous system shutdown at 7:52:03 PM on 6/7/2010 was unexpected.

6/7/2010 7:44:57 PM, Error: Service Control Manager [7022] - The Windows Mobile-based device connectivity service hung on starting.

6/6/2010 12:54:52 PM, Error: EventLog [6008] - The previous system shutdown at 8:13:08 PM on 6/4/2010 was unexpected.

6/6/2010 1:17:47 PM, Error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

6/6/2010 1:08:04 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:05:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

6/6/2010 1:05:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

6/6/2010 1:05:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/6/2010 1:04:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

6/6/2010 1:04:07 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP DfsC eeCtrl IDSVix86 NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr SRTSP SRTSPX SymIRON SYMTDIv tdx Wanarpv6

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

6/6/2010 1:04:07 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

6/6/2010 1:02:56 PM, Error: EventLog [6008] - The previous system shutdown at 1:00:14 PM on 6/6/2010 was unexpected.

6/4/2010 8:09:03 PM, Error: EventLog [6008] - The previous system shutdown at 8:05:38 PM on 6/4/2010 was unexpected.

6/11/2010 7:12:40 PM, Error: Service Control Manager [7022] - The TPM Base Services service hung on starting.

6/11/2010 7:10:40 PM, Error: Service Control Manager [7022] - The KtmRm for Distributed Transaction Coordinator service hung on starting.

6/11/2010 7:08:19 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

6/11/2010 7:05:29 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

6/11/2010 6:20:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Update for Windows Vista (KB981793).

6/11/2010 6:09:08 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB981793 (Update) into Resolving(Resolving) state

6/11/2010 6:09:08 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB981793 (Update) into Absent(Absent) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-694_neutral_GDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-693_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-692_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-607_neutral_GDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-606_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-605_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-253_neutral_GDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-252_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-251_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-166_neutral_GDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-165_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:58 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 981793-164_neutral_LDR from package KB981793(Update) into Resolving(Resolving) state

6/11/2010 6:08:02 PM, Error: netbt [4307] - Initialization failed because the transport refused to open initial addresses.

6/11/2010 6:08:02 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0019D13E18E3. The following error occurred: The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

6/11/2010 6:05:10 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Update for Internet Explorer 8 Compatibility View List for Windows Vista (KB982632).

6/11/2010 6:04:57 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB982632 (Update) into Resolving(Resolving) state

6/11/2010 6:04:57 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB982632 (Update) into Absent(Absent) state

6/11/2010 6:03:13 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 982632-2_neutral_GDR from package KB982632(Update) into Resolving(Resolving) state

6/11/2010 6:03:11 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 982632-1_neutral_LDR from package KB982632(Update) into Resolving(Resolving) state

6/11/2010 5:59:32 PM, Error: volsnap [20] - The shadow copies of volume C: were aborted because of a failed free space computation.

6/11/2010 5:50:45 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt SRTSP

6/11/2010 5:50:11 PM, Error: EventLog [6008] - The previous system shutdown at 8:01:23 PM on 6/7/2010 was unexpected.

6/11/2010 5:49:58 PM, Error: SRTSP [5] - Error loading Symantec real time Anti-Virus driver.

6/11/2010 5:49:58 PM, Error: SRTSP [4] - Error loading virus definitions.

 

==== End Of File ===========================

Juliet   

Which antivirus are you using?

I see McAfee and Norton. We'll have to get this down to just one antivirus program in order for scans and tools to work properly.

I can see MBAM ran and deleted a few things that might still be showing in the logs.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.

Click on Tools, General Settings.

Scroll down and uncheck Turn on real-time protection (recommended).

After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete, it is very important that you enable Real-time Protection again.

======================================================================

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\ProgramData\brcoinst32.dll

O4 - HKCU\..\Run: [RTHDBPL] C:\Users\BELANG~1\AppData\Local\Temp\51FA.tmp

Now reboot the computer.

Please post a new DDS.txt and give me details as to what the computer is doing now.

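The two HJT entries picked out above share a shape that can be checked mechanically: a BHO with no name whose DLL sits in ProgramData, a Run value that launches a .tmp file out of the user's Temp folder, and an AppInit_DLLs value (which injects its DLLs into every process that loads user32.dll). The script below is an added example for this thread, not a HijackThis, DDS or forum tool; it parses a few constructed lines in the DDS "Pseudo HJT Report" layout (modelled on the ones posted) and reports the load points worth a second look. The list of user-writable directories and the expansion of 8.3 short names such as progra~1 are assumptions.

```python
"""Triage of HijackThis-style load points (BHO, Run, AppInit_DLLs).

Added example for this thread; it is not a HijackThis, DDS or forum tool.
The sample lines are constructed to mirror the shapes in the posted logs, and
the location heuristics (which directories a dropper can write to, how 8.3
short names expand) are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS "Pseudo HJT Report" layout.
SAMPLE_LINES = r"""
BHO: {046faff5-e7cd-4ade-ac6d-472e0ee0d723} - c:\programdata\brcoinst32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [RTHDBPL] C:\Users\BELANG~1\AppData\Local\Temp\51FA.tmp
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\windows\system32\findnetprinters32.dll
"""

BHO_RE = re.compile(r"^BHO:\s*(?:(?P<name>[^{]*?):\s*)?\{(?P<clsid>[0-9a-f-]+)\}\s*-\s*(?P<path>.+)$", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.+)$", re.I)
# First module on a command line, quoted or not, up to a known executable extension.
MODULE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|tmp|scr|com|bat))"?', re.I)

# Directories a non-admin process can write to (assumed heuristic).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\", "\\docume~1\\")


@dataclass
class Finding:
    kind: str            # "BHO", "Run" or "AppInit_DLLs"
    name: str
    path: str            # as it appeared in the log
    reasons: list = field(default_factory=list)


def _normalize(path: str) -> str:
    """Lower-case and expand the short names / variables seen in these logs (assumed mapping)."""
    p = path.strip().strip('"').lower()
    return p.replace("progra~1", "program files").replace("%programfiles%", "c:\\program files")


def _path_reasons(path: str) -> list:
    p = _normalize(path)
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("module lives in a user-writable directory")
    if p.endswith(".tmp"):
        reasons.append("load point runs a file with a .tmp extension")
    return reasons


def triage(text: str) -> list:
    """Return one Finding per load point that deserves a look; clean entries are dropped."""
    findings = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            reasons = [] if m.group("name") else ["BHO registered with no name"]
            reasons += _path_reasons(m.group("path"))
            if reasons:
                findings.append(Finding("BHO", m.group("name") or "(no name)", m.group("path"), reasons))
        elif m := RUN_RE.match(line):
            mod = MODULE_RE.match(m.group("cmd"))
            path = mod.group("path") if mod else m.group("cmd")
            reasons = _path_reasons(path)
            if reasons:
                findings.append(Finding("Run", m.group("name"), path, reasons))
        elif m := APPINIT_RE.match(line):
            # Anything here is injected into every process that loads user32.dll, so always report it.
            for dll in m.group("dlls").split(","):
                reasons = ["listed in AppInit_DLLs"] + _path_reasons(dll)
                findings.append(Finding("AppInit_DLLs", "", dll.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:<12} {f.path}\n    " + "; ".join(f.reasons))
```

On the constructed sample this reports the unnamed BHO in ProgramData, the RTHDBPL Run value pointing at a .tmp in Temp, and both AppInit_DLLs entries; the Adobe BHO and the Symantec and Defender Run values are not reported. An AppInit_DLLs entry under Program Files (here the Google one) still needs a human decision, which is why that key is reported unconditionally rather than filtered by path.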

Ok, I did the original MBAM, Spybot, and HJT scans under a Vista username that wasn't the administrator. These new logs were taken when running Vista under the administrator username.

Norton and McAfee have been removed. It's now using Symantec Antivirus. Before the scans I turned off Real-Time Protection on Windows Defender and I turned off Auto-Protect on Symantec Antivirus. I also removed the items in HJT that you recommended.

Before I did any of this, however, I couldn't properly log onto Windows. I would get to the welcome screen, select the user, and as it was "Preparing Desktop", Windows Explorer would shut down. I had to restart it manually by going to Task Manager and starting explorer.exe. This is not occurring anymore after removing Norton and McAfee and installing Symantec.

The computer is running very slow. It only has 512 MB of RAM and I suspect that may be part of it. The other part would be any malicious content still on it.

Enclosed is DDS.txt first and then Attach.txt.

 

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by steve at 12:11:48.45 on Sun 06/13/2010

Internet Explorer: 8.0.6001.18904

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.445.65 [GMT -4:00]

 

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

 

============== Running Processes ===============

 

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\RacAgent.exe

C:\Users\steve\Desktop\dds.scr

C:\Windows\system32\wbem\wmiprvse.exe

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

BHO: {046faff5-e7cd-4ade-ac6d-472e0ee0d723} - c:\programdata\brcoinst32.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll

BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll

TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

uRun: [EPSON NX410 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifca.exe /fu "c:\windows\temp\E_SA83F.tmp" /EF "HKCU"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\windows\system32\findnetprinters32.dll

 

============= SERVICES / DRIVERS ===============

 

 

=============== Created Last 30 ================

 

2010-06-13 14:43:22 321024 ----a-w- c:\programdata\dmocx32.dll

2010-06-13 14:18:21 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-13 14:18:21 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-13 14:18:21 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-13 14:13:38 0 d-----w- c:\program files\Symantec

2010-06-13 14:13:16 0 d-----w- c:\programdata\Symantec

2010-06-13 14:13:16 0 d-----w- c:\program files\Symantec AntiVirus

2010-06-13 14:13:16 0 d-----w- c:\program files\common files\Symantec Shared

2010-06-11 22:36:40 0 d-----w- c:\program files\Trend Micro

2010-06-11 22:32:12 0 d-----w- c:\programdata\Spybot - Search & Destroy

2010-06-11 22:32:12 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-11 22:27:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-11 22:26:59 0 d-----w- c:\programdata\Malwarebytes

2010-06-11 22:26:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-11 22:26:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-11 22:23:18 2048 ----a-w- c:\windows\system32\tzres.dll

2010-06-07 23:52:02 524288 --sha-w- c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TMContainer00000000000000000002.regtrans-ms

2010-06-07 23:52:00 524288 --sha-w- c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TMContainer00000000000000000001.regtrans-ms

2010-06-07 23:51:58 65536 --sha-w- c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TM.blf

2010-06-06 17:30:10 0 d-----w- C:\N360_BACKUP

2010-05-20 16:57:54 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-05-20 16:57:54 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-20 16:54:47 0 d-----w- c:\programdata\NortonInstaller

2010-05-20 16:46:01 0 d-----w- c:\programdata\Norton

2010-05-17 02:02:04 283648 ----a-w- c:\programdata\AuxiliaryDisplayClassInstaller32.dll

2010-05-16 23:01:54 283648 ----a-w- c:\programdata\devmgr32.dll

2010-05-16 22:01:56 283648 ----a-w- c:\programdata\DfsShlEx32.dll

2010-05-16 12:01:49 283648 ----a-w- c:\programdata\dataclen32.dll

2010-05-16 08:01:27 283648 ----a-w- c:\programdata\cic32.dll

2010-05-16 07:01:20 283648 ----a-w- c:\programdata\CddbLangDE32.dll

2010-05-16 01:01:07 283648 ----a-w- c:\programdata\axaltocm32.dll

2010-05-15 22:01:09 283648 ----a-w- c:\programdata\batmeter32.dll

2010-05-15 21:00:59 283648 ----a-w- c:\programdata\diagperf32.dll

2010-05-15 18:00:56 283648 ----a-w- c:\programdata\DfrgRes32.dll

2010-05-15 16:00:52 283648 ----a-w- c:\programdata\dbnetlib32.dll

2010-05-15 15:00:52 283648 ----a-w- c:\programdata\DDACLSys32.dll

2010-05-15 11:00:48 283648 ----a-w- c:\programdata\d3d8thk32.dll

2010-05-15 08:00:35 283648 ----a-w- c:\programdata\colorui32.dll

2010-05-15 07:00:32 283648 ----a-w- c:\programdata\cmpbk3232.dll

2010-05-15 05:00:34 283648 ----a-w- c:\programdata\cofiredm32.dll

2010-05-15 04:00:27 283648 ----a-w- c:\programdata\chsbrkr32.dll

2010-05-15 03:00:26 283648 ----a-w- c:\programdata\cewmdm32.dll

2010-05-15 02:00:25 283648 ----a-w- c:\programdata\certmgr32.dll

2010-05-15 00:00:20 283648 ----a-w- c:\programdata\catsrvps32.dll

2010-05-14 23:00:17 283648 ----a-w- c:\programdata\bthci32.dll

2010-05-14 22:00:15 283648 ----a-w- c:\programdata\brcoinst32.dll

2010-05-14 21:00:14 283648 ----a-w- c:\programdata\blackbox32.dll

2010-05-14 20:00:12 283648 ----a-w- c:\programdata\bidispl32.dll

2010-05-14 19:00:10 283648 ----a-w- c:\programdata\bae32.dll

2010-05-14 18:00:07 283648 ----a-w- c:\programdata\avifil3232.dll

2010-05-14 17:00:03 283648 ----a-w- c:\programdata\AudioSes32.dll

 

==================== Find3M ====================

 

2010-05-14 16:00:05 283648 ----a-w- c:\programdata\authui32.dll

2010-05-14 15:00:04 283648 ----a-w- c:\programdata\AuthFWGP32.dll

2010-05-14 12:59:59 283648 ----a-w- c:\programdata\iassvcs32.dll

2010-05-14 10:59:56 283648 ----a-w- c:\programdata\iasdatastore32.dll

2010-05-14 09:59:57 283648 ----a-w- c:\programdata\iasnap32.dll

2010-05-14 08:59:53 283648 ----a-w- c:\programdata\HotStartUserAgent32.dll

2010-05-14 07:59:47 283648 ----a-w- c:\programdata\gptext32.dll

2010-05-14 06:59:49 283648 ----a-w- c:\programdata\halmacpi32.dll

2010-05-14 02:59:43 284160 ----a-w- c:\programdata\FwRemoteSvr32.dll

2010-05-14 01:59:41 284160 ----a-w- c:\programdata\framedyn32.dll

2010-05-14 00:59:38 284160 ----a-w- c:\programdata\fltLib32.dll

2010-05-13 21:59:33 284160 ----a-w- c:\programdata\fdBth32.dll

2010-05-13 19:59:30 284160 ----a-w- c:\programdata\esentprf32.dll

2010-05-13 18:59:44 284160 ----a-w- c:\programdata\GameUXLegacyGDFs32.dll

2010-05-13 17:59:32 284160 ----a-w- c:\programdata\E_FD4BFCA32.dll

2010-05-13 16:59:32 284160 ----a-w- c:\programdata\evr32.dll

2010-05-13 15:59:29 284160 ----a-w- c:\programdata\EpPicPrt32.dll

2010-05-13 14:59:26 284160 ----a-w- c:\programdata\EAPQEC32.dll

2010-05-13 13:59:17 284160 ----a-w- c:\programdata\ds16gt32.dll

2010-05-13 12:14:44 284160 ----a-w- c:\programdata\DHCPQEC32.dll

2010-05-13 06:17:36 284160 ----a-w- c:\programdata\ddrawex32.dll

2010-05-13 05:17:29 284160 ----a-w- c:\programdata\d3d10core32.dll

2010-05-13 03:17:27 284160 ----a-w- c:\programdata\ctl3dv232.dll

2010-05-13 01:17:24 284160 ----a-w- c:\programdata\cryptdlg32.dll

2010-05-12 23:17:23 284160 ----a-w- c:\programdata\credui32.dll

2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-04-11 19:07:16 203776 --sh--w- c:\programdata\unrar.exe

2010-03-30 22:57:40 203264 ----a-w- c:\windows\system32\fltLib32.dll

2010-03-30 22:57:39 130048 ----a-w- c:\windows\system32\findnetprinters32.dll

2009-11-17 08:21:25 665600 ----a-w- c:\windows\inf\drvindex.dat

2009-11-17 08:21:25 51200 ----a-w- c:\windows\inf\infpub.dat

2009-11-17 08:21:24 86016 ----a-w- c:\windows\inf\infstor.dat

2009-11-17 08:21:24 143360 ----a-w- c:\windows\inf\infstrng.dat

2008-11-10 01:23:27 174 --sha-w- c:\program files\desktop.ini

2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-10-15 18:45:39 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-10-15 07:18:17 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

 

============= FINISH: 12:22:01.31 ===============

 

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-03-17.01)

 

 

==== Installed Programs ======================

 

Activation Assistant for the 2007 Microsoft Office suites

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0.8

AOL Uninstaller (Choose which Products to Remove)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI Catalyst Control Center Ex

ATI Catalyst Install Manager

Bonjour

Browser Address Error Redirector

Comcast High-Speed Internet Install Wizard

eMachines Recovery Center Installer

Epson CreativeZone

Epson Easy Photo Print 2

EPSON NX410 Series Printer Uninstall

EPSON Scan

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

iTunes

Java SE Runtime Environment 6

LiveUpdate 3.3 (Symantec Corporation)

LTCM Client

Malwarebytes' Anti-Malware

Microsoft .NET Framework 3.5 SP1

Microsoft Digital Image Library 9 - Blocker

Microsoft Digital Image Starter Edition 2006

Microsoft Digital Image Starter Edition 2006 Editor

Microsoft Digital Image Starter Edition 2006 Library

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Small Business Edition 2003

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Power2Go 5.0

QuickTime

Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista

Realtek High Definition Audio Driver

RTC Client API v1.2

Safari

Soft Data Fax Modem with SmartCP

Spybot - Search & Destroy

Symantec AntiVirus

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Viewpoint Media Player

 

==== End Of File ===========================

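The most telling part of the DDS listing above is not any single file but the pattern: dozens of DLLs in c:\programdata, every one exactly 283648 or 284160 bytes, each named after a real Windows DLL with "32" appended, created roughly an hour apart. That is a dropper re-writing one payload under fresh names, and it is easy to surface by grouping the listing by directory and exact size. The script below is an added example for this thread, not a DDS, ComboFix or forum tool; it parses a constructed listing (modelled on the lines posted, including one ComboFix-style line with two timestamps), reports same-size clusters, and separately reports hidden+system files in user-writable locations, which is how the --sh--w- unrar.exe and the --sha-w- .tmp files stand out. The set of user-writable directories and the allowlist of hidden files Windows normally keeps in a profile are assumptions.

```python
"""Cluster the 'Created Last 30' / Find3M file listing out of a DDS log.

Added example for this thread; it is not a DDS, ComboFix or forum tool.  The
listing below is constructed to mimic the posted log (DDS lines plus one
ComboFix-style line carrying two timestamps).  Which directories count as
user-writable and which hidden+system files are normal there are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LISTING = r"""
2010-06-13 14:43:22 321024 ----a-w- c:\programdata\dmocx32.dll
2010-06-13 14:18:21 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-13 14:13:16 0 d-----w- c:\program files\Symantec AntiVirus
2010-06-11 22:26:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 23:51:58 65536 --sha-w- c:\users\steve\ntuser.dat{8f3286c3-728d-11df-9fda-00038a000015}.TM.blf
2010-05-16 23:01:54 283648 ----a-w- c:\programdata\devmgr32.dll
2010-05-16 22:01:56 283648 ----a-w- c:\programdata\DfsShlEx32.dll
2010-05-16 12:01:49 283648 ----a-w- c:\programdata\dataclen32.dll
2010-05-16 08:01:27 283648 ----a-w- c:\programdata\cic32.dll
2010-05-16 07:01:20 283648 ----a-w- c:\programdata\CddbLangDE32.dll
2010-05-14 02:59:43 284160 ----a-w- c:\programdata\FwRemoteSvr32.dll
2010-05-14 01:59:41 284160 ----a-w- c:\programdata\framedyn32.dll
2010-05-14 00:59:38 284160 ----a-w- c:\programdata\fltLib32.dll
2010-04-11 19:07:16 203776 --sh--w- c:\programdata\unrar.exe
2010-06-13 14:43 . 2010-06-13 14:43 1107968 --sha-w- c:\users\steve\AppData\Roaming\276A.tmp
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"     # ComboFix appends a modified time
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")
# Hidden+system files that are normal in profile directories (assumed allowlist).
NORMAL_HIDDEN = re.compile(r"^(desktop\.ini|thumbs\.db|index\.dat|ntuser\.dat.*)$", re.I)


@dataclass
class Entry:
    created: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class Cluster:
    directory: str
    size: int
    count: int
    first: datetime
    last: datetime
    names: list


def _parse_ts(s: str) -> datetime:
    fmt = "%Y-%m-%d %H:%M:%S" if s.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(s, fmt)


def parse_entries(text: str) -> list:
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = int(m.group("size")) if m.group("size").isdigit() else 0
        entries.append(Entry(_parse_ts(m.group("created")), size, m.group("attrs"), m.group("path")))
    return entries


def find_clusters(entries: list, min_members: int = 3) -> list:
    """Files in one directory sharing one exact size: a dropper re-writing itself under new names."""
    groups = defaultdict(list)
    for e in entries:
        if not e.is_dir and e.size > 0:
            groups[(e.directory, e.size)].append(e)
    clusters = []
    for (directory, size), members in groups.items():
        if len(members) >= min_members:
            times = sorted(m.created for m in members)
            clusters.append(Cluster(directory, size, len(members), times[0], times[-1],
                                    sorted(m.basename for m in members)))
    return sorted(clusters, key=lambda c: c.count, reverse=True)


def find_hidden_in_user_dirs(entries: list) -> list:
    """Hidden+system files under user-writable paths, minus the ones Windows itself keeps there."""
    out = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or "s" not in e.attrs or "h" not in e.attrs:
            continue
        if any(marker in p for marker in USER_WRITABLE) and not NORMAL_HIDDEN.match(e.basename):
            out.append(e)
    return out


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LISTING)
    for c in find_clusters(entries):
        print(f"{c.count} files of {c.size} bytes in {c.directory} between {c.first} and {c.last}: {', '.join(c.names)}")
    for e in find_hidden_in_user_dirs(entries):
        print(f"hidden+system in user-writable path: {e.path} ({e.attrs}, {e.size} bytes)")
```

Once a cluster is known, every member is a candidate for the same family, and the load points in the Pseudo HJT report (the BHO CLSID resolving to brcoinst32.dll, the two AppInit_DLLs entries) can be matched against the cluster's names; the single-size rule is deliberately strict, since a legitimate installer rarely drops many different DLLs of identical byte length into ProgramData.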
Juliet   

The computer is running very slow. It only has 512 MB of RAM and I suspect that may be part of it.

That's just about as low as you can go, if not too low, and with a big antivirus engine on board it will definitely bog down.

Some programs may not open and run because of lack of resources.

There is one more scan I'd like you to run; I'm thinking it should be done in Safe Mode to free up as many resources as possible.

Download ComboFix from either of these locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Extra note: After you have installed the Recovery Console, if you reboot your computer, right after reboot you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console, as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings > uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.

You may need several replies to post the requested logs, otherwise they might get cut off.


Well, I ran out and got 2 sticks of 1 GB DDR2, so now the computer is running 2 GB of RAM. It seems normal, I think! :) Everything seems to be opening faster.

So I ran ComboFix and here is the log:

 

ComboFix 10-06-12.04 - steve 06/13/2010 16:36:37.1.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.445.144 [GMT -4:00]

Running from: c:\users\steve\Desktop\ComboFix.exe

AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

c:\programdata\AudioSes32.dll

c:\programdata\AuthFWGP32.dll

c:\programdata\authui32.dll

c:\programdata\AuxiliaryDisplayClassInstaller32.dll

c:\programdata\avifil3232.dll

c:\programdata\axaltocm32.dll

c:\programdata\bae32.dll

c:\programdata\batmeter32.dll

c:\programdata\bidispl32.dll

c:\programdata\blackbox32.dll

c:\programdata\brcoinst32.dll

c:\programdata\bthci32.dll

c:\programdata\catsrvps32.dll

c:\programdata\CddbLangDE32.dll

c:\programdata\certmgr32.dll

c:\programdata\cewmdm32.dll

c:\programdata\chsbrkr32.dll

c:\programdata\cic32.dll

c:\programdata\cmpbk3232.dll

c:\programdata\cofiredm32.dll

c:\programdata\colorui32.dll

c:\programdata\credui32.dll

c:\programdata\cryptdlg32.dll

c:\programdata\ctl3dv232.dll

c:\programdata\d3d10core32.dll

c:\programdata\d3d8thk32.dll

c:\programdata\dataclen32.dll

c:\programdata\dbnetlib32.dll

c:\programdata\DDACLSys32.dll

c:\programdata\ddrawex32.dll

c:\programdata\devmgr32.dll

c:\programdata\DfrgRes32.dll

c:\programdata\DfsShlEx32.dll

c:\programdata\DHCPQEC32.dll

c:\programdata\diagperf32.dll

c:\programdata\ds16gt32.dll

c:\programdata\E_FD4BFCA32.dll

c:\programdata\EAPQEC32.dll

c:\programdata\EpPicPrt32.dll

c:\programdata\esentprf32.dll

c:\programdata\evr32.dll

c:\programdata\fdBth32.dll

c:\programdata\fltLib32.dll

c:\programdata\framedyn32.dll

c:\programdata\FwRemoteSvr32.dll

c:\programdata\GameUXLegacyGDFs32.dll

c:\programdata\gptext32.dll

c:\programdata\halmacpi32.dll

c:\programdata\HotStartUserAgent32.dll

c:\programdata\iasdatastore32.dll

c:\programdata\iasnap32.dll

c:\programdata\iassvcs32.dll

c:\programdata\SysWoW32

c:\programdata\SysWoW32\@u34508796v0

c:\programdata\SysWoW32\@u34508796v1

c:\programdata\SysWoW32\@u34508796v2

c:\programdata\SysWoW32\@u34508796v3

c:\programdata\SysWoW32\@u34508796v4

c:\programdata\SysWoW32\@u34508796v5

c:\programdata\SysWoW32\@u34508796v6

c:\programdata\SysWoW32\@u34508796v7

c:\programdata\SysWoW32\_u34508796v0

c:\programdata\SysWoW32\_u34508796v1

c:\programdata\SysWoW32\_u34508796v2

c:\programdata\SysWoW32\_u34508796v3

c:\programdata\SysWoW32\_u34508796v4

c:\programdata\SysWoW32\_u34508796v5

c:\programdata\SysWoW32\_u34508796v6

c:\programdata\SysWoW32\_u34508796v7

c:\programdata\SysWoW32\mu34508796v4

c:\programdata\SysWoW32\mu34508796v4.kwd

c:\programdata\SysWoW32\mu34508796v5

c:\programdata\SysWoW32\mu34508796v5.kwd

c:\programdata\SysWoW32\mu34508796v6

c:\programdata\SysWoW32\mu34508796v6.kwd

c:\programdata\SysWoW32\mu34508796v7

c:\programdata\SysWoW32\mu34508796v7.kwd

c:\programdata\SysWoW32\wu34508796v0.kwd

c:\programdata\SysWoW32\wu34508796v1

c:\programdata\SysWoW32\wu34508796v1.kwd

c:\programdata\SysWoW32\wu34508796v2

c:\programdata\SysWoW32\wu34508796v2.kwd

c:\programdata\SysWoW32\wu34508796v3

c:\programdata\SysWoW32\wu34508796v3.kwd

c:\programdata\unrar.exe

c:\programdata\Windows

c:\users\belanger #2\AppData\Roaming\02000000b2cda569867C.manifest

c:\users\belanger #2\AppData\Roaming\02000000b2cda569867O.manifest

c:\users\belanger #2\AppData\Roaming\02000000b2cda569867P.manifest

c:\users\belanger #2\AppData\Roaming\02000000b2cda569867S.manifest

c:\users\belanger #2\AppData\Roaming\E8F5.tmp

c:\users\steve\AppData\Roaming\02000000b2cda569867C.manifest

c:\users\steve\AppData\Roaming\02000000b2cda569867O.manifest

c:\users\steve\AppData\Roaming\02000000b2cda569867P.manifest

c:\users\steve\AppData\Roaming\02000000b2cda569867S.manifest

c:\users\steve\AppData\Roaming\SystemProc

c:\users\steve\AppData\Roaming\SystemProc\lsass.exe

D:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))

.

 

2010-06-13 20:57 . 2010-06-13 20:58 -------- d-----w- c:\users\steve\AppData\Local\temp

2010-06-13 20:57 . 2010-06-13 20:57 -------- d-----w- c:\users\Guest\AppData\Local\temp

2010-06-13 20:57 . 2010-06-13 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-06-13 20:57 . 2010-06-13 20:57 -------- d-----w- c:\users\belanger #2\AppData\Local\temp

2010-06-13 17:21 . 2010-06-13 17:21 -------- d-----w- C:\57bfed0428aa0ff76eb42624936629b1

2010-06-13 17:20 . 2010-06-13 17:20 -------- d-----w- c:\windows\CheckSur

2010-06-13 17:11 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys

2010-06-13 14:20 . 2010-06-13 14:20 -------- d-----w- c:\users\steve\AppData\Local\Symantec

2010-06-13 14:18 . 2010-06-13 14:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-13 14:13 . 2010-06-13 14:18 -------- d-----w- c:\program files\Symantec

2010-06-13 14:13 . 2010-06-13 14:21 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-06-13 14:13 . 2010-06-13 14:20 -------- d-----w- c:\programdata\Symantec

2010-06-13 14:13 . 2010-06-13 14:13 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-11 22:38 . 2010-06-11 22:38 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Malwarebytes

2010-06-11 22:36 . 2010-06-11 22:36 -------- d-----w- c:\program files\Trend Micro

2010-06-11 22:32 . 2010-06-12 01:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-06-11 22:32 . 2010-06-11 23:19 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-11 22:27 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-11 22:26 . 2010-06-11 22:26 -------- d-----w- c:\programdata\Malwarebytes

2010-06-11 22:26 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-11 22:26 . 2010-06-11 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-11 22:23 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

2010-06-11 21:56 . 2010-06-11 21:56 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Leader Technologies

2010-06-07 23:58 . 2010-06-07 23:58 -------- d-----w- c:\users\belanger #2\AppData\Local\Symantec

2010-06-06 17:30 . 2010-06-06 17:30 -------- d-----w- C:\N360_BACKUP

2010-05-20 22:58 . 2010-06-13 20:12 -------- d-----w- c:\users\steve\AppData\Local\CrashDumps

2010-05-20 16:57 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-05-20 16:57 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-20 16:54 . 2010-05-20 16:54 -------- d-----w- c:\programdata\NortonInstaller

2010-05-20 16:46 . 2010-06-13 13:56 -------- d-----w- c:\programdata\Norton

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-13 20:34 . 2010-04-11 19:07 -------- d-----w- c:\programdata\1785115329

2010-06-13 14:43 . 2010-06-13 14:43 321024 ----a-w- c:\programdata\dmocx32.dll

2010-06-13 14:43 . 2010-06-13 14:43 1107968 --sha-w- c:\users\steve\AppData\Roaming\276A.tmp

2010-06-13 14:18 . 2010-06-13 14:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-13 14:18 . 2010-06-13 14:18 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-11 23:06 . 2010-06-11 23:05 1107968 --sha-w- c:\users\belanger #2\AppData\Roaming\3C00.tmp

2010-06-11 21:56 . 2007-02-12 00:27 104176 ----a-w- c:\users\belanger #2\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-08 03:35 . 2006-12-16 21:49 -------- d-----w- c:\program files\Microsoft Works

2010-06-07 23:40 . 2006-12-16 21:51 -------- d-----w- c:\program files\Google

2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\BC8C.tmp

2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\A440.tmp

2010-05-13 07:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-05-12 15:21 . 2009-10-02 23:27 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-03-30 22:57 . 2010-03-30 22:57 203264 ----a-w- c:\windows\system32\fltLib32.dll

2010-03-30 22:57 . 2010-03-30 22:57 130048 ----a-w- c:\windows\system32\findnetprinters32.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]

"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]

"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2008-12-24 1540288]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]

 

c:\users\belanger #2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"VistaSp2"=hex(B):72,d6,fe,21,d3,1a,ca,01

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-1000]

"EnableNotificationsRef"=dword:00000002

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-500]

"EnableNotificationsRef"=dword:00000002

 

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2008-04-03 121744]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-12 102448]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

 

BHO-{046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - c:\programdata\brcoinst32.dll

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-13 16:58

Windows 6.0.6002 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(724)

c:\windows\System32\findnetprinters32.dll

.

Completion time: 2010-06-13 17:14:40

ComboFix-quarantined-files.txt 2010-06-13 21:14

 

Pre-Run: 116,903,280,640 bytes free

Post-Run: 116,912,435,200 bytes free

 

- - End Of File - - 72A326157E161FAE519FB0993BC00F99

Juliet   

Well I ran out and got 2 sticks of 1gb DDR2 so now the computer is running 2gb ram. It seems normal I think! :) Everything seems to be opening faster.

Yes, you should notice a good difference.

 

 

I ran Startup Inspector to find anything I don't need at startup. I noticed that this is on the list of startup items. I removed it and it just came back when I restarted.

 

http://www.bleepingcomputer.com/startups/RTHDBPL-25560.html

 

Thanks so much for everything so far!

 

Did you run it before or after running ComboFix?

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to: VirusTotal

  • Click the Browse button and search for the following file: c:\programdata\dmocx32.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, so please be patient.

 

*Note

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

 

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...n=1260122209224

Other available links

Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.

  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)

    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note: for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

File requested scanned

Kaspersky log

New HJT log taken after the above scans have run

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Did you run it before or after running ComboFix?

After ComboFix.

 

The computer seems to be running like a charm :)

 

Enclosed are the logs. Thanks for all this help again!

 

Scanned file at this link:

 

http://www.virustotal.com/analisis/b95726e45c94682d3f420d2cefeb27a78ab860c6869d2348da132f6dfff6e2d8-1276545105

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, June 14, 2010

Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, June 14, 2010 14:47:05

Records in database: 4276006

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

 

Scan statistics:

Objects scanned: 146880

Threats found: 10

Infected objects found: 60

Suspicious objects found: 0

Scan duration: 04:25:41

 

 

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\ProgramData\AudioSes32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\AuthFWGP32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\authui32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\AuxiliaryDisplayClassInstaller32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\avifil3232.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\axaltocm32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\bae32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\batmeter32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\bidispl32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\blackbox32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\brcoinst32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\bthci32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\catsrvps32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\CddbLangDE32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\certmgr32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\cewmdm32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\chsbrkr32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\cic32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\cmpbk3232.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\cofiredm32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\colorui32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\credui32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\cryptdlg32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\ctl3dv232.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\d3d10core32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\d3d8thk32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\dataclen32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\dbnetlib32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\DDACLSys32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\ddrawex32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\devmgr32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\DfrgRes32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\DfsShlEx32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\DHCPQEC32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\diagperf32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\ds16gt32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\EAPQEC32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\EpPicPrt32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\esentprf32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\evr32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\E_FD4BFCA32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\fdBth32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\fltLib32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\framedyn32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\FwRemoteSvr32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\GameUXLegacyGDFs32.dll.vir Infected: Trojan.Win32.BHO.ahcj 1

C:\Qoobox\Quarantine\C\ProgramData\gptext32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\halmacpi32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\HotStartUserAgent32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\iasdatastore32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\iasnap32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\iassvcs32.dll.vir Infected: Trojan.Win32.BHO.ahdy 1

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\@u34508796v1.vir Infected: Trojan.Win32.Pincav.aaml 1

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\wu34508796v1.vir Infected: Trojan.Win32.Pincav.aaoe 1

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\wu34508796v2.vir Infected: Trojan.Win32.Pincav.abnk 1

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\_u34508796v1.vir Infected: Trojan.Win32.Pincav.aane 1

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\_u34508796v2.vir Infected: Trojan.Win32.Pincav.aanv 1

C:\Qoobox\Quarantine\C\ProgramData\SysWoW32\_u34508796v3.vir Infected: Trojan.Win32.Pincav.aaqx 1

C:\Qoobox\Quarantine\C\Users\belanger #2\AppData\Roaming\E8F5.tmp.vir Infected: Trojan.Win32.Agent2.cruq 1

C:\Windows\System32\findnetprinters32.dll Infected: Trojan.Win32.BHO.ahfx 1

 

Selected area has been scanned.

 

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:20:57 PM, on 6/14/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Windows\system32\DllHost.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 6449 bytes

Edited by Bubba5056

Juliet   

The computer seems to be running like a charm

Good deal, we should be at the end now.

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll

O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

 

:Files
C:\Windows\system32\crtdll32.dll
C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

 

Post:

OTM log

new HJT log
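As an added example (not part of this thread, and not code from HijackThis or OTM), a small Python triage of HJT O2/O4 lines that flags the two entries picked out above using the heuristics a helper applies by eye: a Windows system-process name such as lsass.exe loading from outside System32, an autostart under a user profile directory, and a BHO registered with no name. The SYSTEM_ONLY and USER_WRITABLE_MARKERS lists are my own assumptions; the sample log lines are copied from the HJT logs posted in this thread.

```python
"""Triage HijackThis O2 (BHO) and O4 (Run key) lines for entries worth a second look.

Added example for this thread; the heuristics below are assumptions, not HJT's own logic.
"""
import re
from pathlib import PureWindowsPath

# O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")

# Assumption: these process names legitimately run only from %SystemRoot%\System32.
SYSTEM_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
# Assumption: autostart binaries in these locations deserve scrutiny (user-writable without admin).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\tmp\\")

# Sample input constructed from the HJT logs posted earlier in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
"""


def executable_from_command(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first .exe/.dll/.cpl/.scr that ends a token.
    m = re.match(r"^(.*?\.(?:exe|dll|cpl|scr))(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_line(line: str) -> list[str]:
    """Return the reasons one HJT line deserves attention; an empty list means nothing odd."""
    reasons: list[str] = []
    m = O4_RE.match(line)
    if m:
        exe = executable_from_command(m.group("cmd"))
        low = exe.lower()
        base = PureWindowsPath(exe).name.lower()
        if base in SYSTEM_ONLY and "\\system32\\" not in low:
            reasons.append(f"{base} is a Windows system process name but runs from outside System32")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("autostart binary lives in a user-writable profile directory")
        return reasons
    m = O2_RE.match(line)
    if m:
        if m.group("desc").strip().lower() == "(no name)":
            reasons.append("BHO registered without a description")
        if any(marker in m.group("path").lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("BHO DLL lives in a user-writable directory")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged HJT line to its list of reasons; unflagged lines are omitted."""
    flagged: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_HJT).items():
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```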


okay here's the logs:

 

All processes killed

Error: Unable to interpret <:FilesC:\Windows\system32\crtdll32.dllC:\Users\steve\AppData\Roaming\SystemProc\lsass.exe:reg[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RTHDBPL"=-:Commands[purity][resethosts][emptytemp][CREATERESTOREPOINT][EMPTYFLASH][Reboot]> in the current context!

 

OTM by OldTimer - Version 3.1.12.2 log created on 06152010_183819

 

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:47:23 PM, on 6/15/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Windows\system32\DllHost.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 6481 bytes


I figured I messed up the OTM instructions. I copied and pasted that text and everything pasted on just one line.

 

So I ran HJT again and fixed:

 

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\ProgramData\brcoinst32.dll (it said file is missing but I "fixed" anyways)

 

The other entry was not present.

 

Next I ran OTM and separated the text onto the proper lines and it produced a different log. Here's the new OTM log and new HJT log:

 

 

All processes killed

========== FILES ==========

C:\Windows\system32\crtdll32.dll moved successfully.

C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe moved successfully.

========== REGISTRY ==========

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\"RTHDBPL"|-:Commands /E :invalid edit format. Invalid data type.

 

OTM by OldTimer - Version 3.1.12.2 log created on 06152010_185012

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:52:57 PM, on 6/15/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\explorer.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 6161 bytes

Edited by Bubba5056

Juliet   

Looking better now.

 

 

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

 

Open Windows Defender.

Click on Tools, General Settings.

Scroll down and uncheck Turn on real-time protection (recommended).

After you uncheck this, click on the Save button and close Windows Defender.

 

After all of the fixes are complete it is very important that you enable Real-time Protection again.

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)

 

 

Now reboot the computer.

 

In your next reply post:

new HJT log

 

 

how's the computer now?


I did the fix, restarted the computer, and here is the new log. That Q2 is still there.

 

The computer is running perfect!

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:44:27 AM, on 6/16/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\RtHDVCpl.exe

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Windows\system32\DllHost.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 6458 bytes

Edited by Bubba5056

Juliet   

That pesky varmint.

 

Tell me how the computer is now.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix should still be on desktop.

 

Right click and select delete.

 

Now we'll download an updated copy.

 

 

Download ComboFix from either of these locations:

Link 1

Link 2

 

Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:

Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723}]

Reglock::

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

 

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

If there are internet issues afterward:

 

*In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

 

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Please post the new ComboFix.txt

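As an added triage example (not the poster's or Juliet's tooling), the following Python script scans HijackThis-format lines for the patterns this thread turned on: an O2 BHO whose DLL is "(file missing)" but whose CLSID registration persists (the key the CFScript above deletes), O2/O4 entries that load from user-writable directories such as AppData or ProgramData, and an R1 ProxyServer value. The sample lines are constructed from entries in the posted logs; the O4 RTHDBPL line combines the Run value and file path that OTM reported.

```python
"""Triage helper for HijackThis-style log lines (added example, not the thread's tooling)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 2.0.4 format. Entries are drawn from the logs
# posted in this thread; the O4 RTHDBPL line is assembled from the Run value and
# file path OTM reported, not copied from a live scan.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\Windows\system32\crtdll32.dll (file missing)
O2 - BHO: (no name) - {046FAFF5-E7CD-4ADE-AC6D-472E0EE0D723} - C:\ProgramData\brcoinst32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\steve\AppData\Roaming\SystemProc\lsass.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Where IE looks up BHO registrations (the key the thread's CFScript removes).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.*)$")
# First token ending in an executable extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|scr|com|bat|cmd))"?', re.IGNORECASE)

# Directory markers an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("\\appdata\\", "c:\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    line: str
    reason: str
    action: str


def executable_path(command: str) -> str:
    """Return the program path from an O4 command line, dropping its arguments."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT log line; None means nothing noteworthy by these rules."""
    m = BHO_RE.match(line)
    if m:
        clsid, path = m.group("clsid"), m.group("path")
        if path.endswith("(file missing)"):
            return Finding("high", line,
                           "BHO CLSID is registered but its DLL is gone; the registration persists",
                           f"delete {BHO_KEY}\\{clsid} and re-scan")
        if is_user_writable(path):
            return Finding("high", line,
                           "BHO loads from a user-writable directory, unlike the Program Files BHOs",
                           f"verify/remove {path}, then delete {BHO_KEY}\\{clsid}")
        return None
    m = RUN_RE.match(line)
    if m:
        exe = executable_path(m.group("cmd"))
        if is_user_writable(exe):
            return Finding("high", line,
                           f"{m.group('hive')} Run entry launches from a user-writable path",
                           f"remove Run value [{m.group('name')}] and the file {exe}")
        return None
    m = PROXY_RE.match(line)
    if m:
        return Finding("review", line,
                       f"IE ProxyServer is set to {m.group('value')!r}",
                       "confirm the proxy is intended or clear it under Internet Options > Connections > LAN Settings")
    return None


def triage_log(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         why: {f.reason}\n         do:  {f.action}")
```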

The computer is running perfectly.

 

 

 

ComboFix 10-06-15.03 - steve 06/16/2010 10:31:18.2.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1917.1169 [GMT -4:00]

Running from: c:\users\steve\Desktop\ComboFix.exe

Command switches used :: c:\users\steve\Desktop\CFScript.txt

AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\programdata\SysWoW32

c:\programdata\SysWoW32\mu34508796v4

c:\programdata\SysWoW32\mu34508796v4.kwd

c:\programdata\SysWoW32\mu34508796v5

c:\programdata\SysWoW32\mu34508796v5.kwd

c:\programdata\SysWoW32\mu34508796v6

c:\programdata\SysWoW32\mu34508796v6.kwd

c:\programdata\SysWoW32\mu34508796v7

c:\programdata\SysWoW32\mu34508796v7.kwd

c:\programdata\SysWoW32\wu34508796v0

c:\programdata\SysWoW32\wu34508796v0.kwd

c:\programdata\SysWoW32\wu34508796v1

c:\programdata\SysWoW32\wu34508796v1.kwd

c:\programdata\SysWoW32\wu34508796v2

c:\programdata\SysWoW32\wu34508796v2.kwd

c:\programdata\SysWoW32\wu34508796v3

c:\programdata\SysWoW32\wu34508796v3.kwd

c:\programdata\unrar.exe

c:\users\belanger #2\AppData\Roaming\3C00.tmp

c:\users\steve\AppData\Roaming\02000000b2cda569867C.manifest

c:\users\steve\AppData\Roaming\02000000b2cda569867O.manifest

c:\users\steve\AppData\Roaming\02000000b2cda569867P.manifest

c:\users\steve\AppData\Roaming\02000000b2cda569867S.manifest

c:\users\steve\AppData\Roaming\276A.tmp

c:\users\steve\AppData\Roaming\D2F3.tmp

c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}

c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\chrome.manifest

c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\chrome\xulcache.jar

c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\defaults\preferences\xulcache.js

c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\extensions\{002fc1bc-8cdf-47db-a7cf-42ec35bea907}\install.rdf

c:\users\steve\AppData\Roaming\SystemProc

c:\users\steve\AppData\Roaming\SystemProc\upd.exe

c:\windows\GnuHashes.ini

 

.

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))

.

 

2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\steve\AppData\Local\temp

2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\Guest\AppData\Local\temp

2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-06-16 14:38 . 2010-06-16 14:38 -------- d-----w- c:\users\belanger #2\AppData\Local\temp

2010-06-15 22:38 . 2010-06-15 22:38 -------- d-----w- C:\_OTM

2010-06-15 22:31 . 2010-06-15 22:31 -------- d-----w- c:\programdata\Office Genuine Advantage

2010-06-15 03:44 . 2010-06-15 03:44 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-14 19:58 . 2010-06-14 19:58 -------- d-----w- c:\windows\Sun

2010-06-14 01:24 . 2010-06-14 01:24 -------- d-----w- c:\users\steve\AppData\Local\Apple Computer

2010-06-14 01:17 . 2010-06-15 22:43 -------- d-----w- c:\users\steve\AppData\Roaming\wsInspector

2010-06-14 01:15 . 2010-06-14 01:15 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-06-14 00:48 . 2010-06-14 00:48 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2010-06-14 00:04 . 2010-06-14 00:04 -------- d-----w- c:\program files\Microsoft

2010-06-14 00:03 . 2010-06-14 00:03 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-06-14 00:03 . 2010-06-14 00:04 -------- d-----w- c:\program files\Windows Live

2010-06-14 00:02 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2010-06-14 00:02 . 2010-06-14 00:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2010-06-14 00:00 . 2010-06-14 00:00 -------- d-----w- c:\program files\Common Files\Windows Live

2010-06-13 23:32 . 2010-06-13 23:32 -------- d-----w- c:\windows\PCHEALTH

2010-06-13 23:32 . 2010-06-13 23:32 -------- d-----w- c:\program files\Microsoft.NET

2010-06-13 23:26 . 2010-06-13 23:26 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2010-06-13 23:24 . 2010-06-13 23:24 -------- d-----w- c:\users\steve\AppData\Local\Microsoft Help

2010-06-13 23:19 . 2009-02-24 22:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys

2010-06-13 22:43 . 2010-06-13 22:43 -------- d-----w- c:\users\steve\AppData\Local\Mozilla

2010-06-13 17:21 . 2010-06-13 17:21 -------- d-----w- C:\57bfed0428aa0ff76eb42624936629b1

2010-06-13 17:20 . 2010-06-13 17:20 -------- d-----w- c:\windows\CheckSur

2010-06-13 17:03 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll

2010-06-13 17:03 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-06-13 17:02 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll

2010-06-13 14:54 . 2010-06-13 14:54 388096 ----a-r- c:\users\steve\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-13 14:43 . 2010-06-13 14:43 321024 ----a-w- c:\programdata\dmocx32.dll

2010-06-13 14:20 . 2010-06-13 14:20 -------- d-----w- c:\users\steve\AppData\Local\Symantec

2010-06-13 14:18 . 2010-06-13 14:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-06-13 14:13 . 2010-06-13 14:18 -------- d-----w- c:\program files\Symantec

2010-06-13 14:13 . 2010-06-13 14:21 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-06-13 14:13 . 2010-06-13 14:20 -------- d-----w- c:\programdata\Symantec

2010-06-13 14:13 . 2010-06-13 14:13 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-11 22:38 . 2010-06-11 22:38 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Malwarebytes

2010-06-11 22:37 . 2010-06-11 22:37 388096 ----a-r- c:\users\belanger #2\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-11 22:36 . 2010-06-11 22:36 -------- d-----w- c:\program files\Trend Micro

2010-06-11 22:32 . 2010-06-12 01:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-06-11 22:32 . 2010-06-11 23:19 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-11 22:27 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-11 22:26 . 2010-06-11 22:26 -------- d-----w- c:\programdata\Malwarebytes

2010-06-11 22:26 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-11 22:26 . 2010-06-11 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-11 22:23 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

2010-06-11 21:56 . 2010-06-11 21:56 -------- d-----w- c:\users\belanger #2\AppData\Roaming\Leader Technologies

2010-06-07 23:58 . 2010-06-07 23:58 -------- d-----w- c:\users\belanger #2\AppData\Local\Symantec

2010-06-06 17:30 . 2010-06-06 17:30 -------- d-----w- C:\N360_BACKUP

2010-05-20 22:58 . 2010-06-15 22:50 -------- d-----w- c:\users\steve\AppData\Local\CrashDumps

2010-05-20 16:57 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-05-20 16:57 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll

2010-05-20 16:54 . 2010-05-20 16:54 -------- d-----w- c:\programdata\NortonInstaller

2010-05-20 16:46 . 2010-06-13 13:56 -------- d-----w- c:\programdata\Norton

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-15 03:45 . 2006-12-16 21:42 -------- d-----w- c:\program files\CONEXANT

2010-06-15 03:40 . 2006-12-16 21:47 -------- d-----w- c:\programdata\Microsoft Help

2010-06-14 01:05 . 2007-02-08 23:57 104248 ----a-w- c:\users\steve\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-14 00:56 . 2006-12-16 21:49 -------- d-----w- c:\program files\Microsoft Works

2010-06-14 00:22 . 2007-02-20 22:44 -------- d-----w- c:\program files\Common Files\aol

2010-06-14 00:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-06-13 23:34 . 2006-11-02 12:35 -------- d-----w- c:\program files\MSBuild

2010-06-13 22:52 . 2006-12-16 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-13 22:50 . 2007-02-20 22:44 -------- d-----w- c:\programdata\AOL

2010-06-13 22:48 . 2007-02-20 22:57 -------- d-----w- c:\users\steve\AppData\Roaming\AOL

2010-06-13 22:02 . 2010-06-13 22:02 0 ---ha-w- c:\users\steve\wrhqyuvyhi.tmp

2010-06-13 21:16 . 2010-04-11 19:07 -------- d-----w- c:\programdata\1785115329

2010-06-13 14:18 . 2010-06-13 14:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-06-13 14:18 . 2010-06-13 14:18 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-11 21:56 . 2007-02-12 00:27 104176 ----a-w- c:\users\belanger #2\AppData\Local\GDIPFONTCACHEV1.DAT

2010-06-07 23:40 . 2006-12-16 21:51 -------- d-----w- c:\program files\Google

2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\BC8C.tmp

2010-05-25 11:08 . 2010-05-25 11:08 0 ----a-w- c:\users\steve\AppData\Roaming\A440.tmp

2010-05-15 17:32 . 2010-05-15 17:32 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb3A78.tmp.exe

2010-05-12 15:21 . 2009-10-02 23:27 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-04 05:59 . 2010-06-13 17:11 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 05:55 . 2010-06-13 17:11 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-05-04 05:55 . 2010-06-13 17:11 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-05-04 04:31 . 2010-06-13 17:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2010-05-01 14:13 . 2010-06-13 17:11 2037248 ----a-w- c:\windows\system32\win32k.sys

2010-04-17 04:04 . 2010-04-17 04:04 306032 ----a-w- c:\windows\WLXPGSS.SCR

2010-03-30 22:57 . 2010-03-30 22:57 203264 ----a-w- c:\windows\system32\fltLib32.dll

2010-03-30 22:57 . 2010-03-30 22:57 130048 ----a-w- c:\windows\system32\findnetprinters32.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]

"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]

"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2008-12-24 1540288]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-04-03 136080]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

 

c:\users\belanger #2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiSpywareOverride"=dword:00000001

"VistaSp2"=hex(B):72,d6,fe,21,d3,1a,ca,01

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-1000]

"EnableNotificationsRef"=dword:00000002

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3074645540-534623877-3370066440-500]

"EnableNotificationsRef"=dword:00000002

 

R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2008-04-03 121744]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-12 102448]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

FF - ProfilePath - c:\users\steve\AppData\Roaming\Mozilla\Firefox\Profiles\xgrs4d5e.default\

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-16 10:38

Windows 6.0.6002 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

c:\users\steve\AppData\Local\Temp\catchme.dll 53248 bytes executable

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

Completion time: 2010-06-16 10:42:36

ComboFix-quarantined-files.txt 2010-06-16 14:42

ComboFix2.txt 2010-06-13 21:14

 

Pre-Run: 98,835,304,448 bytes free

Post-Run: 98,968,510,464 bytes free

 

- - End Of File - - 44554B4102529A1A614F9FE2D2E7BC82

Juliet   

The computer is running perfectly.

Good deal.

 

 

 

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

 

:Files
c:\users\steve\wrhqyuvyhi.tmp
c:\users\steve\AppData\Roaming\BC8C.tmp
c:\users\steve\AppData\Roaming\A440.tmp
C:\Windows\System32\findnetprinters32.dll
:Commands
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

 

In your next reply post:

OTM log

new HJT log.
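As an added check that is not part of the thread or of OTM itself, the Python below compares the :Files list in an OTM script against the OTM log it produces and flags any requested item the log never confirms as moved. The sample script and log are constructed after the ones posted here; the A440.tmp line is deliberately left out of the sample log to show the unconfirmed case, and the "LoadLibrary failed" line is kept to show that it does not by itself mean the move failed.

```python
import re

# Constructed sample input modelled on the OTM script posted above.
OTM_SCRIPT = r""":Files
c:\users\steve\wrhqyuvyhi.tmp
c:\users\steve\AppData\Roaming\BC8C.tmp
c:\users\steve\AppData\Roaming\A440.tmp
C:\Windows\System32\findnetprinters32.dll
:Commands
[Reboot]
"""

# Constructed sample log: A440.tmp is deliberately missing so that an
# unconfirmed item is reported; the LoadLibrary line mirrors the real log.
OTM_LOG = r"""========== FILES ==========
c:\users\steve\wrhqyuvyhi.tmp moved successfully.
c:\users\steve\AppData\Roaming\BC8C.tmp moved successfully.
LoadLibrary failed for C:\Windows\System32\findnetprinters32.dll
C:\Windows\System32\findnetprinters32.dll moved successfully.
========== COMMANDS ==========
"""

MOVED_RE = re.compile(r"^(.*?) moved successfully\.$", re.IGNORECASE)

def parse_otm_script(script):
    """Return the paths listed under the :Files directive, in order."""
    paths, in_files = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):            # a new directive such as :Commands
            in_files = line.lower() == ":files"
        elif in_files and line:
            paths.append(line)
    return paths

def parse_otm_log(log):
    """Return (moved, notes): paths OTM reports as moved, plus every other
    non-header line (e.g. 'LoadLibrary failed for ...') for manual review."""
    moved, notes = set(), []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("=========="):
            continue
        m = MOVED_RE.match(line)
        if m:
            moved.add(m.group(1).casefold())  # Windows paths are case-insensitive
        else:
            notes.append(line)
    return moved, notes

def verify_otm(script, log):
    """Map each requested path to True (confirmed moved) or False, with notes."""
    moved, notes = parse_otm_log(log)
    return {p: p.casefold() in moved for p in parse_otm_script(script)}, notes

if __name__ == "__main__":
    result, notes = verify_otm(OTM_SCRIPT, OTM_LOG)
    for path, ok in result.items():
        print(("moved        " if ok else "UNCONFIRMED  ") + path)
    for n in notes:
        print("note: " + n)
```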


========== FILES ==========

c:\users\steve\wrhqyuvyhi.tmp moved successfully.

c:\users\steve\AppData\Roaming\BC8C.tmp moved successfully.

c:\users\steve\AppData\Roaming\A440.tmp moved successfully.

LoadLibrary failed for C:\Windows\System32\findnetprinters32.dll

C:\Windows\System32\findnetprinters32.dll moved successfully.

========== COMMANDS ==========

 

OTM by OldTimer - Version 3.1.12.2 log created on 06162010_164628

 

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:53:17 PM, on 6/16/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec AntiVirus\VPTray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Users\steve\Desktop\HijackThis.exe

C:\Windows\system32\DllHost.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5082

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 6378 bytes

Juliet   

Looks good to me, I think we're ready to do final clean up and send you on your way.

 

 

Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.

 

Go to Start > Run and copy and paste the full text path into the Run box:

 

Start > Run and type in ComboFix /Uninstall

 

Note the space between the x and the /U, it needs to be there.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

You're good to go, good job!

 

 

Please take the time to read over a few of my preventive tips.

 

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 3

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

 

WOT (Web of Trust) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.

Please note that these products can also be run for free, without a licence, as on-demand scanners.

 

Backup regularly

 

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

 

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

 

Avoid P2P

 

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

 

Please read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Free Antivirus-AntiSpyware-Firewall Software

 

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

 

Slow Computer May Not Be Malware Related, Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story.

 

Extra note:

Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

Juliet   

Glad we could help. :)

 

Since this issue appears resolved ... this Topic is closed.
