
Google Search Redirects and Occasionally Unable to Login


This topic is locked. 42 replies to this topic.

#1 BPeace (Members, 22 posts)

Posted 30 December 2008 - 10:14 PM

This is my first post. I would appreciate any help that you can provide.

I am unable to login to the machine more than 50% of the time (the login screen never comes up). When it does, I am unable to enter my password unless the following error message appears:

GoogleUpdate.exe - Application Error
The Exception Breakpoint
A breakpoint has been reached.
(0x80000003) occurred in the application at location 0x00406eef

If I am able to login, clicking on any search results in Google and Yahoo will redirect me to another site. Also, I am unable to navigate to some sites (including bleepingcomputer.com - I am posting using another machine)

It appears that the problem started happening about a month ago when TrendMicro Internet Security was unable to navigate to the update site. I shut down the computer until now. I uninstalled TrendMicro and replaced it with Panda Global Protection 2009. The install went smoothly and some infections were cleared up, but the Google Search Redirects remained a problem and Panda was unable to update the virus definitions.

Here are the contents of the DDS log...


DDS (Version 1.1.0) - NTFSx86
Run by bpeace at 20:56:25.34 on Tue 12/30/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.481 [GMT -6:00]

AV: Panda Global Protection 2009 *On-access scanning enabled* (Updated)
FW: Panda Personal Firewall 2009 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2009\WebProxy.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost -k Panda
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE
c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20080827-1548\soffice.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Global Protection 2009\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Global Protection 2009\PavBckPT.exe
C:\Documents and Settings\bpeace\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = %SystemRoot%\blank.htm
uStart Page = hxxp://www.msn.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = %SystemRoot%\blank.htm
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DW4] "c:\program files\the weather channel fw\desktop weather\DesktopWeather.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [SODCPreLoad] c:\program files\ibm\lotus\symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20080827-1548\preload.exe c:\docume~1\bpeace\ibm\lotus\symphony\.sodc\
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [DIGServices] c:\program files\espnruntime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [APVXDWIN] "c:\program files\panda security\panda global protection 2009\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda global protection 2009\Inicio.exe"
StartupFolder: c:\docume~1\bpeace\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\handspring\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imaget~1.lnk - c:\program files\sony corporation\image transfer\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: utexas.edu\community.mccombs
Trusted Zone: utexas.edu\mail.mccombs
Notify: avldr - avldr.dll
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bpeace\applic~1\mozilla\firefox\profiles\22ia36f3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2008-12-30 28544]
R1 APPFLT;App Filter Plugin;\??\c:\windows\system32\drivers\APPFLT.SYS [2008-12-30 73728]
R1 DSAFLT;DSA Filter Plugin;\??\c:\windows\system32\drivers\DSAFLT.SYS [2008-12-30 52992]
R1 FNETMON;NetMon Filter Plugin;\??\c:\windows\system32\drivers\fnetmon.SYS [2008-12-30 22072]
R1 IDSFLT;Ids Filter Plugin;\??\c:\windows\system32\drivers\IDSFLT.SYS [2008-12-30 193792]
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\c:\windows\system32\drivers\NETFLTDI.SYS [2008-12-30 158848]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-12-30 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\c:\windows\system32\drivers\WNMFLT.SYS [2008-12-30 46720]
R2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2008-12-30 84024]
R2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\PavProc.sys [2008-12-30 179640]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys []
R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\drivers\neti1634.sys [2008-12-30 197888]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys []
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2005-6-13 19968]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandag~1\PAVSCRIP.EXE "%1" %*
VBEFile=c:\progra~1\pandas~1\pandag~1\PAVSCRIP.EXE "%1" %*
VBSFile=c:\progra~1\pandas~1\pandag~1\PAVSCRIP.EXE "%1" %*

=============== Created Last 30 ================

2008-12-30 16:28 84,024 a------- c:\windows\system32\drivers\pavdrv51.sys
2008-12-30 16:28 261 a------- c:\windows\system32\PavCPL.dat
2008-12-30 16:28 243,116 a------- c:\windows\system32\drivers\APPFCONT.DAT.bck
2008-12-30 16:28 243,116 a------- c:\windows\system32\drivers\APPFCONT.DAT
2008-12-30 16:28 1,132 a------- c:\windows\system32\drivers\APPFLTR.CFG.bck
2008-12-30 16:28 1,132 a------- c:\windows\system32\drivers\APPFLTR.CFG
2008-12-30 16:27 193,792 a------- c:\windows\system32\drivers\idsflt.sys
2008-12-30 16:27 52,992 a------- c:\windows\system32\drivers\dsaflt.sys
2008-12-30 16:27 46,720 a------- c:\windows\system32\drivers\wnmflt.sys
2008-12-30 16:27 158,848 a------- c:\windows\system32\drivers\NETFLTDI.SYS
2008-12-30 16:27 73,728 a------- c:\windows\system32\drivers\APPFLT.SYS
2008-12-30 16:27 22,072 a------- c:\windows\system32\drivers\fnetmon.sys
2008-12-30 16:27 54,832 a------- c:\windows\system32\pavcpl.cpl
2008-12-30 16:26 193,280 a------- c:\windows\system32\TpUtil.dll
2008-12-30 16:26 55,552 a------- c:\windows\system32\pavipc.dll
2008-12-30 16:26 <DIR> --d----- c:\windows\system32\PAV
2008-12-30 16:25 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-12-30 16:25 179,640 a----r-- c:\windows\system32\drivers\PavProc.sys
2008-12-30 16:25 41,144 a----r-- c:\windows\system32\drivers\ShlDrv51.sys
2008-12-30 16:25 <DIR> --d----- c:\program files\common files\Panda Security
2008-12-30 16:07 2,887,980 a------- c:\documents and settings\bpeace\ComboFix.exe
2008-12-30 15:52 <DIR> --dshr-- C:\cmdcons
2008-12-30 14:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Backup
2008-12-30 14:18 107,568 a------- c:\windows\system32\SYSTOOLS.DLL
2008-12-30 14:18 87,296 a------- c:\windows\system32\PavLspHook.dll
2008-12-30 14:18 520,448 a------- c:\windows\system32\PavSHook.dll
2008-12-30 14:18 197,888 a------- c:\windows\system32\drivers\neti1634.sys
2008-12-30 14:18 58,672 a------- c:\windows\system32\avldr.dll
2008-12-30 14:18 <DIR> --d----- c:\program files\Panda Security
2008-12-30 14:18 <DIR> --d----- c:\docume~1\bpeace\applic~1\Panda Security
2008-12-30 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Panda Security
2008-12-14 15:53 3,412 a------- C:\Bryan B Peace.d06
2008-12-14 15:53 56,908 a------- C:\Bryan Peace 2006 Tax Return.T06
2008-12-14 15:20 118 a------- c:\windows\system32\MRT.INI
2008-12-01 20:32 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2008-12-01 20:32 4,224 a------- c:\windows\system32\drivers\beep.sys

==================== Find3M ====================

2008-12-01 10:35 9,216 a------- c:\windows\brastk.exe
2008-11-10 20:39 10,752 a------- c:\windows\DCEBoot.exe
2008-11-10 20:38 34,304 a------- c:\windows\system32\drivers\svchost.exe
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 04:15 247,326 a------- c:\windows\system32\strmdll.dll
2006-08-25 20:06 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 20:58:39.45 ===============
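The lines a helper reads first in a dump like the one above are the autostart locations (AppInit_DLLs, the Winlogon Notify packages, the Run keys), the firewall exception list and the dated file listings. The script below is an added example written for this editorial pass; it is not a tool from the thread, and at this point in the thread the helper has not yet said anything about these entries. Its rules are the editor's own generic heuristics, stated as assumptions in the code: a non-empty AppInit_DLLs value, a Windows system binary name outside the directory it normally lives in, an .exe inside a drivers directory, any Winlogon notification DLL, and an executable written directly under %windir% within the listing window. It only marks entries for a human to look at and decides nothing about whether they are malicious. The sample lines are copied from the DDS and RSIT logs posted in this thread; `SYSTEM_BINARY_HOMES`, `Finding` and `triage` are names chosen here.

```python
"""Triage heuristics for DDS / RSIT autostart dumps.

Added example for this thread, not a tool the helper used. The rules are the
editor's own generic heuristics (marked as assumptions below); they list
entries for a human to look at and decide nothing about maliciousness.
The sample lines are copied from the logs posted in the thread.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumption: on a stock Windows XP install these binaries live only in the
# directory given here, so a same-named file anywhere else deserves a look.
SYSTEM_BINARY_HOMES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Drive-letter path ending in an executable-type extension. Spaces are
# allowed; the match stops at a quote, '=' or ':' so firewall values split.
PATH_RE = re.compile(r'[a-z]:\\[^"=:\[\]\r\n]+?\.(?:exe|dll|sys|scr)\b', re.I)
# DDS form  AppInit_DLLs: x   and RSIT form  "AppInit_DLLS"="x"
APPINIT_RE = re.compile(r'^(?:AppInit_DLLs:|"AppInit_DLLs"=)\s*"?([^"\r\n]*?)"?\s*$', re.I)
NOTIFY_RE = re.compile(r'^Notify:\s*(\S+)\s+-\s+(.+?)\s*$', re.I)
DATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}')  # DDS created/Find3M rows


@dataclass(frozen=True)
class Finding:
    severity: str  # "flag": strong heuristic; "review": list for a human
    rule: str
    subject: str   # lower-cased path or value the rule fired on
    note: str


def triage(lines):
    """Return unique Findings for the given log lines, in first-seen order."""
    seen, findings = set(), []

    def add(finding):
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            value = m.group(1).strip().lower()
            note = ("AppInit_DLLs is empty on a default install; anything listed "
                    "is mapped into every process that loads user32.dll.")
            if not value.endswith(".dll"):
                note += " The name does not even carry a .dll extension."
            add(Finding("flag", "appinit_dlls", value, note))
        m = NOTIFY_RE.match(line)
        if m:
            add(Finding("review", "winlogon_notify", m.group(2).lower(),
                        f"Winlogon notification package '{m.group(1)}' runs "
                        "inside winlogon.exe as SYSTEM; confirm which product owns it."))
        for path in PATH_RE.findall(line):
            low = path.lower()
            name, parent = ntpath.basename(low), ntpath.dirname(low)
            home = SYSTEM_BINARY_HOMES.get(name)
            if home and parent != home:
                add(Finding("flag", "misplaced_system_binary", low,
                            f"{name} belongs in {home}, not in {parent}."))
            if name.endswith(".exe") and ntpath.basename(parent) == "drivers":
                add(Finding("flag", "exe_in_drivers_dir", low,
                            "A drivers directory holds .sys files; an .exe there needs "
                            "explaining, all the more when it holds a firewall exception."))
            if DATED_RE.match(line) and name.endswith(".exe") and parent == r"c:\windows":
                add(Finding("review", "recent_exe_in_windows_root", low,
                            "Executable written directly under %windir% inside the "
                            "listing window; check its signer and vendor."))
    return findings


# Lines copied from the DDS and RSIT logs posted in this thread.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
Notify: avldr - avldr.dll
AppInit_DLLs: karna.dat
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Enabled:svchost"
2008-11-10 20:38 34,304 a------- c:\windows\system32\drivers\svchost.exe
2008-12-01 10:35 9,216 a------- c:\windows\brastk.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"[{f.severity:6}] {f.rule:28} {f.subject}\n         {f.note}")
```

Paths are lower-cased before comparison and deduplication, so the same file reported in the firewall list and again in the dated listing produces one finding per rule. The Winlogon Notify rule deliberately stays at "review": the RSIT log above shows `avldr.dll` landing in system32 at the same minute as the rest of the Panda installation, which is exactly the ownership check the note asks for.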


#2 Farbar (Security Developer, 21,690 posts, The Netherlands)

Posted 09 January 2009 - 02:07 PM

Hi BPeace,

Welcome to the BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me the current condition of your computer.

  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized).
  • Please copy and paste the content of just log.txt to your reply. No need for info.txt.

    Note 1: If you have difficulty finding the log, it is in this folder: C:\rsit

    Note 2: The tool takes no more than one minute to scan the system.

You might want to save this page to your favorites, so you can find it again when you return.

#3 BPeace (Topic Starter)

Posted 11 January 2009 - 10:25 AM

Thank you for your help, farbar!

Here is the log that you requested...
Logfile of random's system information tool 1.05 (written by random/random)
Run by bpeace at 2009-01-11 09:20:24
Microsoft Windows XP Professional Service Pack 2
System drive C: has 27 GB (18%) free of 149 GB
Total RAM: 1022 MB (42% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Basic clean-up.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1215707775.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{3E13ADAA-8904-49F5-84F8-495BDB40E6D3}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 440384]
{AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - &ESPN - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll [2005-03-30 287744]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-06-17 131072]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-13 122939]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2004-01-07 110592]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-10-12 57344]
"DIGStream"=C:\Program Files\DIGStream\digstream.exe [2005-05-18 282624]
"DIGServices"=C:\Program Files\ESPNRunTime\DIGServices.exe [2005-05-19 101888]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-11 69632]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-10 116040]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-07-22 185896]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064]
"APVXDWIN"=C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE [2008-07-16 857344]
"SCANINICIO"=C:\Program Files\Panda Security\Panda Global Protection 2009\Inicio.exe [2008-07-07 50432]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2006-11-30 4662776]
"DW4"=C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-06-20 1207080]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"SODCPreLoad"=C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20080827-1548\preload.exe [2008-09-13 40960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

C:\Documents and Settings\bpeace\Start Menu\Programs\Startup
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
C:\WINDOWS\system32\avldr.dll [2008-03-18 58672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Linksys\LogViewer\LogViewer.exe"="C:\Program Files\Linksys\LogViewer\LogViewer.exe:*:Enabled:LogViewer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200807242116\jre\bin\expeditorw.exe"="C:\Program Files\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200807242116\jre\bin\expeditorw.exe:*:Enabled:Lotus Expeditor"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======File associations======

.js - open - C:\PROGRA~1\PANDAS~1\PANDAG~1\PAVSCRIP.EXE "%1" %*
.vbs - open - C:\PROGRA~1\PANDAS~1\PANDAG~1\PAVSCRIP.EXE "%1" %*

======List of files/folders created in the last 3 months======

2009-01-11 09:20:24 ----D---- C:\rsit
2009-01-11 09:20:24 ----D---- C:\Program Files\trend micro
2009-01-08 11:54:26 ----D---- C:\Program Files\iolo
2009-01-08 11:51:43 ----A---- C:\WINDOWS\system32\mfc45.dll
2009-01-08 11:51:38 ----D---- C:\Documents and Settings\bpeace\Application Data\iolo
2009-01-08 11:51:38 ----D---- C:\Documents and Settings\All Users\Application Data\iolo
2008-12-30 20:03:24 ----SHD---- C:\WINDOWS\CSC
2008-12-30 16:26:38 ----A---- C:\WINDOWS\system32\TpUtil.dll
2008-12-30 16:26:38 ----A---- C:\WINDOWS\system32\pavipc.dll
2008-12-30 16:26:25 ----D---- C:\WINDOWS\system32\PAV
2008-12-30 16:25:07 ----D---- C:\Program Files\Common Files\Panda Security
2008-12-30 15:53:05 ----ASH---- C:\BOOT.BAK
2008-12-30 15:52:52 ----RSHD---- C:\cmdcons
2008-12-30 14:19:12 ----D---- C:\Documents and Settings\All Users\Application Data\Backup
2008-12-30 14:18:30 ----A---- C:\WINDOWS\system32\SYSTOOLS.DLL
2008-12-30 14:18:30 ----A---- C:\WINDOWS\system32\PavLspHook.dll
2008-12-30 14:18:28 ----A---- C:\WINDOWS\system32\PavSHook.dll
2008-12-30 14:18:18 ----A---- C:\WINDOWS\system32\avldr.dll
2008-12-30 14:18:16 ----D---- C:\Program Files\Panda Security
2008-12-30 14:18:16 ----D---- C:\Documents and Settings\bpeace\Application Data\Panda Security
2008-12-30 14:18:16 ----D---- C:\Documents and Settings\All Users\Application Data\Panda Security
2008-12-14 15:24:14 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-14 15:24:04 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-14 15:20:46 ----A---- C:\WINDOWS\system32\MRT.INI
2008-12-14 15:18:03 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-14 15:17:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-11-12 18:22:04 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 18:21:27 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-12 18:00:53 ----A---- C:\WINDOWS\brastk.exe
2008-11-11 08:26:20 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-10 20:39:43 ----A---- C:\WINDOWS\DCEBoot.exe
2008-10-26 15:59:15 ----D---- C:\spookmaster
2008-10-24 21:17:23 ----D---- C:\WINDOWS\Prefetch
2008-10-24 14:33:07 ----A---- C:\WINDOWS\system32\xpsp2res.dll
2008-10-24 14:33:03 ----A---- C:\WINDOWS\system32\qmgr.dll
2008-10-24 14:30:26 ----A---- C:\WINDOWS\system32\advapi32.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\lsasrv.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\lpdsvc.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\locator.exe
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\localspl.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\lmhsvc.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\kernel32.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\imagehlp.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\ftp.exe
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\format.com
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\dhcpcsvc.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\csrsrv.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\comdlg32.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\comctl32.dll
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\cmd.exe
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\cacls.exe
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\autoconv.exe
2008-10-24 14:30:25 ----A---- C:\WINDOWS\system32\autochk.exe
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\rasdlg.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\rasauto.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\rasapi32.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\printui.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\perfctrs.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\olecnv32.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\oleaut32.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\nwprovau.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\ntvdm.exe
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\ntprint.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\ntlsapi.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\ntdll.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\nslookup.exe
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\msv1_0.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\msgsvc.dll
2008-10-24 14:30:24 ----A---- C:\WINDOWS\system32\mgmtapi.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\syssetup.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\srvsvc.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\smss.exe
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\setupapi.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\sessmgr.exe
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\services.exe
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\schannel.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\scardsvr.exe
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\savedump.exe
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\samsrv.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\samlib.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\rshx32.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\rastapi.dll
2008-10-24 14:30:23 ----A---- C:\WINDOWS\system32\rasman.dll
2008-10-24 14:30:22 ----A---- C:\WINDOWS\system32\wkssvc.dll
2008-10-24 14:30:22 ----A---- C:\WINDOWS\system32\win32spl.dll
2008-10-24 14:30:22 ----A---- C:\WINDOWS\system32\userinit.exe
2008-10-24 14:30:22 ----A---- C:\WINDOWS\system32\untfs.dll
2008-10-24 14:30:22 ----A---- C:\WINDOWS\system32\ulib.dll
2008-10-24 14:30:22 ----A---- C:\WINDOWS\system32\tcpmonui.dll
2008-10-24 14:30:13 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2008-10-24 14:30:13 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2008-10-24 14:30:13 ----A---- C:\WINDOWS\system32\hal.dll
2008-10-24 02:02:17 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-22 02:10:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-22 02:10:41 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-22 02:10:20 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-22 02:07:46 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-22 02:06:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-22 02:02:23 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$

======List of files/folders modified in the last 3 months======

2009-01-11 09:20:24 ----RD---- C:\Program Files
2009-01-11 09:18:16 ----D---- C:\WINDOWS\system32\drivers
2009-01-11 09:18:11 ----D---- C:\WINDOWS\system32\inetsrv
2009-01-11 09:18:06 ----D---- C:\Documents and Settings\All Users\Application Data\DIGStream
2009-01-11 09:16:49 ----D---- C:\WINDOWS\Temp
2009-01-11 09:16:17 ----D---- C:\WINDOWS\system32
2009-01-10 03:16:05 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-09 23:38:54 ----D---- C:\WINDOWS\Registration
2009-01-09 23:29:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-08 14:01:32 ----D---- C:\Program Files\Mozilla Firefox
2009-01-08 09:55:30 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-30 20:03:52 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-30 20:03:31 ----D---- C:\Documents and Settings
2008-12-30 20:03:24 ----D---- C:\WINDOWS
2008-12-30 16:28:06 ----HD---- C:\WINDOWS\inf
2008-12-30 16:27:33 ----SD---- C:\WINDOWS\Tasks
2008-12-30 16:27:10 ----SHD---- C:\WINDOWS\Installer
2008-12-30 16:25:07 ----D---- C:\Program Files\Common Files
2008-12-30 15:53:06 ----RASH---- C:\boot.ini
2008-12-30 15:52:52 ----A---- C:\WINDOWS\UPGRADE.TXT
2008-12-30 15:52:51 ----D---- C:\WINDOWS\setup.pss
2008-12-30 14:23:11 ----A---- C:\WINDOWS\win.ini
2008-12-30 14:18:16 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-30 14:15:52 ----D---- C:\Program Files\Trend Micro1
2008-12-30 13:44:49 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-12-28 15:17:16 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-28 15:16:57 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-14 15:24:19 ----A---- C:\WINDOWS\imsins.BAK
2008-12-14 15:22:23 ----D---- C:\Program Files\Internet Explorer
2008-12-14 15:22:08 ----D---- C:\WINDOWS\ie7updates
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-09 17:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-03 10:59:51 ----D---- C:\Program Files\PokerStars.NET
2008-12-03 10:59:40 ----D---- C:\Program Files\Google
2008-12-03 10:59:23 ----D---- C:\Program Files\TaxCut06
2008-12-03 10:58:50 ----D---- C:\Program Files\GMATPrep
2008-12-03 10:56:43 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-12 18:00:28 ----D---- C:\WINDOWS\security
2008-11-12 17:59:45 ----D---- C:\WINDOWS\system32\Restore
2008-11-11 08:27:06 ----D---- C:\Program Files\Lavasoft
2008-11-11 08:27:05 ----D---- C:\Documents and Settings\bpeace\Application Data\Lavasoft
2008-11-11 08:27:04 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-11 08:25:31 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-10 21:46:30 ----D---- C:\WINDOWS\network diagnostic
2008-11-07 13:28:09 ----D---- C:\WINDOWS\Help
2008-10-25 02:02:27 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-25 02:01:56 ----D---- C:\Program Files\Messenger
2008-10-24 21:44:21 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-10-24 21:16:56 ----D---- C:\WINDOWS\system32\wbem
2008-10-24 21:16:56 ----D---- C:\WINDOWS\AppPatch
2008-10-24 21:16:55 ----D---- C:\WINDOWS\system32\Setup
2008-10-24 21:16:46 ----RSD---- C:\WINDOWS\Fonts
2008-10-24 15:42:16 ----D---- C:\WINDOWS\WinSxS
2008-10-24 15:41:44 ----D---- C:\WINDOWS\system32\usmt
2008-10-24 15:41:34 ----D---- C:\WINDOWS\system32\oobe
2008-10-24 15:41:33 ----D---- C:\WINDOWS\system32\npp
2008-10-24 15:41:22 ----D---- C:\WINDOWS\system32\en-US
2008-10-24 15:37:33 ----D---- C:\WINDOWS\system32\Com
2008-10-24 15:34:26 ----D---- C:\WINDOWS\system
2008-10-24 15:34:26 ----D---- C:\WINDOWS\srchasst
2008-10-24 15:34:24 ----D---- C:\WINDOWS\PeerNet
2008-10-24 15:34:21 ----D---- C:\WINDOWS\mui
2008-10-24 15:34:19 ----D---- C:\WINDOWS\msagent
2008-10-24 15:34:00 ----D---- C:\WINDOWS\ime
2008-10-24 15:33:48 ----D---- C:\Program Files\Windows NT
2008-10-24 15:33:48 ----D---- C:\Program Files\Windows Media Player
2008-10-24 15:33:47 ----D---- C:\Program Files\Outlook Express
2008-10-24 15:33:46 ----D---- C:\Program Files\NetMeeting
2008-10-24 15:33:43 ----D---- C:\Program Files\Movie Maker
2008-10-24 15:33:27 ----D---- C:\Program Files\Common Files\System
2008-10-24 15:32:27 ----D---- C:\WINDOWS\system32\scripting
2008-10-24 15:32:27 ----D---- C:\WINDOWS\system32\en
2008-10-24 15:32:25 ----D---- C:\WINDOWS\system32\bits
2008-10-24 15:31:41 ----D---- C:\WINDOWS\l2schemas
2008-10-24 14:38:24 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-10-24 14:29:21 ----D---- C:\WINDOWS\ehome
2008-10-23 07:01:36 ----A---- C:\WINDOWS\system32\gdi32.dll
2008-10-22 03:47:07 ----A---- C:\WINDOWS\system32\tzchange.exe
2008-10-16 14:38:40 ----A---- C:\WINDOWS\system32\wininet.dll
2008-10-16 14:38:39 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-10-16 14:38:39 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-10-16 14:38:39 ----A---- C:\WINDOWS\system32\url.dll
2008-10-16 14:38:39 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-10-16 14:38:39 ----A---- C:\WINDOWS\system32\occache.dll
2008-10-16 14:38:39 ----A---- C:\WINDOWS\system32\mstime.dll
2008-10-16 14:38:38 ----A---- C:\WINDOWS\system32\msrating.dll
2008-10-16 14:38:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-10-16 14:38:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-10-16 14:38:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-10-16 14:38:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-10-16 14:38:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-10-16 14:38:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2008-10-16 14:38:37 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-16 14:38:35 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2008-10-16 14:38:35 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-10-16 14:38:35 ----A---- C:\WINDOWS\system32\ieaksie.dll
2008-10-16 14:38:35 ----A---- C:\WINDOWS\system32\ieakeng.dll
2008-10-16 14:38:35 ----A---- C:\WINDOWS\system32\icardie.dll
2008-10-16 14:38:35 ----A---- C:\WINDOWS\system32\extmgr.dll
2008-10-16 14:38:34 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-10-16 14:38:34 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-10-16 14:38:34 ----A---- C:\WINDOWS\system32\advpack.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wups2.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:08:58 ----A---- C:\WINDOWS\system32\wups.dll
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\muweb.dll
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-10-16 07:11:09 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-10-16 07:11:09 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2008-10-15 10:57:55 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-15 01:04:53 ----A---- C:\WINDOWS\system32\ieakui.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-07 35840]
R1 APPFLT;App Filter Plugin; \??\C:\WINDOWS\system32\Drivers\APPFLT.SYS []
R1 DSAFLT;DSA Filter Plugin; \??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS []
R1 FNETMON;NetMon Filter Plugin; \??\C:\WINDOWS\system32\Drivers\fnetmon.SYS []
R1 IDSFLT;Ids Filter Plugin; \??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 NETFLTDI;Panda Net Driver [TDI Layer]; \??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS []
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 ShldDrv;Panda File Shield Driver; C:\WINDOWS\System32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 WNMFLT;Wifi Monitor Filter Plugin; \??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS []
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
R2 MASPINT;MASPINT; C:\WINDOWS\system32\drivers\MASPINT.sys [2000-03-29 8096]
R2 PAVDRV;pavdrv; C:\WINDOWS\system32\DRIVERS\pavdrv51.sys [2008-04-28 84024]
R2 PavProc;Panda Process Protection Driver; \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
R3 AvFlt;Antivirus Filter Driver; C:\WINDOWS\system32\drivers\av5flt.sys []
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34; C:\WINDOWS\system32\DRIVERS\neti1634.sys [2008-06-26 197888]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 PavSRK.sys;PavSRK.sys; \??\C:\WINDOWS\system32\PavSRK.sys []
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2001-08-17 19200]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2002-02-15 50960]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2002-03-21 16112]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2002-03-08 22512]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 PavTPK.sys;PavTPK.sys; \??\C:\WINDOWS\system32\PavTPK.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 sonypvs1;Sony Digital Imaging Video2; C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 102220]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-20 12800]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 VisorUsb;Handspring USB; C:\WINDOWS\system32\DRIVERS\VisorUsb.sys [2001-08-30 19968]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2004-01-21 155770]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
R2 Gwmsrv;Panda Goodware Cache Manager; C:\WINDOWS\system32\svchost -k Panda []
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 15872]
R2 ioloFileInfoList;iolo FileInfoList Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-02-26 628584]
R2 ioloProductUpdate;iolo Product Update Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-02-26 628584]
R2 ioloSystemService;iolo System Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-02-26 628584]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
R2 MSSQL$SQLSERVER;MSSQL$SQLSERVER; C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe [2002-12-17 7520337]
R2 MSSQLServerOLAPService;MSSQLServerOLAPService; C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe [2000-08-05 1732667]
R2 Panda Software Controller;Panda Software Controller; C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe [2008-07-16 181504]
R2 PAVFNSVR;Panda Function Service; C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe [2008-07-10 169216]
R2 PavPrSrv;Panda Process Protection Service; C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe [2008-02-04 62768]
R2 PAVSRV;Panda On-Access Anti-Malware Service; C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe [2008-07-04 288512]
R2 PSHost;Panda Host Service; c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE [2008-06-12 226608]
R2 PSIMSVC;Panda IManager Service; C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe [2008-06-19 108288]
R2 PskSvcRetail;Panda PSK service; C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe [2008-06-25 28928]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 15872]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 15872]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-08-25 516096]
S2 gupdate1c8c5975767ec82;Google Update Service (gupdate1c8c5975767ec82); C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
S2 TPSrv;Panda TPSrv; C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe [2008-07-17 157440]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-04 19456]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2002-03-15 81920]
S3 SQLAgent$SQLSERVER;SQLAgent$SQLSERVER; C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe [2002-12-17 311872]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-05 34036]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

#4 Farbar
  • Security Developer
  • 21,690 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 January 2009 - 12:09 PM

Hi again,

Important note: You forgot to give me feedback about my first question. What I need from you is to read the post and the instructions fully and carefully. Do the steps in the order they are written and don't proceed to the next step unless you make sure the previous step is done. If you face any problem, post back before proceeding.
  • Tell me if you have access to another PC we can eventually use to download tools. If you have another computer, you can download SDFix, run it to extract the files, then transfer the C:\SDFix folder to the infected computer and put it on the C: drive. You can also download the Hijackthis installer using another computer. The same goes for mbam-setup.exe.

  • Go to Start > Run, copy/paste the following line into the Run box and click OK.

    sc stop gupdate1c8c5975767ec82
    sc delete gupdate1c8c5975767ec82


  • Open Notepad (Start > Run and type in Notepad); make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    REGEDIT4 
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

    Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Click here to download HijackThis Installer.
    • Save HJTInstall.exe to your Desktop.
    • Double click on the HJTInstall.exe icon to start the installation.
    • When a window pops up asking you the directory to install the program please accept the proposed default directory.
    The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.

  • Please run Hijackthis. Click "Do a system scan and save a logfile", then copy and paste the content of the log into your reply.
Please copy/paste in your next reply:
  • The SDFix log.
  • The log of MBAM.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.
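
Before issuing the sc stop / sc delete commands above, a helper reads the drivers and services listing entry by entry. The Python below is an added example, not code from the thread or from the RSIT tool: it parses that listing format and groups the entries that deserve a second look, namely image files the tool could not stat (the empty "[]"), services hosted in svchost (whose real DLL is named in the registry, not on the log line), and names ending in a long hex run. The sample lines are copied from the log posted above; the groups are review prompts, not verdicts (here the "[]" entries belong to Panda's own drivers, and the hex-tailed name is how Google Update names its own service).

```python
"""Parse the RSIT-style driver/service listing posted earlier in the thread.

Entry format (one per line):
    <R|S><0-4> <name>;<display name>; <image path> [<file date> <file size>]
R/S = running/stopped, 0-4 = start type as in the section header.  An empty
"[]" means the tool could not read a date/size for the image file.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<image>.*?) \[(?:(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+))?\]$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# Service name ending in a run of 12 or more hex digits, e.g. gupdate<hex>.
HEX_TAIL_RE = re.compile(r"[0-9a-f]{12,}$", re.IGNORECASE)


@dataclass
class Entry:
    running: bool
    start: str
    name: str
    display: str
    image: str
    file_date: Optional[str]  # None when the log shows "[]"
    file_size: Optional[int]


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one listing line, or None for headers/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        running=m["state"] == "R",
        start=START_TYPES[int(m["start"])],
        name=m["name"],
        display=m["display"],
        image=m["image"],
        file_date=m["date"],
        file_size=int(m["size"]) if m["size"] else None,
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group service names by the property that makes them worth a second look."""
    findings: Dict[str, List[str]] = {
        "no_file_info": [],    # tool could not stat the image: confirm it exists and is signed
        "svchost_hosted": [],  # real code is the ServiceDll in the registry, not svchost itself
        "hex_tail_name": [],   # generated-looking name: confirm which product created it
    }
    for e in entries:
        if e.file_date is None:
            findings["no_file_info"].append(e.name)
        if "svchost" in e.image.lower():
            findings["svchost_hosted"].append(e.name)
        if HEX_TAIL_RE.search(e.name):
            findings["hex_tail_name"].append(e.name)
    return findings


# Sample input: a constructed excerpt of five lines copied from the listing above.
SAMPLE_LOG = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Gwmsrv;Panda Goodware Cache Manager; C:\WINDOWS\system32\svchost -k Panda []
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 gupdate1c8c5975767ec82;Google Update Service (gupdate1c8c5975767ec82); C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
R1 APPFLT;App Filter Plugin; \??\C:\WINDOWS\system32\Drivers\APPFLT.SYS []
"""

if __name__ == "__main__":
    for key, names in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key:15s} {', '.join(names) or '-'}")
```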


#5 BPeace
  • Topic Starter
  • Members
  • 22 posts

Posted 11 January 2009 - 04:27 PM

Thank you, again, for your help!

I apologize for not giving you feedback in my initial response. I have not made any major changes since my first post - I installed iolo's Drive Scrubber and tried to run Malwarebytes a couple of days ago - I gave up and decided to wait for a response to my post.

Listed below are the results...

1. I have another computer that I have used to download the fixes.
2. The commands ran without any problems.
3. The regfix.reg command executed successfully.
4. I extracted SDFix on another computer and copied it to the infected computer, rebooted in "Safe Mode" and ran RunThis.bat - entered Y. It ran for about 15 minutes, and I rebooted when prompted. After the reboot, I logged into the same account (not in Safe Mode). It has been running for approximately an hour. Should I let it continue or do I need to do something else?

#6 Farbar
  • Security Developer
  • 21,690 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 January 2009 - 04:40 PM

Well, it should not run that long. What do you see?

#7 BPeace
  • Topic Starter
  • Members
  • 22 posts

Posted 11 January 2009 - 04:45 PM

Here is the message in the SDFix application window...

Finishing Malware Check

Please Be Patient As This Part May Take Serveral Minutes...

#8 Farbar
  • Security Developer
  • 21,690 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 January 2009 - 04:53 PM

OK, open Task Manager (Ctrl+Alt+Del) and see under Applications what applications are running or not responding.

See also under Processes what processes are running (they should have more than 0 under CPU usage; note that the System Idle Process should be disregarded).

#9 BPeace
  • Topic Starter
  • Members
  • 22 posts

Posted 11 January 2009 - 05:00 PM

SDFix is the only application running.

The following processes show up in the list intermittently with 1 CPU...

intetinfo.exe
sqlserver.exe
csrss.exe
TPSrv.exe
PavFnSrv.exe
svchost.exe

#10 Farbar
  • Security Developer
  • 21,690 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 January 2009 - 05:05 PM

Disconnect from the internet.
Open Task Manager, right-click sqlserver.exe and select End Process. Tell me how it went.

#11 BPeace
  • Topic Starter
  • Members
  • 22 posts

Posted 11 January 2009 - 05:09 PM

I unplugged my Ethernet cable and ended the process successfully.

#12 Farbar
  • Security Developer
  • 21,690 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 January 2009 - 05:12 PM

Please end these Panda processes too:

TPSrv.exe
PavFnSrv.exe

#13 BPeace
  • Topic Starter
  • Members
  • 22 posts

Posted 11 January 2009 - 05:21 PM

I tried to end TPSrv.exe and received the following error:

The operation could not be completed.

A device attached to the system is not functioning.

I got the same error for PavFnSrv.exe

#14 Farbar
  • Security Developer
  • 21,690 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 January 2009 - 05:28 PM

OK, it is now taking unusually long and there is no process related to SDFix running. Please open Task Manager. Under the Applications tab select SDFix and click End Task.

Then, if no log opens, reboot again. Use Windows Search to find report.txt and post it in your reply.

#15 BPeace
  • Topic Starter
  • Members
  • 22 posts

Posted 11 January 2009 - 05:31 PM

Open Task Manager (Ctrl+Alt+Del), right-click and select End Process to kill any instances of the processes with <processname>.cfexe like sed.cfexe, VFind.cfexe, swreg.cfexe, grep.cfexe.
Do the same with cmd.execf or catchme.cfexe.
End those processes one by one and wait. If Combofix runs, don't end the other named processes even if they are running in the Task Manager.


If nothing helped, close Combofix.
Then go to Start > Run,
copy and paste c:\combofix.txt
and press Enter. If a logfile opens, post its content.

Edited by farbar, 12 January 2009 - 01:35 PM.




