
Am I Hijacked,infected Or Paranoid


16 replies to this topic

#1 PGee
  • Members
  • 9 posts

Posted 25 February 2008 - 09:59 PM

Am I Hijacked,infected or paranoid

This is my first post. Please excuse my mistakes.
I have been using these programs for a while now:
Avast Home, Ad-Aware, Spybot, Ewido, AVG Rootkit, Zone Alarm [uninstalled].

All of these have not been finding anything in my system for a while.
I have recently installed Spyware Terminator, which found a few Trojans and malware.
After reading your forum I installed Dr.Web CureIt, which found a Trojan dropper and deleted it.

Problems:
When I have been downloading with Free Download Manager it always downloads a lot more than the program file size. Uninstalled.
When I use IE Explorer (changed to 7), it has up to 50 outbound connections with a lot of traffic, and when I use Firefox it always averages 6 to 8 outbound connections.
All my programs have manual updates selected except WMP 9.
I had SureAntispyware on my desktop but not installed and was unable to open, rename, move or delete it for about a week. Deleted now.
Two old small programs I keep but don't use have had their exe and dll files modified recently. Also a search folder has turned up in a folder on my (I:) disc, and a Program Start folder has installed on my (G:) disc.
What's going on?

Any help you can give will be greatly appreciated, and thank you in advance for your work in this forum.
PGee

Here is the HijackThis log file.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:08 a.m., on 26/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maintenance\Larvasoft\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\config.msi\from w-syst32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CoolSwitch] c:\config.msi\from w-syst32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KernelFaultCheck.lnk = ?
O4 - Global Startup: PrinTray.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192577012584
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...143/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Maintenance\Larvasoft\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6927 bytes

#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 March 2008 - 07:24 PM

Hello PGee,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay. :blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 PGee
  • Topic Starter
  • Members
  • 9 posts

Posted 06 March 2008 - 07:01 AM

Hi Teacup,
Yes please, your help would be great.
I'm just off to bed but will do a HT log before I go.

#4 PGee
  • Topic Starter
  • Members
  • 9 posts

Posted 06 March 2008 - 07:21 AM

I have been following your guides on HT, and scanned with Ad-Aware, S&D and Stinger. Dr.Web CureIt found a few bugs.

Also I have cleaned things up a bit and merged 2 partitions, but I still think there is a big beasty in there somewhere.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:31 PM, on 6/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maintenance\Larvasoft\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\config.msi\from w-syst32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdm2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CoolSwitch] c:\config.msi\from w-syst32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KernelFaultCheck.lnk = ?
O4 - Global Startup: PrinTray.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192577012584
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...143/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Maintenance\Larvasoft\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6304 bytes
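The HijackThis logs in this thread are read by hand, entry by entry. As an added example (my own code, not HijackThis's, ComboFix's or the forum's), the Python below parses the v2 log format and runs a small review checklist over it: orphaned entries marked "(file missing)" or "(no file)", O4 autostarts launched from directories that rarely host a legitimate program, startup shortcuts with no resolvable target, O10 LSP modules HijackThis could not identify, O20 AppInit_DLLs entries, and R0/R1 browser pages pointing somewhere other than the IE defaults. The sample log is constructed from a subset of the lines posted above; the `SUSPECT_DIRS` and `EXPECTED_HOSTS` lists are assumptions of mine, and a flag is a prompt for the reviewer to look, not a verdict (a legitimate firewall's DLL will trip the AppInit_DLLs check just as a malicious one would).

```python
"""Review checklist over HijackThis v2 log lines.

Added example: my own code, not HijackThis's or the forum's. Flags are
prompts for a human reviewer, not verdicts.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis logs posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] c:\config.msi\from w-syst32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: KernelFaultCheck.lnk = ?
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Assumed heuristics (mine, not HijackThis's): directories that rarely host a
# legitimate autostart binary, and the hosts IE's default pages point at.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\config.msi\\")
EXPECTED_HOSTS = {"go.microsoft.com"}


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return one Entry per HijackThis entry line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach review flags to an entry according to the checklist above."""
    body = entry.body.lower()
    if "(file missing)" in body or "(no file)" in body:
        entry.flags.append("orphaned entry: points at a file that no longer exists")
    if entry.section in ("R0", "R1"):
        m = re.search(r"=\s*(https?://\S+)", entry.body)
        if m and urlparse(m.group(1)).hostname not in EXPECTED_HOSTS:
            entry.flags.append("browser page set to a non-default host; confirm the user chose it")
    if entry.section == "O4":
        if body.endswith("= ?"):
            entry.flags.append("startup shortcut with no resolvable target")
        elif any(d in body for d in SUSPECT_DIRS):
            entry.flags.append("autostart binary runs from an unusual directory")
    if entry.section == "O10":
        entry.flags.append("Winsock LSP module HijackThis could not identify")
    if entry.section == "O20" and "appinit_dlls" in body:
        entry.flags.append("AppInit_DLLs is loaded into every process; verify the DLL's publisher")
    return entry


def review(text: str) -> list:
    """Parse and triage a log, returning only the entries that carry flags."""
    return [e for e in map(triage, parse_log(text)) if e.flags]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.section:<4} {e.body}")
        for f in e.flags:
            print(f"       -> {f}")
```

Run as a script it prints the seven flagged entries from the sample with their reasons; the two avast! lines and the default Microsoft start page pass clean. To use it on a full log, read the posted text into `review()`; because a flag only narrows what to look at, the next step is still the one the helpers here take: check the publisher and location of each flagged file before deciding anything.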

#5 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 March 2008 - 12:50 PM

Hello there,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#6 PGee
  • Topic Starter
  • Members
  • 9 posts

Posted 06 March 2008 - 07:11 PM

Hi Tea,

I have deleted earlier downloads of ComboFix.
At the first attempt at running ComboFix after downloading from your Bleeping Computer link, a note said that the file was corrupt. The download from the following link has worked OK.

When starting HijackThis a note said that
"Error # 5 Invalid procedure or argument" had occurred.
HijackThis then continued.

Kind regards
PGee


ComboFix 08-03-06.2 - rocket 2008-03-07 10:34:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1139 [GMT 11:00]
Running from: C:\Documents and Settings\rocket\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-06 17:57 . 2008-03-06 17:57 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\vlc
2008-03-06 17:55 . 2008-03-06 18:00 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\dvdcss
2008-03-06 17:53 . 2008-03-06 17:53 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-03 20:11 . 2008-03-03 20:20 4,507 --a------ C:\WINDOWS\imsins.BAK
2008-03-02 23:01 . 2007-12-31 23:07 294,400 -----c--- C:\WINDOWS\system32\dllcache\msctf.dll
2008-03-02 23:01 . 2007-12-18 20:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-03-02 23:01 . 2007-12-07 13:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-02 23:00 . 2007-11-22 22:43 78,720 -----c--- C:\WINDOWS\system32\dllcache\sdbus.sys
2008-03-02 23:00 . 2007-11-22 22:23 12,032 -----c--- C:\WINDOWS\system32\dllcache\sffdisk.sys
2008-03-02 23:00 . 2007-11-22 22:23 11,008 -----c--- C:\WINDOWS\system32\dllcache\sffp_sd.sys
2008-03-02 23:00 . 2007-11-22 22:23 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-03-02 23:00 . 2007-11-22 22:23 10,240 -----c--- C:\WINDOWS\system32\dllcache\sffp_mmc.sys
2008-03-02 22:58 . 2007-12-07 13:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-02 22:58 . 2007-04-17 20:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-02 22:58 . 2007-02-10 00:26 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-02 22:58 . 2007-12-07 13:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-02 22:58 . 2007-12-07 13:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-02 22:58 . 2007-12-07 13:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-02 22:58 . 2007-12-07 13:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-02 22:58 . 2007-12-06 22:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 14:25 . 2008-03-06 21:08 <DIR> d-------- C:\Program Files\Profilli 2
2008-02-29 14:17 . 2008-02-29 14:17 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\Uniblue
2008-02-24 23:59 . 2008-02-25 00:00 <DIR> d-------- C:\Documents and Settings\goldy\Application Data\Spyware Terminator
2008-02-20 18:06 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-02-20 18:05 . 2008-02-27 20:47 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-20 16:07 . 2008-02-20 16:03 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-17 22:25 . 2008-02-17 22:25 <DIR> d-------- C:\Documents and Settings\Padministrator\.gimp-2.2
2008-02-17 21:41 . 2008-02-17 21:42 <DIR> d-------- C:\Documents and Settings\Padministrator\Vscans
2008-02-17 18:57 . 2008-02-17 22:36 <DIR> d-------- C:\Documents and Settings\Padministrator\.housecall6.6
2008-02-16 22:35 . 2008-02-16 22:41 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-02-16 10:37 . 2008-02-16 10:37 <DIR> d-------- C:\Documents and Settings\rocket\DoctorWeb
2008-02-15 17:03 . 2008-03-05 10:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-02-15 13:35 . 2007-12-05 00:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-15 13:35 . 2004-01-09 20:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-15 13:35 . 2007-12-04 23:54 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2008-02-15 13:35 . 2007-12-05 01:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-15 13:35 . 2007-12-05 01:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-15 13:35 . 2007-12-05 01:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-15 13:35 . 2007-12-05 01:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-15 13:35 . 2007-12-05 01:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-15 13:34 . 2008-02-15 13:34 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-14 17:50 . 2008-03-07 10:30 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-02-14 14:23 . 2008-02-14 14:23 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Talkback
2008-02-14 14:22 . 2008-02-14 14:23 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Thunderbird
2008-02-14 11:45 . 2008-02-14 11:45 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\OpenOffice.org2
2008-02-14 08:17 . 2008-02-17 23:02 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Spyware Terminator
2008-02-13 19:58 . 2008-03-07 10:25 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-02-13 19:58 . 2008-03-07 10:25 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\Spyware Terminator
2008-02-13 19:58 . 2008-03-05 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-12 15:39 . 2008-02-12 15:39 <DIR> d-------- C:\Documents and Settings\goldy\Application Data\Comodo
2008-02-12 00:14 . 2008-02-12 00:52 <DIR> d-------- C:\Search Indexer
2008-02-10 14:00 . 2008-02-10 14:00 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\ImgBurn
2008-02-10 13:41 . 2008-02-10 13:41 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Comodo
2008-02-06 16:11 . 2008-02-15 22:37 943 --a------ C:\WINDOWS\CFWIN.INI
2008-02-06 15:51 . 2008-02-10 18:14 164 --a------ C:\WINDOWS\CompuPrt.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 23:19 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-06 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-05 01:33 --------- d-----w C:\Documents and Settings\rocket\Application Data\OpenOffice.org2
2008-03-03 09:32 --------- d-----w C:\Documents and Settings\rocket\Application Data\Windows Desktop Search
2008-03-01 03:38 --------- d-----w C:\Program Files\Pro Imaging Powertoys
2008-02-29 12:53 --------- d-----w C:\Documents and Settings\rocket\Application Data\Free Download Manager
2008-02-29 05:12 --------- d-----w C:\Program Files\Comuter maintenance
2008-02-29 03:24 --------- d-----w C:\Documents and Settings\rocket\Application Data\Thunderbird
2008-02-23 13:41 --------- d-----w C:\Documents and Settings\rocket\Application Data\gtk-2.0
2008-02-23 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 01:40 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-23 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 05:04 --------- d-----w C:\Program Files\AutoPatcher
2008-02-19 08:50 --------- d-----w C:\Program Files\Free Download Manager
2008-02-16 11:38 --------- d-----w C:\Program Files\COMODO
2008-02-15 06:24 --------- d-----w C:\Program Files\MSECache
2008-02-13 10:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 11:14 --------- d-----w C:\Program Files\LexmarkX73
2008-02-11 00:26 --------- d-----w C:\Program Files\Resources
2008-02-09 08:58 --------- d-----w C:\Program Files\Malicious Software Removal Tool
2008-02-08 12:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 06:46 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-31 06:46 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-30 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-01-22 12:56 --------- d-----w C:\Program Files\Canon
2008-01-18 12:47 --------- d-----w C:\Documents and Settings\rocket\Application Data\CD-LabelPrint
2008-01-13 11:10 139,008 ----a-w C:\WINDOWS\system32\guard32.dll.vir
2008-01-09 22:18 --------- d-----w C:\Program Files\Windows Journal Viewer
2008-01-09 22:15 --------- d-----w C:\Program Files\ImgBurn
2008-01-09 22:15 --------- d-----w C:\Program Files\DVD Decrypter
2008-01-08 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-01-08 11:03 81,272 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-01-08 11:03 23,672 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-01-08 11:03 --------- d-----w C:\Documents and Settings\rocket\Application Data\Comodo
2007-12-31 12:07 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-06-01 03:40 897,024 ----a-w C:\Program Files\PaintDotNet.exe
2007-05-07 14:02 93,746 ----a-w C:\Program Files\PaintDotNet.Strings.3.ZH-CN.resources
2007-05-07 14:02 109,127 ----a-w C:\Program Files\PaintDotNet.Strings.3.JA.resources
2007-05-07 14:02 104,646 ----a-w C:\Program Files\PaintDotNet.Strings.3.FR.resources
2007-05-07 14:02 104,312 ----a-w C:\Program Files\PaintDotNet.Strings.3.KO.resources
2007-05-07 14:02 103,282 ----a-w C:\Program Files\PaintDotNet.Strings.3.DE.resources
2007-05-07 14:02 102,250 ----a-w C:\Program Files\PaintDotNet.Strings.3.ES.resources
2007-05-07 14:02 101,681 ----a-w C:\Program Files\PaintDotNet.Strings.3.PT-BR.resources
2006-12-11 04:24 1,827 ----a-w C:\Program Files\License.txt
2006-11-25 20:05 172,032 ----a-w C:\Program Files\ICSharpCode.SharpZipLib.dll
2005-11-26 14:53 49,152 ----a-w C:\Program Files\Interop.WIA.dll
2007-07-13 01:45 5,884,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-13 01:45 97,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIWatcher"="C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe" [2002-08-02 18:02 598528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2003-04-15 21:55 36864 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 19:34 53248 C:\WINDOWS\SOUNDMAN.EXE]
"CoolSwitch"="c:\config.msi\from w-syst32\taskswitch.exe" [2007-07-09 21:22 45632]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]
"COMODO Firewall Pro"="C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" [2008-01-08 22:03 1481472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoRecentDocsNetHood"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-08 22:03]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-08 22:03]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-05 10:04]
R2 ComodoBackupService;ComodoBackupService;C:\Program Files\COMODO\BackUp\CmdBkSvc.exe [2008-02-10 13:25]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-01-26 19:19]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-01-26 19:18]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-01-26 19:16]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-01-26 19:17]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 PORTMON;PORTMON;C:\Documents and Settings\rocket\My Documents\Microsoft Folder\SysinternalsSuite\PORTMSYS.SYS []
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 17:55]
S4 AX;AX;C:\DOCUME~1\rocket\LOCALS~1\Temp\AX.exe []
S4 EFG;EFG;C:\DOCUME~1\rocket\LOCALS~1\Temp\EFG.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 22:21:56 C:\WINDOWS\Tasks\System Restore.job"
- C:\WINDOWS\system32\Restore\rstrui.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 10:40:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-07 10:41:29
ComboFix2.txt 2008-03-05 10:50:18
ComboFix3.txt 2008-03-05 02:17:29
ComboFix4.txt 2008-02-29 06:00:02
ComboFix5.txt 2008-02-19 01:13:32
.
2007-06-28 23:59:30 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:59 AM, on 7/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maintenance\Larvasoft\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\config.msi\from w-syst32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdm2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CoolSwitch] c:\config.msi\from w-syst32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KernelFaultCheck.lnk = ?
O4 - Global Startup: PrinTray.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192577012584
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...143/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Maintenance\Larvasoft\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6251 bytes
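The ComboFix service list and HijackThis log above are what a Malware Response Team helper reads by eye. As an added example, not code from this thread, from HijackThis or from ComboFix, here is a small Python triage helper that picks out the entry types worth a second look in logs of exactly this shape: ComboFix service lines whose bracketed timestamp is empty (ComboFix prints the file's timestamp there, so empty brackets typically mean it found no file on disk, as for AX.exe and EFG.exe under the user's Temp directory), binaries living in a Temp directory, O20 AppInit_DLLs entries, O10 LSPs HijackThis does not recognise, and entries marked "(file missing)". The sample lines are constructed from the formats shown above. A flag is a prompt to check, not a verdict: guard32.dll is COMODO Firewall Pro's own AppInit hook (the same product whose cmdGuard.sys driver is listed), and nwprovau.dll is the Windows NetWare client provider DLL that HijackThis simply does not whitelist.

```python
import re

# ComboFix service line, e.g.
#   S4 AX;AX;C:\DOCUME~1\rocket\LOCALS~1\Temp\AX.exe []
# start type, service name, display name, image path, then the file's
# timestamp in brackets (empty when ComboFix could not find the file).
COMBOFIX_SVC = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
# HijackThis line, e.g. "O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll"
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# A user's Temp directory in either 8.3 or long form.
TEMP_DIR = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)


def triage(lines):
    """Return [(line, reasons)] for every log line that deserves a look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        svc = COMBOFIX_SVC.match(line)
        if svc:
            reasons = []
            if not svc.group("stamp"):
                reasons.append("no file timestamp, binary not found on disk")
            if TEMP_DIR.search(svc.group("path")):
                reasons.append("service binary in a user Temp directory")
            if reasons:
                findings.append((line, "; ".join(reasons)))
            continue
        hjt = HJT_LINE.match(line)
        if not hjt:
            continue
        section, body = hjt.group("section"), hjt.group("body")
        reasons = []
        if section == "O20" and body.startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs entry loads into every user-mode process")
        if section == "O10" and "Unknown file" in body:
            reasons.append("Winsock LSP not in HijackThis's known list")
        if "(file missing)" in body:
            reasons.append("referenced file is missing")
        if TEMP_DIR.search(body):
            reasons.append("path in a user Temp directory")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


# Constructed sample, copied from the line formats in the logs above.
SAMPLE_LOG = r"""
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-08 22:03]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S4 AX;AX;C:\DOCUME~1\rocket\LOCALS~1\Temp\AX.exe []
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG.splitlines()):
        print(f"{why}\n    {line}")
```

Run against the sample it reports five lines: the two services with empty brackets (AX.exe additionally for living in Temp), the O9 button whose fd.exe is gone, the unrecognised LSP and the AppInit DLL; the COMODO driver and the avast! autorun pass silently. Feed it a whole ComboFix.txt or hijackthis.log via `splitlines()` and review the flagged lines against what you know is installed, as the helper does with guard32.dll here.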

#7 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 March 2008 - 07:36 PM

Hello,

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\guard32.dll.vir
C:\WINDOWS\imsins.BAK

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. How is it running, please?

Thanks,
tea
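The procedure above (a File:: list saved as CFScript and dragged onto ComboFix.exe) ends with a ComboFix.txt whose "Other Deletions" section lists what was actually removed; PGee's reply below shows one. As an added example that is neither ComboFix's code nor part of the thread, this Python snippet reads the File:: section of a CFScript and the resulting log, and reports any requested path the log does not show as deleted, which is the check a helper makes before moving on. The sample CFScript and log excerpt are constructed to match the formats on this page; the third path, C:\WINDOWS\example-not-removed.tmp, is a hypothetical entry added so that the mismatch case is exercised.

```python
import re

# ComboFix prints section banners as a run of '(' ... text ... ')'.
DELETIONS_BANNER = re.compile(r"^\(+\s*Other Deletions\s*\)+$")
ANY_BANNER = re.compile(r"^\(+\s*[^()]+?\s*\)+$")


def parse_cfscript_files(script_text):
    """Paths listed under the File:: header of a CFScript, in order.

    A CFScript is plain text made of sections whose headers end in '::'
    (File::, Folder::, ...); only the File:: section is read here."""
    paths, in_files = [], False
    for line in script_text.splitlines():
        item = line.strip()
        if not item:
            continue
        if item.endswith("::"):
            in_files = item.lower() == "file::"
            continue
        if in_files:
            paths.append(item)
    return paths


def parse_other_deletions(log_text):
    """Paths ComboFix listed under its 'Other Deletions' banner (lower-cased)."""
    deleted, in_section = set(), False
    for line in log_text.splitlines():
        item = line.strip()
        if DELETIONS_BANNER.match(item):
            in_section = True
            continue
        if in_section and ANY_BANNER.match(item):
            break  # next banner, e.g. "Files Created from ...", ends the section
        if in_section and item and item != ".":
            deleted.add(item.lower())
    return deleted


def unconfirmed_deletions(script_text, log_text):
    """Requested paths the log does not show as deleted; empty means all done."""
    deleted = parse_other_deletions(log_text)
    return [p for p in parse_cfscript_files(script_text) if p.lower() not in deleted]


# Constructed sample CFScript; the last path is hypothetical.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\guard32.dll.vir
C:\WINDOWS\imsins.BAK
C:\WINDOWS\example-not-removed.tmp
"""

# Constructed excerpt in the shape of the ComboFix.txt shown in this thread.
SAMPLE_COMBOFIX_LOG = r"""
FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\guard32.dll.vir
C:\WINDOWS\example-not-removed.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\guard32.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.
2008-03-06 17:57 . 2008-03-06 17:57 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\vlc
"""

if __name__ == "__main__":
    for path in unconfirmed_deletions(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG):
        print("not confirmed deleted:", path)
```

The FILE :: block ComboFix echoes near the top of its log is only the script being read back, so the parser deliberately ignores it and trusts the "Other Deletions" section alone; a path that is still unconfirmed after the run is the one to re-check on disk (it may have been in use, or locked by the firewall's sandbox driver).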

#8 PGee (Topic Starter)
  • Members
  • 9 posts

Posted 07 March 2008 - 06:11 AM

Hi Tea,
Here are the two scans.
Just some more info.
Previously I had run a scan with registryboosteraff.exe.
It had picked up 185 registry problems and offered to fix only 15.

COMODO Firewall picked up the installing of KB915865.exe on 2.03.08.
Something I was not doing, so I moved the files to Comodo's Quarantine.
Bleeping Computer refers to this file as a w32 Darwin worm?
I found the install log for KB915865 in C:\Windows and have included it at the end.
Maybe it will help.
The log makes reference to files on G:\, but they are not there.

When I created the G:\ partition a "Start Menu" folder had installed itself into the folder
"BACKED UP FILES" on G:\. When I try to delete it I get, THIS IS A SYSTEM FOLDER AND CAN NOT BE DELETED.
I can delete the shortcuts under Programs, but different shortcuts reappear.
Maybe a different problem.

And also when I installed IE7 it also installed itself onto G:\.
I have been trying to solve problems for years and after reading Bleeping Computer
for a long while I bow to the great amount of knowledge you guys must have.
Thank you for your help

PGee

ComboFix 08-03-06.2 - rocket 2008-03-07 15:20:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1089 [GMT 11:00]
Running from: C:\Documents and Settings\rocket\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rocket\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\guard32.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\guard32.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-06 17:57 . 2008-03-06 17:57 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\vlc
2008-03-06 17:55 . 2008-03-06 18:00 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\dvdcss
2008-03-06 17:53 . 2008-03-06 17:53 <DIR> d-------- C:\Program Files\VideoLAN
2008-03-02 23:01 . 2007-12-31 23:07 294,400 -----c--- C:\WINDOWS\system32\dllcache\msctf.dll
2008-03-02 23:01 . 2007-12-18 20:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-03-02 23:01 . 2007-12-07 13:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-02 23:00 . 2007-11-22 22:43 78,720 -----c--- C:\WINDOWS\system32\dllcache\sdbus.sys
2008-03-02 23:00 . 2007-11-22 22:23 12,032 -----c--- C:\WINDOWS\system32\dllcache\sffdisk.sys
2008-03-02 23:00 . 2007-11-22 22:23 11,008 -----c--- C:\WINDOWS\system32\dllcache\sffp_sd.sys
2008-03-02 23:00 . 2007-11-22 22:23 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-03-02 23:00 . 2007-11-22 22:23 10,240 -----c--- C:\WINDOWS\system32\dllcache\sffp_mmc.sys
2008-03-02 22:58 . 2007-12-07 13:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-02 22:58 . 2007-04-17 20:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-02 22:58 . 2007-02-10 00:26 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-02 22:58 . 2007-12-07 13:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-02 22:58 . 2007-12-07 13:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-02 22:58 . 2007-12-07 13:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-02 22:58 . 2007-12-07 13:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-02 22:58 . 2007-12-06 22:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-01 14:25 . 2008-03-06 21:08 <DIR> d-------- C:\Program Files\Profilli 2
2008-02-29 14:17 . 2008-02-29 14:17 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\Uniblue
2008-02-24 23:59 . 2008-02-25 00:00 <DIR> d-------- C:\Documents and Settings\goldy\Application Data\Spyware Terminator
2008-02-20 18:06 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-02-20 18:05 . 2008-02-27 20:47 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-20 16:07 . 2008-02-20 16:03 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-17 22:25 . 2008-02-17 22:25 <DIR> d-------- C:\Documents and Settings\Padministrator\.gimp-2.2
2008-02-17 21:41 . 2008-02-17 21:42 <DIR> d-------- C:\Documents and Settings\Padministrator\Vscans
2008-02-17 18:57 . 2008-02-17 22:36 <DIR> d-------- C:\Documents and Settings\Padministrator\.housecall6.6
2008-02-16 22:35 . 2008-02-16 22:41 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-02-16 10:37 . 2008-02-16 10:37 <DIR> d-------- C:\Documents and Settings\rocket\DoctorWeb
2008-02-15 17:03 . 2008-03-05 10:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-02-15 13:35 . 2007-12-05 00:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-15 13:35 . 2004-01-09 20:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-15 13:35 . 2007-12-04 23:54 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2008-02-15 13:35 . 2007-12-05 01:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-15 13:35 . 2007-12-05 01:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-15 13:35 . 2007-12-05 01:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-15 13:35 . 2007-12-05 01:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-15 13:35 . 2007-12-05 01:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-15 13:34 . 2008-02-15 13:34 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-14 17:50 . 2008-03-07 11:49 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-02-14 14:23 . 2008-02-14 14:23 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Talkback
2008-02-14 14:22 . 2008-02-14 14:23 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Thunderbird
2008-02-14 11:45 . 2008-02-14 11:45 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\OpenOffice.org2
2008-02-14 08:17 . 2008-02-17 23:02 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Spyware Terminator
2008-02-13 19:58 . 2008-03-07 11:47 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-02-13 19:58 . 2008-03-07 11:47 <DIR> d-------- C:\Documents and Settings\rocket\Application Data\Spyware Terminator
2008-02-13 19:58 . 2008-03-05 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-12 15:39 . 2008-02-12 15:39 <DIR> d-------- C:\Documents and Settings\goldy\Application Data\Comodo
2008-02-12 00:14 . 2008-02-12 00:52 <DIR> d-------- C:\Search Indexer
2008-02-10 14:00 . 2008-02-10 14:00 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\ImgBurn
2008-02-10 13:41 . 2008-02-10 13:41 <DIR> d-------- C:\Documents and Settings\Padministrator\Application Data\Comodo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 04:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-06 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-05 01:33 --------- d-----w C:\Documents and Settings\rocket\Application Data\OpenOffice.org2
2008-03-03 09:32 --------- d-----w C:\Documents and Settings\rocket\Application Data\Windows Desktop Search
2008-03-01 03:38 --------- d-----w C:\Program Files\Pro Imaging Powertoys
2008-02-29 12:53 --------- d-----w C:\Documents and Settings\rocket\Application Data\Free Download Manager
2008-02-29 05:12 --------- d-----w C:\Program Files\Comuter maintenance
2008-02-29 03:24 --------- d-----w C:\Documents and Settings\rocket\Application Data\Thunderbird
2008-02-23 13:41 --------- d-----w C:\Documents and Settings\rocket\Application Data\gtk-2.0
2008-02-23 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 01:40 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-23 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 05:04 --------- d-----w C:\Program Files\AutoPatcher
2008-02-19 08:50 --------- d-----w C:\Program Files\Free Download Manager
2008-02-16 11:38 --------- d-----w C:\Program Files\COMODO
2008-02-15 06:24 --------- d-----w C:\Program Files\MSECache
2008-02-13 10:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-12 11:14 --------- d-----w C:\Program Files\LexmarkX73
2008-02-11 00:26 --------- d-----w C:\Program Files\Resources
2008-02-09 08:58 --------- d-----w C:\Program Files\Malicious Software Removal Tool
2008-02-08 12:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 06:46 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-31 06:46 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-30 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-01-22 12:56 --------- d-----w C:\Program Files\Canon
2008-01-18 12:47 --------- d-----w C:\Documents and Settings\rocket\Application Data\CD-LabelPrint
2008-01-09 22:18 --------- d-----w C:\Program Files\Windows Journal Viewer
2008-01-09 22:15 --------- d-----w C:\Program Files\ImgBurn
2008-01-09 22:15 --------- d-----w C:\Program Files\DVD Decrypter
2008-01-08 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\comodo
2008-01-08 11:03 81,272 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-01-08 11:03 23,672 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-01-08 11:03 --------- d-----w C:\Documents and Settings\rocket\Application Data\Comodo
2007-12-31 12:07 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-06-01 03:40 897,024 ----a-w C:\Program Files\PaintDotNet.exe
2007-05-07 14:02 93,746 ----a-w C:\Program Files\PaintDotNet.Strings.3.ZH-CN.resources
2007-05-07 14:02 109,127 ----a-w C:\Program Files\PaintDotNet.Strings.3.JA.resources
2007-05-07 14:02 104,646 ----a-w C:\Program Files\PaintDotNet.Strings.3.FR.resources
2007-05-07 14:02 104,312 ----a-w C:\Program Files\PaintDotNet.Strings.3.KO.resources
2007-05-07 14:02 103,282 ----a-w C:\Program Files\PaintDotNet.Strings.3.DE.resources
2007-05-07 14:02 102,250 ----a-w C:\Program Files\PaintDotNet.Strings.3.ES.resources
2007-05-07 14:02 101,681 ----a-w C:\Program Files\PaintDotNet.Strings.3.PT-BR.resources
2006-12-11 04:24 1,827 ----a-w C:\Program Files\License.txt
2006-11-25 20:05 172,032 ----a-w C:\Program Files\ICSharpCode.SharpZipLib.dll
2005-11-26 14:53 49,152 ----a-w C:\Program Files\Interop.WIA.dll
2007-07-13 01:45 5,884,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-13 01:45 97,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIWatcher"="C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe" [2002-08-02 18:02 598528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2003-04-15 21:55 36864 C:\WINDOWS\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 19:34 53248 C:\WINDOWS\SOUNDMAN.EXE]
"CoolSwitch"="c:\config.msi\from w-syst32\taskswitch.exe" [2007-07-09 21:22 45632]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-05 00:00 79224]
"COMODO Firewall Pro"="C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" [2008-01-08 22:03 1481472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoRecentDocsNetHood"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-01-08 22:03]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-01-08 22:03]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-05 10:04]
R2 ComodoBackupService;ComodoBackupService;C:\Program Files\COMODO\BackUp\CmdBkSvc.exe [2008-02-10 13:25]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-01-26 19:19]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-01-26 19:18]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-01-26 19:16]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-01-26 19:17]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 PORTMON;PORTMON;C:\Documents and Settings\rocket\My Documents\Microsoft Folder\SysinternalsSuite\PORTMSYS.SYS []
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 17:55]
S4 AX;AX;C:\DOCUME~1\rocket\LOCALS~1\Temp\AX.exe []
S4 EFG;EFG;C:\DOCUME~1\rocket\LOCALS~1\Temp\EFG.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-28 22:21:56 C:\WINDOWS\Tasks\System Restore.job"
- C:\WINDOWS\system32\Restore\rstrui.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 15:24:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-07 15:26:07
ComboFix-quarantined-files.txt 2008-03-07 04:26:03
ComboFix2.txt 2008-03-06 23:41:30
ComboFix3.txt 2008-03-05 10:50:18
ComboFix4.txt 2008-03-05 02:17:29
ComboFix5.txt 2008-02-29 06:00:02
.
2007-06-28 23:59:30 --- E O F ---

This happened again.

When starting HijackThis a note said that
Error # 5 Invalid procedure or argument had occurred.
HijackThis then continued.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:59 PM, on 7/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maintenance\Larvasoft\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\config.msi\from w-syst32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdm2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CoolSwitch] c:\config.msi\from w-syst32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KernelFaultCheck.lnk = ?
O4 - Global Startup: PrinTray.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192577012584
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...143/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Maintenance\Larvasoft\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6250 bytes


[KB915865.log]
2.265: ================================================================================
2.265: 2008/03/02 23:35:43.359 (local)
2.265: g:\38f65edc0d77c52ba7\update\update.exe (version 6.2.29.0)
2.265: Hotfix started with following command line: /quiet /norestart /er
5.281: In Function TestVolatileFlag, line 11873, RegOpenKeyEx failed with error 0x2
5.281: In Function TestVolatileFlag, line 11905, RegOpenKeyEx failed with error 0x2
5.281: ---- Old Information In The Registry ------
5.296: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
5.296: Destination:
5.296: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
5.296: Destination:
5.296: ---- New Information In The Registry ------
5.296: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
5.296: Destination:
5.296: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
5.296: Destination:
5.328: SetProductTypes: InfProductBuildType=BuildType.Sel
5.328: SetAltOsLoaderPath: No section uses DirId 65701; done.
5.531: DoInstallation: FetchSourceURL for g:\38f65edc0d77c52ba7\update\update_SP2GDR.inf failed
5.531: CreateUninstall = 0,Directory = C:\WINDOWS\$NtUninstallKB915865$
5.546: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
5.546: BuildCabinetManifest: update.url absent
5.546: Starting AnalyzeComponents
5.546: AnalyzePhaseZero used 0 ticks
5.546: No c:\windows\INF\updtblk.inf file.
5.546: OEM file scan used 0 ticks
5.609: AnalyzePhaseOne: used 63 ticks
5.609: AnalyzeComponents: Hotpatch analysis disabled; skipping.
5.609: AnalyzeComponents: Hotpatching is disabled.
5.609: FindFirstFile c:\windows\$hf_mig$\*.*
6.296: KB915865 Setup encountered an error: The update.ver file is not correct.
6.343: KB915865 Setup encountered an error: The update.ver file is not correct.
6.437: KB915865 Setup encountered an error: The update.ver file is not correct.
6.828: KB915865 Setup encountered an error: The update.ver file is not correct.
6.937: KB915865 Setup encountered an error: The update.ver file is not correct.
7.375: KB915865 Setup encountered an error: The update.ver file is not correct.
7.406: KB915865 Setup encountered an error: The update.ver file is not correct.
7.453: KB915865 Setup encountered an error: The update.ver file is not correct.
7.500: KB915865 Setup encountered an error: The update.ver file is not correct.
7.578: KB915865 Setup encountered an error: The update.ver file is not correct.
7.578: KB915865 Setup encountered an error: The update.ver file is not correct.
7.656: KB915865 Setup encountered an error: The update.ver file is not correct.
7.718: KB915865 Setup encountered an error: The update.ver file is not correct.
7.718: KB915865 Setup encountered an error: The update.ver file is not correct.
7.718: KB915865 Setup encountered an error: The update.ver file is not correct.
7.765: KB915865 Setup encountered an error: The update.ver file is not correct.
7.765: KB915865 Setup encountered an error: The update.ver file is not correct.
7.890: AnalyzeForBranching used 0 ticks.
7.890: AnalyzePhaseTwo used 0 ticks
7.890: AnalyzePhaseThree used 0 ticks
7.890: AnalyzePhaseFive used 0 ticks
7.890: AnalyzePhaseSix used 0 ticks
7.890: AnalyzeComponents used 2344 ticks
7.890: Downloading 0 files
7.890: bPatchMode = FALSE
7.890: Inventory complete: ReturnStatus=0, 2359 ticks
7.890: Num Ticks for invent : 2359
7.937: VerifyTargetFileSize: Unable to verify size as Source = NULL for file c:\windows\inf\HFX5.tmp
7.984: Copied file: c:\windows\inf\branches.inf
13.906: Allocation size of drive C: is 4096 bytes, free space = 9941118976 bytes
13.953: Drive C: free 9480MB req: 5MB w/uninstall 0MB
13.953: CabinetBuild complete
13.953: Num Ticks for Cabinet build : 6063
13.953: DynamicStrings section not defined or empty.
13.953: FileInUse:: Detection disabled.
14.953: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
15.109: PFE2: Not avoiding Per File Exceptions.
16.187: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB915865\update\update_SP2QFE.inf.
16.234: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\spuninst.exe -> c:\windows\$hf_mig$\KB915865\spuninst.exe.
16.234: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\spmsg.dll -> c:\windows\$hf_mig$\KB915865\spmsg.dll.
16.265: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\spcustom.dll -> c:\windows\$hf_mig$\KB915865\update\spcustom.dll.
16.281: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\KB915865.CAT -> c:\windows\$hf_mig$\KB915865\update\KB915865.CAT.
16.296: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\update.exe -> c:\windows\$hf_mig$\KB915865\update\update.exe.
16.328: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\updspapi.dll -> c:\windows\$hf_mig$\KB915865\update\updspapi.dll.
16.343: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\update.ver -> c:\windows\$hf_mig$\KB915865\update\update.ver.
16.359: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\updatebr.inf -> c:\windows\$hf_mig$\KB915865\update\updatebr.inf.
16.375: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\eula.txt -> c:\windows\$hf_mig$\KB915865\update\eula.txt.
16.390: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\38f65edc0d77c52ba7\update\branches.inf -> c:\windows\$hf_mig$\KB915865\update\branches.inf.
16.406: DoInstallation: Installing assemblies with source root path: g:\38f65edc0d77c52ba7\
16.406: Num Ticks for Copying files : 2453
16.406: Num Ticks for Reg update and deleting 0 size files : 0
16.484: ---- Old Information In The Registry ------
16.484: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
16.484: Destination:
16.484: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
16.484: Destination:
16.484: Source:C:\WINDOWS\_000001_.tmp.dll
16.484: Destination:
16.484: ---- New Information In The Registry ------
16.484: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
16.484: Destination:
16.484: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
16.484: Destination:
16.500: Source:C:\WINDOWS\_000001_.tmp.dll
16.500: Destination:
16.500: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
16.562: RebootNecessary = 0,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
1.859: ================================================================================
1.875: 2008/03/03 20:30:17.953 (local)
1.875: g:\7c7b8542e94988b3cc180d5183\update\update.exe (version 6.2.29.0)
1.875: Hotfix started with following command line: /quiet /norestart /er
9.171: In Function TestVolatileFlag, line 11873, RegOpenKeyEx failed with error 0x2
9.171: In Function TestVolatileFlag, line 11905, RegOpenKeyEx failed with error 0x2
9.171: ---- Old Information In The Registry ------
9.187: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
9.187: Destination:
9.187: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
9.187: Destination:
9.187: ---- New Information In The Registry ------
9.187: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
9.187: Destination:
9.187: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
9.187: Destination:
9.218: SetProductTypes: InfProductBuildType=BuildType.Sel
9.218: SetAltOsLoaderPath: No section uses DirId 65701; done.
10.218: DoInstallation: FetchSourceURL for g:\7c7b8542e94988b3cc180d5183\update\update_SP2GDR.inf failed
10.218: CreateUninstall = 0,Directory = C:\WINDOWS\$NtUninstallKB915865$
10.218: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
10.234: BuildCabinetManifest: update.url absent
10.234: Starting AnalyzeComponents
10.234: AnalyzePhaseZero used 0 ticks
10.234: No c:\windows\INF\updtblk.inf file.
10.234: OEM file scan used 0 ticks
10.265: AnalyzePhaseOne: used 31 ticks
10.265: AnalyzeComponents: Hotpatch analysis disabled; skipping.
10.265: AnalyzeComponents: Hotpatching is disabled.
10.265: FindFirstFile c:\windows\$hf_mig$\*.*
11.218: KB915865 Setup encountered an error: The update.ver file is not correct.
11.250: KB915865 Setup encountered an error: The update.ver file is not correct.
11.359: KB915865 Setup encountered an error: The update.ver file is not correct.
11.750: KB915865 Setup encountered an error: The update.ver file is not correct.
11.859: KB915865 Setup encountered an error: The update.ver file is not correct.
12.281: KB915865 Setup encountered an error: The update.ver file is not correct.
12.312: KB915865 Setup encountered an error: The update.ver file is not correct.
12.375: KB915865 Setup encountered an error: The update.ver file is not correct.
12.421: KB915865 Setup encountered an error: The update.ver file is not correct.
12.500: KB915865 Setup encountered an error: The update.ver file is not correct.
12.500: KB915865 Setup encountered an error: The update.ver file is not correct.
12.578: KB915865 Setup encountered an error: The update.ver file is not correct.
12.640: KB915865 Setup encountered an error: The update.ver file is not correct.
12.640: KB915865 Setup encountered an error: The update.ver file is not correct.
12.656: KB915865 Setup encountered an error: The update.ver file is not correct.
12.687: KB915865 Setup encountered an error: The update.ver file is not correct.
12.687: KB915865 Setup encountered an error: The update.ver file is not correct.
12.796: AnalyzeForBranching used 0 ticks.
12.796: AnalyzePhaseTwo used 0 ticks
12.796: AnalyzePhaseThree used 0 ticks
12.796: AnalyzePhaseFive used 0 ticks
12.796: AnalyzePhaseSix used 0 ticks
12.796: AnalyzeComponents used 2562 ticks
12.796: Downloading 0 files
12.796: bPatchMode = FALSE
12.796: Inventory complete: ReturnStatus=0, 2578 ticks
12.796: Num Ticks for invent : 2578
12.843: VerifyTargetFileSize: Unable to verify size as Source = NULL for file c:\windows\inf\HFXB.tmp
15.765: Copied file: c:\windows\inf\branches.inf
21.562: Allocation size of drive C: is 4096 bytes, free space = 9922924544 bytes
21.656: Drive C: free 9463MB req: 5MB w/uninstall 0MB
21.656: CabinetBuild complete
21.656: Num Ticks for Cabinet build : 8860
21.656: DynamicStrings section not defined or empty.
21.656: FileInUse:: Detection disabled.
22.656: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
23.109: PFE2: Not avoiding Per File Exceptions.
26.625: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB915865\update\update_SP2QFE.inf.
27.468: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\spuninst.exe -> c:\windows\$hf_mig$\KB915865\spuninst.exe.
28.140: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\spmsg.dll -> c:\windows\$hf_mig$\KB915865\spmsg.dll.
29.296: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\spcustom.dll -> c:\windows\$hf_mig$\KB915865\update\spcustom.dll.
29.328: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\KB915865.CAT -> c:\windows\$hf_mig$\KB915865\update\KB915865.CAT.
30.078: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\update.exe -> c:\windows\$hf_mig$\KB915865\update\update.exe.
31.093: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\updspapi.dll -> c:\windows\$hf_mig$\KB915865\update\updspapi.dll.
31.109: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\update.ver -> c:\windows\$hf_mig$\KB915865\update\update.ver.
31.140: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\updatebr.inf -> c:\windows\$hf_mig$\KB915865\update\updatebr.inf.
31.156: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\eula.txt -> c:\windows\$hf_mig$\KB915865\update\eula.txt.
31.171: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied g:\7c7b8542e94988b3cc180d5183\update\branches.inf -> c:\windows\$hf_mig$\KB915865\update\branches.inf.
31.187: DoInstallation: Installing assemblies with source root path: g:\7c7b8542e94988b3cc180d5183\
31.187: Num Ticks for Copying files : 9531
31.187: Num Ticks for Reg update and deleting 0 size files : 0
31.218: ---- Old Information In The Registry ------
31.234: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
31.234: Destination:
31.234: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
31.234: Destination:
31.234: Source:C:\WINDOWS\_000001_.tmp.dll
31.234: Destination:
31.234: ---- New Information In The Registry ------
31.234: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
31.234: Destination:
31.234: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
31.234: Destination:
31.234: Source:C:\WINDOWS\_000001_.tmp.dll
31.234: Destination:
31.234: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
31.265: RebootNecessary = 0,WizardInput = 1 , DontReboot = 1, ForceRestart = 0

THIS FILE ALSO REFERS TO G:\

[KB915800.log]
1.140: ================================================================================
1.140: 2008/03/02 23:36:23.937 (local)
1.140: g:\6602c3563b4e9debde65f70b7bd93e\update\update.exe (version 6.2.29.0)
1.156: Hotfix started with following command line: /quiet /norestart /er
29.343: In Function TestVolatileFlag, line 11873, RegOpenKeyEx failed with error 0x2
29.343: In Function TestVolatileFlag, line 11905, RegOpenKeyEx failed with error 0x2
29.343: ---- Old Information In The Registry ------
29.343: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
29.343: Destination:
29.343: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
29.343: Destination:
29.343: Source:C:\WINDOWS\_000001_.tmp.dll
29.343: Destination:
29.343: ---- New Information In The Registry ------
29.343: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
29.343: Destination:
29.343: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
29.343: Destination:
29.343: Source:C:\WINDOWS\_000001_.tmp.dll
29.343: Destination:
29.359: SetProductTypes: InfProductBuildType=BuildType.Sel
29.359: SetAltOsLoaderPath: No section uses DirId 65701; done.
29.453: DoInstallation: FetchSourceURL for g:\6602c3563b4e9debde65f70b7bd93e\update\update_SP2QFE.inf failed
29.453: CreateUninstall = 0,Directory = C:\WINDOWS\$NtUninstallKB915800$
29.453: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
29.453: BuildCabinetManifest: update.url absent
29.453: Starting AnalyzeComponents
29.453: AnalyzePhaseZero used 0 ticks
29.453: No c:\windows\INF\updtblk.inf file.
29.453: OEM file scan used 0 ticks
29.640: AnalyzePhaseOne: used 187 ticks
29.640: AnalyzeComponents: Hotpatch analysis disabled; skipping.
29.640: AnalyzeComponents: Hotpatching is disabled.
29.640: FindFirstFile c:\windows\$hf_mig$\*.*
29.797: KB915800 Setup encountered an error: The update.ver file is not correct.
29.797: KB915800 Setup encountered an error: The update.ver file is not correct.
29.812: KB915800 Setup encountered an error: The update.ver file is not correct.
29.859: KB915800 Setup encountered an error: The update.ver file is not correct.
29.859: KB915800 Setup encountered an error: The update.ver file is not correct.
29.906: KB915800 Setup encountered an error: The update.ver file is not correct.
29.922: KB915800 Setup encountered an error: The update.ver file is not correct.
29.922: KB915800 Setup encountered an error: The update.ver file is not correct.
29.937: KB915800 Setup encountered an error: The update.ver file is not correct.
29.953: KB915800 Setup encountered an error: The update.ver file is not correct.
29.953: KB915800 Setup encountered an error: The update.ver file is not correct.
29.953: KB915800 Setup encountered an error: The update.ver file is not correct.
29.968: KB915800 Setup encountered an error: The update.ver file is not correct.
29.968: KB915800 Setup encountered an error: The update.ver file is not correct.
29.968: KB915800 Setup encountered an error: The update.ver file is not correct.
29.968: KB915800 Setup encountered an error: The update.ver file is not correct.
29.984: KB915800 Setup encountered an error: The update.ver file is not correct.
30.000: AnalyzeForBranching used 0 ticks.
30.000: AnalyzePhaseTwo used 0 ticks
30.000: AnalyzePhaseThree used 0 ticks
30.000: AnalyzePhaseFive used 0 ticks
30.000: AnalyzePhaseSix used 0 ticks
30.000: AnalyzeComponents used 547 ticks
30.000: Downloading 0 files
30.000: bPatchMode = FALSE
30.000: Inventory complete: ReturnStatus=0, 547 ticks
30.000: Num Ticks for invent : 547
30.031: VerifyTargetFileSize: Unable to verify size as Source = NULL for file c:\windows\inf\HFX8.tmp
30.062: Copied file: c:\windows\inf\branches.inf
34.250: Allocation size of drive C: is 4096 bytes, free space = 9940684800 bytes
34.265: Drive C: free 9480MB req: 5MB w/uninstall 0MB
34.265: CabinetBuild complete
34.265: Num Ticks for Cabinet build : 4265
34.265: DynamicStrings section not defined or empty.
34.265: FileInUse:: Detection disabled.
35.265: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
35.343: PFE2: Not avoiding Per File Exceptions.
35.547: DoInstallation: Installing assemblies with source root path: g:\6602c3563b4e9debde65f70b7bd93e\
35.547: Num Ticks for Copying files : 1282
35.547: Num Ticks for Reg update and deleting 0 size files : 0
35.547: DoInstallation: ApplyAdminSystemAclsRecursive for c:\windows\$hf_mig$\KB915800 failed; error=0x00000003
35.547: ---- Old Information In The Registry ------
35.562: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
35.562: Destination:
35.562: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
35.562: Destination:
35.562: Source:C:\WINDOWS\_000001_.tmp.dll
35.562: Destination:
35.562: ---- New Information In The Registry ------
35.562: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
35.562: Destination:
35.562: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
35.562: Destination:
35.562: Source:C:\WINDOWS\_000001_.tmp.dll
35.562: Destination:
35.562: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
35.593: RebootNecessary = 0,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
1.250: ================================================================================
1.266: 2008/03/03 20:31:01.515 (local)
1.266: g:\5cc04a68c8c796a30bda5a22c3\update\update.exe (version 6.2.29.0)
1.266: Hotfix started with following command line: /quiet /norestart /er
5.204: In Function TestVolatileFlag, line 11873, RegOpenKeyEx failed with error 0x2
5.204: In Function TestVolatileFlag, line 11905, RegOpenKeyEx failed with error 0x2
5.204: ---- Old Information In The Registry ------
5.204: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
5.204: Destination:
5.204: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
5.204: Destination:
5.204: Source:C:\WINDOWS\_000001_.tmp.dll
5.204: Destination:
5.204: ---- New Information In The Registry ------
5.204: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
5.204: Destination:
5.204: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
5.204: Destination:
5.219: Source:C:\WINDOWS\_000001_.tmp.dll
5.219: Destination:
5.219: SetProductTypes: InfProductBuildType=BuildType.Sel
5.219: SetAltOsLoaderPath: No section uses DirId 65701; done.
5.407: DoInstallation: FetchSourceURL for g:\5cc04a68c8c796a30bda5a22c3\update\update_SP2QFE.inf failed
5.407: CreateUninstall = 0,Directory = C:\WINDOWS\$NtUninstallKB915800$
5.407: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
5.407: BuildCabinetManifest: update.url absent
5.407: Starting AnalyzeComponents
5.407: AnalyzePhaseZero used 0 ticks
5.407: No c:\windows\INF\updtblk.inf file.
5.407: OEM file scan used 0 ticks
5.579: AnalyzePhaseOne: used 172 ticks
5.579: AnalyzeComponents: Hotpatch analysis disabled; skipping.
5.579: AnalyzeComponents: Hotpatching is disabled.
5.579: FindFirstFile c:\windows\$hf_mig$\*.*
5.735: KB915800 Setup encountered an error: The update.ver file is not correct.
5.750: KB915800 Setup encountered an error: The update.ver file is not correct.
5.766: KB915800 Setup encountered an error: The update.ver file is not correct.
5.813: KB915800 Setup encountered an error: The update.ver file is not correct.
5.829: KB915800 Setup encountered an error: The update.ver file is not correct.
5.875: KB915800 Setup encountered an error: The update.ver file is not correct.
5.891: KB915800 Setup encountered an error: The update.ver file is not correct.
5.907: KB915800 Setup encountered an error: The update.ver file is not correct.
5.907: KB915800 Setup encountered an error: The update.ver file is not correct.
5.922: KB915800 Setup encountered an error: The update.ver file is not correct.
5.922: KB915800 Setup encountered an error: The update.ver file is not correct.
5.938: KB915800 Setup encountered an error: The update.ver file is not correct.
5.954: KB915800 Setup encountered an error: The update.ver file is not correct.
5.954: KB915800 Setup encountered an error: The update.ver file is not correct.
5.954: KB915800 Setup encountered an error: The update.ver file is not correct.
5.954: KB915800 Setup encountered an error: The update.ver file is not correct.
5.969: KB915800 Setup encountered an error: The update.ver file is not correct.
5.985: AnalyzeForBranching used 0 ticks.
5.985: AnalyzePhaseTwo used 0 ticks
5.985: AnalyzePhaseThree used 0 ticks
5.985: AnalyzePhaseFive used 0 ticks
5.985: AnalyzePhaseSix used 0 ticks
5.985: AnalyzeComponents used 578 ticks
5.985: Downloading 0 files
5.985: bPatchMode = FALSE
5.985: Inventory complete: ReturnStatus=0, 578 ticks
5.985: Num Ticks for invent : 578
6.032: VerifyTargetFileSize: Unable to verify size as Source = NULL for file c:\windows\inf\HFXE.tmp
6.610: Copied file: c:\windows\inf\branches.inf
11.032: Allocation size of drive C: is 4096 bytes, free space = 9922408448 bytes
11.032: Drive C: free 9462MB req: 5MB w/uninstall 0MB
11.032: CabinetBuild complete
11.032: Num Ticks for Cabinet build : 5047
11.032: DynamicStrings section not defined or empty.
11.032: FileInUse:: Detection disabled.
12.032: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed: 0xe0000102
12.438: PFE2: Not avoiding Per File Exceptions.
14.547: DoInstallation: Installing assemblies with source root path: g:\5cc04a68c8c796a30bda5a22c3\
14.547: Num Ticks for Copying files : 3515
14.547: Num Ticks for Reg update and deleting 0 size files : 0
14.563: DoInstallation: ApplyAdminSystemAclsRecursive for c:\windows\$hf_mig$\KB915800 failed; error=0x00000003
14.563: ---- Old Information In The Registry ------
14.563: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
14.563: Destination:
14.563: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
14.563: Destination:
14.563: Source:C:\WINDOWS\_000001_.tmp.dll
14.563: Destination:
14.563: ---- New Information In The Registry ------
14.563: Source:C:\DOCUME~1\rocket\LOCALS~1\TEMPOR~1\Content.IE5\index.dat
14.563: Destination:
14.563: Source:C:\DOCUME~1\rocket\LOCALS~1\History\History.IE5\index.dat
14.563: Destination:
14.579: Source:C:\WINDOWS\_000001_.tmp.dll
14.579: Destination:
14.579: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
14.610: RebootNecessary = 0,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
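
The hotfix logs pasted above run to several hundred near-identical lines, and the point of posting them is that they refer to G:\. This Python summariser is an added example (not code from the thread, and not Microsoft's update.exe): it splits such a log into install sessions and reports, per session, the KB number, start time, the drive update.exe ran from, repeated setup errors and any 'failed' lines. The sample log inside it is constructed from line shapes in the posted logs; the second session's source path is made up.

```python
"""Summarise Windows XP hotfix (update.exe) install logs like the KB915865 and
KB915800 logs posted above: per install session, the KB, start time, the drive
update.exe ran from, repeated setup errors and any 'failed' lines.  Added
example, not code from the thread or from Microsoft; SAMPLE_LOG is constructed
from posted line shapes (the second session's source path is made up)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every line in these logs is "<seconds since start>: <message>".
LINE_RE = re.compile(r"^\s*(\d+\.\d+):\s*(.*)$")
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) \(local\)$")
UPDATE_EXE_RE = re.compile(r"^([a-z]:\\.*\\update\.exe) \(version [\d.]+\)$", re.I)
SETUP_ERR_RE = re.compile(r"^(KB\d+) Setup encountered an error: (.+)$")
UNINSTALL_RE = re.compile(r"CreateUninstall = \d+,Directory = (\S+)")
KB_RE = re.compile(r"(KB\d+)", re.I)
RETURN_RE = re.compile(r"Inventory complete: ReturnStatus=(-?\d+)")
FAILED_RE = re.compile(r"\bfailed\b", re.I)


@dataclass
class HotfixSession:
    started: str = ""
    update_exe: str = ""
    source_drive: str = ""       # drive update.exe ran from, e.g. "G:"
    kb: str = ""
    errors: Dict[str, int] = field(default_factory=dict)  # message -> repeat count
    failures: List[str] = field(default_factory=list)     # lines containing 'failed'
    return_status: Optional[int] = None


def parse_hotfix_log(text: str) -> List[HotfixSession]:
    """Split an update.exe log into sessions; each begins with a '====' rule."""
    sessions: List[HotfixSession] = []
    cur: Optional[HotfixSession] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2).strip()
        if msg.startswith("===="):
            cur = HotfixSession()
            sessions.append(cur)
            continue
        if cur is None:          # anything before the first rule is ignored
            continue
        d, u = DATE_RE.match(msg), UPDATE_EXE_RE.match(msg)
        e, un = SETUP_ERR_RE.match(msg), UNINSTALL_RE.search(msg)
        r = RETURN_RE.search(msg)
        if d:
            cur.started = d.group(1)
        elif u:
            cur.update_exe = u.group(1)
            cur.source_drive = u.group(1)[:2].upper()
        elif e:
            cur.kb = cur.kb or e.group(1)
            cur.errors[e.group(2)] = cur.errors.get(e.group(2), 0) + 1
        elif un:
            kb = KB_RE.search(un.group(1))   # $NtUninstallKB915865$ -> KB915865
            if kb and not cur.kb:
                cur.kb = kb.group(1).upper()
        elif r:
            cur.return_status = int(r.group(1))
        elif FAILED_RE.search(msg):
            cur.failures.append(msg)
    return sessions


def sources_by_drive(sessions: List[HotfixSession]) -> Dict[str, List[str]]:
    """Which KBs were installed from which drive (the G: question in the thread)."""
    out: Dict[str, List[str]] = {}
    for s in sessions:
        out.setdefault(s.source_drive or "?", []).append(s.kb or "unknown")
    return out


# Constructed sample: session 1 reuses posted lines, session 2 is made up.
SAMPLE_LOG = r"""
1.859: ================================================================================
1.875: 2008/03/03 20:30:17.953 (local)
1.875: g:\7c7b8542e94988b3cc180d5183\update\update.exe (version 6.2.29.0)
10.218: DoInstallation: FetchSourceURL for g:\7c7b8542e94988b3cc180d5183\update\update_SP2GDR.inf failed
10.218: CreateUninstall = 0,Directory = C:\WINDOWS\$NtUninstallKB915865$
11.218: KB915865 Setup encountered an error: The update.ver file is not correct.
11.250: KB915865 Setup encountered an error: The update.ver file is not correct.
12.796: Inventory complete: ReturnStatus=0, 2578 ticks
1.140: ================================================================================
1.140: 2008/03/02 23:36:23.937 (local)
1.140: c:\constructed_sample\update\update.exe (version 6.2.29.0)
29.453: CreateUninstall = 0,Directory = C:\WINDOWS\$NtUninstallKB915800$
30.000: Inventory complete: ReturnStatus=0, 547 ticks
35.547: DoInstallation: ApplyAdminSystemAclsRecursive for c:\windows\$hf_mig$\KB915800 failed; error=0x00000003
"""
if __name__ == "__main__":
    found = parse_hotfix_log(SAMPLE_LOG)
    for s in found:
        print(s.kb, s.source_drive, s.started, s.return_status, s.errors, s.failures)
    print(sources_by_drive(found))
```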

#9 teacup61

teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 07 March 2008 - 12:46 PM

Hello,

What's on G:\ ? Removable storage, like a flash drive?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#10 PGee

PGee (Topic Starter, Members, 9 posts)

Posted 07 March 2008 - 04:23 PM

Sorry, should have mentioned.
80 Gig hard drive partition with G:\ & I:\

#11 teacup61

teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 07 March 2008 - 07:22 PM

Hello,

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea

#12 PGee

PGee (Topic Starter, Members, 9 posts)

Posted 08 March 2008 - 05:00 AM

The 2 scans.
I have also done a full scan with MBAM with nothing found.
Cheers
PGee

Malwarebytes' Anti-Malware 1.07
Database version: 467

Scan type: Quick Scan
Objects scanned: 27236
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:17 PM, on 8/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maintenance\Larvasoft\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\config.msi\from w-syst32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdm2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CoolSwitch] c:\config.msi\from w-syst32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KernelFaultCheck.lnk = ?
O4 - Global Startup: PrinTray.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: FreshDownload - {82B1A1B8-8FDE-4D7A-BE89-291A1D99E069} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192577012584
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...143/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Maintenance\Larvasoft\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6078 bytes

#13 teacup61

teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 08 March 2008 - 11:26 AM

Hello,

How is it running? Could I please see an uninstall list?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Thanks,
tea

#14 PGee

PGee (Topic Starter, Members, 9 posts)

Posted 08 March 2008 - 04:16 PM

Hello Tea,
Uninstall List.
I have also included a Startup list.
Regards
PGee

avast! Antivirus
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
Free Download Manager 2.5
HijackThis 2.0.2
Hotfix for Windows XP (KB934428-v3)
Hotfix for Windows XP (KB936357-v2)
ImgBurn (Remove Only)
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Windows Script 5.7
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Spyware Terminator
SpywareBlaster v3.5.1
Update for Windows XP (KB896256)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB946501-v2)
Update for Windows XP (KB946627)
VideoLAN VLC media player 0.8.6d
Windows Internet Explorer 7
Windows Media Hotfix - KB895181
Windows Media Player 9 Hotfix - KB892313
Windows PowerShell™ 1.0
Windows XP Hotfix - KB889673




StartupList report, 9/03/2008, 8:07:36 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16608)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maintenance\Larvasoft\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\BackUp\CmdBkSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\config.msi\from w-syst32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[G:\BACKED UP FILES\C Docsw 0807\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
[G:\BACKED UP FILES\C Docsw 0807\Start Menu\Programs\Startup]
*No files*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
KernelFaultCheck.lnk = ?
PrinTray.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VTTimer = VTTimer.exe
SoundMan = SOUNDMAN.EXE
CoolSwitch = c:\config.msi\from w-syst32\taskswitch.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
COMODO Firewall Pro = "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cfp.exe" -s

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

UIWatcher = C:\Program Files\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
mst Defrag = C:\Program Files\Comuter maintenance\mstDefrag.exe /minimize

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /HideWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= C:\WINDOWS\system32\guard32.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: NO!)
.pif: not hidden (arrow overlay: NO!)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: not hidden (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FREEDO~1\iefdm2.dll - {CC59E0F9-7E43-44FA-9FAA-8377850BF205}

--------------------------------------------------

Enumerating Task Scheduler jobs:

System Restore.job

--------------------------------------------------

Enumerating Download Program Files:

[McAfee Wi-FiScan]
CODEBASE = http://download.mcafee.com/molbin/iss-loc/...ScannerCtrl.cab
OSD = C:\WINDOWS\Downloaded Program Files\WscWlanScannerCtrl_cab.osd

[F-Secure Online Scanner 3.1]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windowsupd...b?1192577012584

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/...143/mcfscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: "C:\Program Files\Maintenance\Larvasoft\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
AVG Anti-Rootkit: System32\DRIVERS\avgarkt.sys (system)
Avg Anti-Rootkit Clean Driver: System32\DRIVERS\AvgArCln.sys (system)
AX: C:\DOCUME~1\rocket\LOCALS~1\Temp\AX.exe (disabled)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\rocket\LOCALS~1\Temp\catchme.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COMODO Firewall Pro Helper Service: "C:\Documents and Settings\All Users\Documents\COMODO\Firewall\cmdagent.exe" (autostart)
COMODO Firewall Pro Sandbox Driver: System32\DRIVERS\cmdguard.sys (system)
COMODO Firewall Pro Helper Driver: System32\DRIVERS\cmdhlp.sys (system)
ComodoBackupService: C:\Program Files\COMODO\BackUp\CmdBkSvc.exe (autostart)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EFG: C:\DOCUME~1\rocket\LOCALS~1\Temp\EFG.exe (disabled)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: system32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
Windows CardSpace: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
COMODO Firewall Pro Firewall Driver: System32\DRIVERS\inspect.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lexmark X73 MFP Scanner: System32\Drivers\Lxarscan.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net.Tcp Port Sharing Service: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCASp50 NDIS Protocol Driver: System32\Drivers\PCASp50.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
PORTMON: \??\C:\Documents and Settings\rocket\My Documents\Microsoft Folder\SysinternalsSuite\PORTMSYS.SYS (manual start)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Link-Layer Topology Discovery Responder: system32\DRIVERS\rspndr.sys (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Spyware Terminator Driver 2: \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys (system)
Spyware Terminator Realtime Shield Service: "C:\Program Files\Spyware Terminator\sp_rsser.exe" (autostart)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Still Serial Digital Camera Driver: system32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{09C84527-906B-4D7B-A643-F68BE814A7EC} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TSP: \??\C:\WINDOWS\system32\drivers\klif.sys (manual start)
Microsoft AGPv3.5 Filter: System32\DRIVERS\uagp35.sys (system)
Ulead Burning Helper: C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
User Profile Hive Cleanup: C:\Program Files\UPHClean\uphclean.exe (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: system32\DRIVERS\viaagp1.sys (system)
viagfx: system32\DRIVERS\vtmini.sys (manual start)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WinFast DTV BDA Tuner/Demod Driver: system32\drivers\wfcxdtun.sys (manual start)
WinFast DTV BDA Transport Stream Capture Driver: system32\drivers\wfcxtcap.sys (manual start)
WinFast TV Video Capture Driver: system32\drivers\wfcxvcap.sys (autostart)
WinFast TV Crossbar Driver: system32\drivers\wfcxxbar.sys (manual start)
WFIOCTL: \??\C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Search: %systemroot%\system32\SearchIndexer.exe /Embedding (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck xmnt2002 /bat="C:\WINDOWS\TEMP\PQ_BATCH.PQB" /win="C:\WINDOWS" /dbg="C:\WINDOWS\TEMP\PQ_DEBUG.TXT" /ver=262144 /prd="PartitionMagic"

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 35,764 bytes
Report generated in 0.360 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:14 AM

Posted 08 March 2008 - 04:29 PM

Hello,

Do you know if KB915865.exe is still present? Have you tried to delete it? Tell me what problems you're having today, if any.

thanks
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
