
having google-redirect n other probs


  • This topic is locked
20 replies to this topic

#1 xlredmanlx


  • Members
  • 18 posts

Posted 12 July 2009 - 07:57 PM

Hey,

Links on websites have the address "google-redirect" and it leads me to a different website than what it should be. Also, I was getting globalroot/systemroot/system32 errors with a message saying that this file is not designed to run in Windows programs and I need to contact my administrator or contact the original program provider to install the file. On top of that I get errors saying that my Windows isn't genuine. I followed the steps in the stickied thread and pasted below is the DDS.txt info.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Brian at 20:51:51.32 on Sun 07/12/2009
Internet Explorer: 7.0.6000.16851 BrowserJavaVersion: 1.6.0_05
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.1901 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090712-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\sdra64.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Brian\AppData\Local\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\lxblcoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Users\Brian\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Octoshape Streaming Services] "c:\users\brian\appdata\local\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [autochk] rundll32.exe c:\windows\servic~2\locals~1\protect.dll,_IWMPEvents@16
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000d2.0000025e
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [SymLnch] "c:\program files\common files\symantec shared\symsetup\{c1c185ca-c531-49f5-a6fa-b838405a049d}_15_5_0_23\support\symlnch\symlnch.exe" "c:\progra~1\common~1\symant~1\symsetup\{c1c18~1\Setup.exe" " /X"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\brian\appdata\roaming\microsoft\windows\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\users\brian\appdata\roaming\micros~1\windows\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\users\brian\appdata\roaming\micros~1\windows\startm~1\programs\startup\mlbtvn~1.lnk - c:\users\brian\appdata\local\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://bowwow48.viewmydog.com/cab/Live.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} -
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\brian\appdata\roaming\mozilla\firefox\profiles\p3nxepvv.brian1\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\brian\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_000\npoctoshape.dll
FF - plugin: c:\users\brian\appdata\roaming\mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-7-12 51792]
R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [2006-11-2 22016]
R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe -service --> c:\windows\system32\lxblcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-8 24652]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-8-29 13225]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\drivers\BthAudioHF.sys [2007-8-14 30208]

=============== Created Last 30 ================

2009-07-12 20:40 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-07-12 20:24 320,000 a------- c:\windows\system32\CF9999.exe
2009-07-12 20:21 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-07-12 20:21 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-07-12 20:07 <DIR> --d----- C:\sh4ldr
2009-07-12 20:07 <DIR> --d----- c:\program files\Enigma Software Group
2009-07-12 19:29 200 a------- c:\windows\system32\SBFC.dat
2009-07-12 16:12 94,208 a------- c:\windows\system32\MSSTKPRP.DLL
2009-07-12 16:12 565,760 a------- c:\windows\system32\Msvcp50.dll
2009-07-12 16:12 89,600 a------- c:\windows\system32\MSCAL.OCX
2009-07-12 16:12 306,688 a------- c:\windows\IsUninst.exe
2009-07-12 15:52 <DIR> --d----- c:\programdata\PCPitstop
2009-07-12 15:52 <DIR> --d----- c:\progra~2\PCPitstop
2009-07-12 15:52 <DIR> --d----- c:\program files\PCPitstop
2009-07-12 14:22 283,836,354 a------- c:\windows\MEMORY.DMP
2009-07-12 14:16 <DIR> --d----- c:\programdata\PCSettings
2009-07-12 14:16 <DIR> --d----- c:\progra~2\PCSettings
2009-07-12 14:15 <DIR> --d----- c:\programdata\Norton
2009-07-12 14:15 <DIR> --d----- c:\progra~2\Norton
2009-07-12 14:15 <DIR> --d----- c:\programdata\NortonInstaller
2009-07-12 14:15 <DIR> --d----- c:\progra~2\NortonInstaller
2009-07-12 14:13 <DIR> --d----- c:\programdata\Symantec Temporary Files
2009-07-12 14:13 <DIR> --d----- c:\progra~2\Symantec Temporary Files
2009-07-12 14:12 <DIR> --d----- c:\program files\common files\Logitech
2009-07-11 19:40 93 a------- c:\windows\system32\hjgruitbojixtn.dat
2009-07-11 19:39 18,944 a------- c:\windows\system32\hjgruiipkdehpp.dll
2009-07-11 19:36 23,084 a------- c:\windows\system32\hjgruitxavuppd.dat
2009-07-11 19:36 43,520 a------- c:\windows\system32\hjgruiwomlctsc.dll
2009-07-11 19:36 24,064 a--sh--- c:\users\brian\protect.dll
2009-07-11 19:36 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-07-11 19:35 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-11 19:35 213,024 a------- c:\windows\system32\drivers\str.sys
2009-06-30 16:08 <DIR> --d----- c:\programdata\acccore
2009-06-30 16:08 <DIR> --d----- c:\progra~2\acccore
2009-06-13 13:18 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-13 13:18 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-13 13:18 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-13 13:18 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 13:18 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 13:18 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-13 13:18 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-06-13 13:18 57,856 a------- c:\windows\system32\MSDvbNP.ax

==================== Find3M ====================

2009-07-12 20:41 1,660 a------- c:\windows\bthservsdp.dat
2009-07-12 19:41 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-12 19:41 86,016 a------- c:\windows\inf\infstor.dat
2009-07-12 19:41 51,200 a------- c:\windows\inf\infpub.dat
2009-06-23 23:06 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-04-24 12:22 827,392 a------- c:\windows\system32\wininet.dll
2009-04-24 12:14 56,320 a------- c:\windows\system32\iesetup.dll
2009-04-24 12:14 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 12:14 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-04-24 12:11 72,704 a------- c:\windows\system32\admparse.dll
2009-04-24 09:53 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-24 08:25 48,128 a------- c:\windows\system32\mshtmler.dll
2009-04-23 09:01 788,992 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:56 696,832 a------- c:\windows\system32\localspl.dll
2009-04-21 08:04 2,028,032 a------- c:\windows\system32\win32k.sys
2008-12-11 04:15 174 a--sh--- c:\program files\desktop.ini
2008-06-11 03:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-09 23:29 32 a------- c:\programdata\ezsid.dat
2008-03-09 23:29 32 a------- c:\progra~2\ezsid.dat
2007-09-20 14:49 0 a------- c:\users\brian\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:52:17.08 ===============


#2 xlredmanlx

  • Topic Starter

  • Members
  • 18 posts

Posted 12 July 2009 - 08:31 PM

Another problem I want to add: I get a "Windows software protection" error saying "An unauthorized change was made to Windows. You will no longer receive notifications, including those about your license or activation. Use the link below to find out how to fix your system. Error 0xC004D401. The security processor reported a system file mismatch error."


Hello xlredmanlx,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 13 July 2009 - 04:11 PM.


#3 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 July 2009 - 10:57 PM

Hello xlredmanlx,


Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 xlredmanlx

  • Topic Starter

  • Members
  • 18 posts

Posted 22 July 2009 - 11:37 PM

Thanks for the response. My computer is having problems, so I booted in safe mode. I can try to boot up regular and run HijackThis and post the results. Let me know. Also, I ran Exterminate from PCPitstop and it found these on my computer:

trojan-spy.win32.bot.gen
trojan.fakeavalert
explorer32.hijacker

Hope that helps

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:39 AM, on 7/23/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\sdra64.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Users\Brian\Desktop\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Monopod] C:\Users\Brian\AppData\Local\Temp\b.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000d2.0000025e
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow48.viewmydog.com/cab/Live.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (file missing)
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbl_device - - C:\Windows\system32\lxblcoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10999 bytes

Edited by xlredmanlx, 22 July 2009 - 11:43 PM.
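As an added example (not part of this thread, and not code from the HijackThis or DDS tools), here is a small Python triage script that reads HijackThis-style lines like the ones in the log above and flags the persistence patterns a helper checks for first: an extra executable chained into the Winlogon Userinit value (the sdra64.exe entry here; the same check also accepts the DDS "mWinlogon: Userinit=" form), a Run entry launched from a Temp folder (the Monopod entry), AppInit_DLLs injection (used legitimately here by Kaspersky, so it is a "review" signal rather than a "remove" signal), and a service with an empty vendor field. The sample lines are constructed copies of entries from the log; the category names and the Finding class are my own.

```python
"""Triage HijackThis / DDS autostart lines for common persistence tricks.

Added example for this thread; it is not part of the original post or of
the HijackThis/DDS tools. A hit is a reason to look closer, not a verdict:
AppInit_DLLs, for instance, is used by legitimate security software.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Monopod] C:\Users\Brian\AppData\Local\Temp\b.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: lxbl_device - - C:\Windows\system32\lxblcoms.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str   # hypothetical category names chosen for this example
    detail: str     # the program, DLL or service name that triggered it
    line: str       # the log line it came from


# Matches both "F2 - REG:system.ini: UserInit=..." (HijackThis) and
# "mWinlogon: Userinit=..." (DDS); only the value after '=' is used.
USERINIT_RE = re.compile(r"userinit=(.*)$", re.IGNORECASE)
# O4 - <hive>\..\Run: [<name>] <command line>
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def userinit_extras(value):
    """Return every program in a Userinit chain other than userinit.exe.

    A clean Vista value is a single path ending in \\userinit.exe followed by
    a trailing comma; anything else in the list is started at every logon.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def triage(log_text):
    """Scan log lines and return Findings in the order the lines appear."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = USERINIT_RE.search(line)
        if m:
            for extra in userinit_extras(m.group(1)):
                findings.append(Finding("userinit-chain", extra, line))
            continue

        m = RUN_RE.match(line)
        if m and TEMP_RE.search(m.group("cmd")):
            findings.append(Finding("run-from-temp", m.group("name"), line))
            continue

        if line.startswith("O20 - AppInit_DLLs:"):
            # Everything after the first colon is a comma-separated DLL list;
            # these DLLs are loaded into every process that loads user32.dll.
            dlls = [d.strip() for d in line.split(":", 1)[1].split(",") if d.strip()]
            for dll in dlls:
                findings.append(Finding("appinit-dll", dll, line))
            continue

        # "O23 - Service: <name> - <vendor> - <path>"; an empty vendor field
        # shows up as " - - " and deserves a second look.
        if line.startswith("O23 - Service:") and " - - " in line:
            name = line[len("O23 - Service:"):].split(" - ", 1)[0].strip()
            findings.append(Finding("service-no-vendor", name, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run on the constructed sample it reports sdra64.exe in the Userinit chain, the Monopod entry as run-from-temp, the two Kaspersky AppInit DLLs for review, and lxbl_device as a service without a vendor. Extending the table of patterns (rundll32 loading a DLL from a user profile, for example, as the DDS log's autochk entries do) is a matter of adding another branch to triage.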


#5 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:16 AM

Posted 22 July 2009 - 11:44 PM

Hello there,

You're welcome. :thumbup2:

This is fine for now, but I would ask that you try to run this tool in Normal Mode first. If you can't, then it's all right, in this case, for you to run it in Safe Mode:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log, in normal mode if you can.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to redman.exe and try it again. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 xlredmanlx
  • Topic Starter
  • Members
  • 18 posts

Posted 23 July 2009 - 12:29 AM

OK, I tried to run HijackThis with a regular boot but it didn't work out. I ran ComboFix in Safe Mode. It said there was a presence of rootkit activity and listed 8 files. I wrote them down in case you need them. After listing the files it rebooted into regular mode and did its 50-stage thing. After that it deleted a bunch of files and folders. Then it rebooted again, and while it was creating a log I got a blue screen, and when I rebooted the log file isn't there. It said it would be in C:/combofix.txt but it isn't there. I am still in regular boot, so I ran HijackThis just now and here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:40 AM, on 7/23/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\msb.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Users\Brian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! 工具列 (Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! 工具列 (Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...0000d2.0000025e
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow48.viewmydog.com/cab/Live.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (file missing)
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbl_device - - C:\Windows\system32\lxblcoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10166 bytes

#7 xlredmanlx
  • Topic Starter
  • Members
  • 18 posts

Posted 23 July 2009 - 12:31 AM

Actually, I lied. I had to run combofix.exe as redman.exe. I found a ComboFix.txt in a folder named redman. Below is what's in the .txt file.

ComboFix 09-07-22.03 - Brian 07/23/2009 1:01:35.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.2302 [GMT -4:00]
Running from: C:\Users\Brian\Desktop\redman.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$RECYCLE.BIN\S-1-5-21-2152478756-3922319563-605102323-500
C:\$RECYCLE.BIN\S-1-5-21-4034710983-1027958399-2821828826-500
C:\$RECYCLE.BIN\S-1-5-21-4069864700-1634436031-387971522-500
C:\Windows\msa.exe
C:\Windows\system32\drivers\str.sys
C:\Windows\system32\drivers\UACiraejvldln.sys
C:\Windows\system32\drivers\vsfocejeqxjxld.sys
C:\Windows\system32\hjgruitbojixtn.dat
C:\Windows\system32\hjgruitxavuppd.dat
C:\Windows\system32\lowsec
C:\Windows\system32\lowsec\local.ds
C:\Windows\system32\lowsec\user.ds
C:\Windows\system32\sdra64.exe
C:\Windows\system32\UACbihgfxtjnk.dat
C:\Windows\system32\UACdcnmavgmcy.dll
C:\Windows\system32\UAChkavddufiu.db
C:\Windows\system32\uacinit.dll
C:\Windows\system32\UACjspupcsasw.dll
C:\Windows\system32\UACmainfcvdgm.dll
C:\Windows\system32\UACmmoayepgvh.dll
C:\Windows\system32\UACswtuwvssms.dll
C:\Windows\system32\vsfoceheoikjsc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_vsfocepcownmlp


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-23 05:10:19 . 2009-07-23 05:16:19 0 d-----w- C:\Users\Brian\AppData\Local\temp
2009-07-23 04:01:29 . 2009-07-23 05:14:30 278560 --sha-w- C:\Windows\system32\drivers\fidbox2.dat
2009-07-23 04:01:29 . 2009-07-23 05:13:51 2544672 --sha-w- C:\Windows\system32\drivers\fidbox.dat
2009-07-23 03:57:39 . 2009-07-23 04:21:23 94643 ----a-w- C:\Windows\system32\drivers\klick.dat
2009-07-23 03:57:39 . 2009-07-23 04:21:23 105395 ----a-w- C:\Windows\system32\drivers\klin.dat
2009-07-23 03:55:26 . 2009-07-23 05:14:40 0 d-----w- C:\PROGRA~2\Kaspersky Lab
2009-07-23 03:55:26 . 2009-07-23 03:55:26 0 d-----w- C:\Program Files\Kaspersky Lab
2009-07-23 00:38:06 . 2009-07-23 00:25:19 137728 ----a-w- C:\Windows\msb.exe
2009-07-15 04:12:51 . 2009-06-15 15:29:22 156160 ----a-w- C:\Windows\system32\t2embed.dll
2009-07-15 04:12:51 . 2009-06-15 15:23:49 24064 ----a-w- C:\Windows\system32\lpk.dll
2009-07-15 04:12:51 . 2009-06-15 15:22:30 72704 ----a-w- C:\Windows\system32\fontsub.dll
2009-07-15 04:12:51 . 2009-06-15 15:21:52 10240 ----a-w- C:\Windows\system32\dciman32.dll
2009-07-15 04:12:51 . 2009-06-15 15:20:53 34304 ----a-w- C:\Windows\system32\atmlib.dll
2009-07-15 04:12:51 . 2009-06-15 13:03:44 289792 ----a-w- C:\Windows\system32\atmfd.dll
2009-07-13 00:40:56 . 2009-07-13 00:40:56 0 d-----w- C:\Program Files\Alwil Software
2009-07-13 00:21:21 . 2009-07-13 00:21:21 0 d-----w- C:\PROGRA~2\Kaspersky Lab Setup Files
2009-07-13 00:07:58 . 2009-07-13 00:07:59 0 d-----w- C:\sh4ldr
2009-07-13 00:07:42 . 2009-07-13 00:07:42 0 d-----w- C:\Program Files\Enigma Software Group
2009-07-12 23:29:02 . 2009-07-23 04:26:28 654 ----a-w- C:\Windows\system32\SBFC.dat
2009-07-12 20:12:48 . 1998-06-18 04:00:00 94208 ----a-w- C:\Windows\system32\MSSTKPRP.DLL
2009-07-12 20:12:47 . 1997-01-23 01:26:26 565760 ----a-w- C:\Windows\system32\Msvcp50.dll
2009-07-12 20:12:46 . 1999-07-22 22:14:10 306688 ----a-w- C:\Windows\IsUninst.exe
2009-07-12 19:52:39 . 2009-07-23 04:22:12 0 d-----w- C:\PROGRA~2\PCPitstop
2009-07-12 19:52:24 . 2009-07-12 19:52:25 0 d-----w- C:\Program Files\PCPitstop
2009-07-12 18:16:01 . 2009-07-12 18:16:01 0 d-----w- C:\PROGRA~2\PCSettings
2009-07-12 18:15:58 . 2009-07-12 19:08:33 0 d-----w- C:\PROGRA~2\Norton
2009-07-12 18:15:14 . 2009-07-12 23:38:46 0 d-----w- C:\PROGRA~2\NortonInstaller
2009-07-12 18:13:38 . 2009-07-12 18:13:38 0 d-----w- C:\PROGRA~2\Symantec Temporary Files
2009-07-12 18:12:48 . 2009-07-12 18:12:48 0 d-----w- C:\Program Files\Common Files\Logitech
2009-07-12 18:12:39 . 2009-07-12 18:12:39 0 d-----w- C:\Users\Brian\AppData\Local\Downloaded Installations
2009-06-30 20:08:54 . 2009-06-30 20:08:54 0 d-----w- C:\PROGRA~2\acccore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 05:15:00 . 2009-07-23 04:01:29 22204 --sha-w- C:\Windows\system32\drivers\fidbox.idx
2009-07-23 05:13:38 . 2009-07-23 04:01:29 2032 --sha-w- C:\Windows\system32\drivers\fidbox2.idx
2009-07-23 05:11:44 . 2007-08-29 23:04:02 1660 ----a-w- C:\Windows\bthservsdp.dat
2009-07-23 04:21:24 . 2008-01-29 22:29:38 33808 ----a-w- C:\Windows\system32\drivers\klbg.sys
2009-07-23 03:48:44 . 2008-09-11 19:49:38 0 ----a-w- C:\Windows\system32\drivers\lvuvc.hs
2009-07-23 03:46:02 . 2007-08-30 18:30:29 680 ----a-w- C:\Users\Brian\AppData\Local\d3d9caps.dat
2009-07-23 00:27:40 . 2008-03-07 22:59:13 0 d-----w- C:\Program Files\Microsoft Silverlight
2009-07-22 23:47:11 . 2007-09-01 01:55:08 0 d-----w- C:\PROGRA~2\Google Updater
2009-07-16 01:20:52 . 2007-08-29 20:04:31 93184 ----a-w- C:\Users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-15 12:02:32 . 2006-11-02 11:18:33 0 d-----w- C:\Program Files\Windows Mail
2009-07-15 12:01:52 . 2007-05-07 17:17:14 0 d-----w- C:\PROGRA~2\Microsoft Help
2009-07-15 12:00:07 . 2007-05-07 17:16:38 0 d-----w- C:\Program Files\Microsoft Works
2009-07-14 03:25:11 . 2007-09-24 19:31:58 0 d-----w- C:\Program Files\Key Remapper
2009-07-13 00:37:55 . 2007-05-07 17:26:33 0 d-----w- C:\Program Files\Common Files\Symantec Shared
2009-07-13 00:36:24 . 2008-05-15 20:48:59 0 d-----w- C:\PROGRA~2\Symantec
2009-07-12 19:40:26 . 2008-08-25 21:04:28 0 d-----w- C:\Users\Brian\AppData\Roaming\Symantec
2009-06-30 20:09:11 . 2007-08-29 20:48:29 0 d-----w- C:\Program Files\AIM6
2009-06-30 20:08:56 . 2007-08-29 20:49:39 0 d-----w- C:\PROGRA~2\Viewpoint
2009-06-16 03:05:48 . 2007-09-01 01:55:06 0 d-----w- C:\Program Files\Google
2009-06-16 01:14:47 . 2007-08-29 20:47:53 0 d-----w- C:\PROGRA~2\AOL Downloads
2009-06-14 18:10:06 . 2008-11-29 18:25:41 0 d-----w- C:\Program Files\Common Files\Research In Motion
2009-05-31 23:53:15 . 2008-12-25 04:03:49 256 ----a-w- C:\Windows\system32\pool.bin
2009-05-30 19:23:24 . 2008-01-07 04:36:55 0 d-----w- C:\Program Files\AOD
2009-05-25 22:16:35 . 2009-05-25 22:16:35 26694 ----a-r- C:\Users\Brian\AppData\Roaming\Microsoft\Installer\{8976EE26-04BC-4435-A6F7-42C2B08B08E6}\BlackBerry.exe
2009-04-30 12:52:28 . 2009-06-13 17:18:33 292352 ----a-w- C:\Windows\system32\psisdecd.dll
2009-04-30 12:44:44 . 2009-06-13 17:18:31 1244672 ----a-w- C:\Windows\system32\mcmde.dll
2009-04-30 12:42:03 . 2009-06-13 17:18:34 428032 ----a-w- C:\Windows\system32\EncDec.dll
2009-04-24 16:22:31 . 2009-06-11 09:46:32 827392 ----a-w- C:\Windows\system32\wininet.dll
2009-04-24 16:14:17 . 2009-06-11 09:46:31 56320 ----a-w- C:\Windows\system32\iesetup.dll
2009-04-24 16:14:08 . 2009-06-11 09:46:32 78336 ----a-w- C:\Windows\system32\ieencode.dll
2009-04-24 16:11:56 . 2009-06-11 09:46:32 72704 ----a-w- C:\Windows\system32\admparse.dll
2009-04-24 13:53:27 . 2009-06-11 09:46:31 26624 ----a-w- C:\Windows\system32\ieUnatt.exe
2009-04-24 12:25:41 . 2009-06-11 09:46:31 48128 ----a-w- C:\Windows\system32\mshtmler.dll
2009-07-22 02:51:45 . 2009-02-12 03:26:54 134648 ----a-w- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
2009-04-01 02:47:26 . 2008-05-15 20:56:07 324976 ----a-w- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35:32 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36:04 201728]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2009-05-19 05:23:16 49968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-01 01:55:10 68856]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 15:34:02 5724184]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="C:\Program Files\Internet Explorer\iexplore.exe" [2009-04-24 16:25:27 634648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-23 04:21:24 208616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2007-03-07 18:09:52 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\Windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\Windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=C:\Windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=C:\Windows\pss\MLB.TV NexDef Plug-in.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainlendar2 - Shortcut.lnk]
path=C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainlendar2 - Shortcut.lnk
backup=C:\Windows\pss\Rainlendar2 - Shortcut.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CC30DD4B-197B-47C7-943A-270591DCDD41}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B803FFE0-DC22-4826-9A8A-D4E819E9DB28}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BDBFC9A-E203-4565-BDEF-9C4992728E77}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5DC12EB2-3138-4C44-B6D8-AB833BE89667}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8D1102E8-1E72-4C17-A00F-33668FFCD129}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D27726D2-59C2-47E1-ABB6-0061D2ED489A}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6833F444-B376-4EDA-BF33-04D7A368E9D9}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C62083F6-5FB9-411E-B8A6-4993A243DEB8}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4C7E4FBB-3DD6-4627-89CB-4FD17E42F3E4}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5394BA6A-CCC6-439D-92F9-38E8E03A9128}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{608D6EA8-0B64-4570-B89E-1A582F5C1666}"= UDP:C:\Windows\System32\lxblcoms.exe:Lexmark Communications System
"{3628B914-F9A2-4C22-8CF0-EE9EF1BBB376}"= TCP:C:\Windows\System32\lxblcoms.exe:Lexmark Communications System
"{ECB280F1-D20B-4461-89D3-9DC6795F41D6}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0C48C61C-29CA-48E1-BB83-833C2C230E1B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{FB29E6CC-1969-49CF-B7E7-0002D1842EA8}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{67DF79FA-B083-492C-890D-391AEB2F9597}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{2701DFA3-687D-4122-BA06-FD68B684FBBB}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{98EE7FEB-5DBE-41BF-A87E-5005DE59EBFD}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{B8EEEFD4-F658-4693-A55A-7FF81ABD2B38}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3980DAD0-80DD-4446-89A3-41130CABF410}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E6AA59D4-3A46-4DBB-B8FD-2440D14CF502}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CA7307CE-0783-4C45-98D2-294A412E70D9}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{155EA725-E506-4F30-8A22-754087A768B6}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{CA081EB9-EC2D-4101-A3A4-978263FB0117}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{4E95043B-253B-4E4B-83D2-46C51349CBFF}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{5A1008A2-B69D-43B7-A1F4-A294EC11168D}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{835E1692-D31C-46D5-9F4A-CB6E50706F9E}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{831B932C-8F03-4AB2-96F4-1BAA7366A4C1}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{E7612DA1-1677-45A5-A5E2-CA09B1802607}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{D0BAB7FA-C08C-44C3-A9FB-B851E534DB72}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{715370B3-1FE7-4327-B08D-3D7493DCB984}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{71E32F09-6ACC-4244-A717-2A6B8E9F2496}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{6A61A342-146B-44F2-BB68-C037477E8E1B}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{F766C029-E60B-4D93-BBC1-1B0390278727}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6600B84D-22CF-4BD1-993C-73D8BA2D1AFB}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{3CA0A1F9-6652-4CF9-831B-733AE5B5CEE8}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{47CA0216-6DCF-45F2-8247-ED16F9611371}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{88CBF88A-58E7-4F4A-BD0A-473065736654}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{D9B315B8-13C3-46FF-8A35-28711F516B47}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{E9B8797B-2EB8-4B8A-AD2F-D4E8626B908A}"= UDP:C:\Users\Brian\AppData\Local\Temp\7zS8F17.tmp\SymNRT.exe:Norton Removal Tool
"{0055CDFE-6A2A-4830-9DF0-4523FAD9AF02}"= TCP:C:\Users\Brian\AppData\Local\Temp\7zS8F17.tmp\SymNRT.exe:Norton Removal Tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\Windows\System32\drivers\klbg.sys [1/29/2008 6:29:38 PM 33808]
R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04:54 AM 18088]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [7/9/2008 6:28:26 PM 20496]
R2 HFGService;Handsfree Headset Service;C:\Windows\system32\svchost.exe -k bthaudiosvc [11/2/2006 4:35:16 AM 22016]
R2 lxbl_device;lxbl_device;C:\Windows\system32\lxblcoms.exe -service --> C:\Windows\system32\lxblcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [11/8/2007 1:34:14 AM 24652]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\Windows\System32\drivers\klfltdev.sys [3/13/2008 7:02:46 PM 26640]
R3 Razerlow;Razerlow USB Filter Driver;C:\Windows\System32\drivers\Razerlow.sys [8/29/2007 4:30:25 PM 13225]
S3 BthAudioHF;BthAudioHF Service;C:\Windows\System32\drivers\BthAudioHF.sys [8/14/2007 2:45:00 AM 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthaudiosvc REG_MULTI_SZ HFGService
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://bowwow48.viewmydog.com/cab/Live.cab
FF - ProfilePath - C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\p3nxepvv.Brian1\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: C:\Users\Brian\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: C:\Users\Brian\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 01:16:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsfocepcownmlp]
"imagepath"="\systemroot\system32\drivers\vsfocejeqxjxld.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsfocepcownmlp]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\vsfocejeqxjxld.sys"
.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 July 2009 - 12:46 AM

Nasty old rootkit. :thumbup2: How is it running please? I got your PM and wanted to know before you had to go for the night. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 xlredmanlx

xlredmanlx
  • Topic Starter

  • Members
  • 18 posts

Posted 23 July 2009 - 12:50 AM

Seems to be running fine now. I'm going to run a full system scan with Kaspersky AV overnight. Thanks for the help. I'll post again tomorrow and let you know how it all turns out.

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 July 2009 - 12:57 AM

Okay... I didn't have more than a cursory glance at the logs, so I'll post again when I do. :thumbup2:

tea

#11 xlredmanlx

xlredmanlx
  • Topic Starter

  • Members
  • 18 posts

Posted 23 July 2009 - 07:27 PM

Hey,

So the computer runs well. It's just acting very weird. I have Kaspersky AV and it doesn't start up with Windows or even work if I try to load it manually. I'm thinking of uninstalling it and buying a new AV? Any suggestions? Also, Internet Explorer keeps popping up with advertisements. I use Firefox.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 July 2009 - 09:12 PM

Hello,

Let's do this first, please:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsfocepcownmlp]

Driver::
vsfocejeqxjxld


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

Edited by teacup61, 23 July 2009 - 09:17 PM.


#13 xlredmanlx

xlredmanlx
  • Topic Starter

  • Members
  • 18 posts

Posted 23 July 2009 - 09:52 PM

Hey,

I dragged that file into ComboFix and it ran and rebooted. Here is the log:

ComboFix 09-07-22.03 - Brian 07/23/2009 22:33.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.2056 [GMT -4:00]
Running from: c:\users\Brian\Desktop\redman.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
---- Previous Run -------
.
c:\windows\msa.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACiraejvldln.sys
c:\windows\system32\drivers\vsfocejeqxjxld.sys
c:\windows\system32\hjgruitbojixtn.dat
c:\windows\system32\hjgruitxavuppd.dat
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\UACbihgfxtjnk.dat
c:\windows\system32\UACdcnmavgmcy.dll
c:\windows\system32\UAChkavddufiu.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjspupcsasw.dll
c:\windows\system32\UACmainfcvdgm.dll
c:\windows\system32\UACmmoayepgvh.dll
c:\windows\system32\UACswtuwvssms.dll
c:\windows\system32\vsfoceheoikjsc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_vsfocepcownmlp


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 02:38 . 2009-07-24 02:42 -------- d-----w- c:\users\Brian\AppData\Local\temp
2009-07-24 00:45 . 2009-07-24 02:30 -------- d-----w- c:\users\Brian\.housecall6.6
2009-07-23 10:53 . 2009-07-23 10:53 -------- d-sh--w- C:\found.000
2009-07-23 03:55 . 2009-07-24 00:43 -------- d-----w- c:\progra~2\Kaspersky Lab
2009-07-15 04:12 . 2009-06-15 15:29 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 04:12 . 2009-06-15 15:23 24064 ----a-w- c:\windows\system32\lpk.dll
2009-07-15 04:12 . 2009-06-15 15:22 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 04:12 . 2009-06-15 15:21 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 04:12 . 2009-06-15 15:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-07-15 04:12 . 2009-06-15 13:03 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-13 00:40 . 2009-07-13 00:40 -------- d-----w- c:\program files\Alwil Software
2009-07-13 00:07 . 2009-07-13 00:07 -------- d-----w- C:\sh4ldr
2009-07-13 00:07 . 2009-07-13 00:07 -------- d-----w- c:\program files\Enigma Software Group
2009-07-12 23:29 . 2009-07-23 04:26 654 ----a-w- c:\windows\system32\SBFC.dat
2009-07-12 20:12 . 1998-06-18 04:00 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2009-07-12 20:12 . 1997-01-23 01:26 565760 ----a-w- c:\windows\system32\Msvcp50.dll
2009-07-12 20:12 . 1999-07-22 22:14 306688 ----a-w- c:\windows\IsUninst.exe
2009-07-12 19:52 . 2009-07-24 00:15 -------- d-----w- c:\progra~2\PCPitstop
2009-07-12 19:52 . 2009-07-12 19:52 -------- d-----w- c:\program files\PCPitstop
2009-07-12 18:16 . 2009-07-12 18:16 -------- d-----w- c:\progra~2\PCSettings
2009-07-12 18:15 . 2009-07-12 19:08 -------- d-----w- c:\progra~2\Norton
2009-07-12 18:15 . 2009-07-12 23:38 -------- d-----w- c:\progra~2\NortonInstaller
2009-07-12 18:13 . 2009-07-12 18:13 -------- d-----w- c:\progra~2\Symantec Temporary Files
2009-07-12 18:12 . 2009-07-12 18:12 -------- d-----w- c:\program files\Common Files\Logitech
2009-07-12 18:12 . 2009-07-12 18:12 -------- d-----w- c:\users\Brian\AppData\Local\Downloaded Installations
2009-06-30 20:08 . 2009-06-30 20:08 -------- d-----w- c:\progra~2\acccore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 02:38 . 2007-08-29 23:04 1660 ----a-w- c:\windows\bthservsdp.dat
2009-07-24 00:48 . 2007-09-01 01:55 -------- d-----w- c:\progra~2\Google Updater
2009-07-24 00:41 . 2007-05-07 17:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-24 00:41 . 2008-05-15 20:48 -------- d-----w- c:\progra~2\Symantec
2009-07-24 00:41 . 2008-08-25 21:04 -------- d-----w- c:\users\Brian\AppData\Roaming\Symantec
2009-07-23 03:48 . 2008-09-11 19:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-07-23 03:46 . 2007-08-30 18:30 680 ----a-w- c:\users\Brian\AppData\Local\d3d9caps.dat
2009-07-23 00:27 . 2008-03-07 22:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-16 01:20 . 2007-08-29 20:04 93184 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-15 12:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-15 12:01 . 2007-05-07 17:17 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-15 12:00 . 2007-05-07 17:16 -------- d-----w- c:\program files\Microsoft Works
2009-07-14 03:25 . 2007-09-24 19:31 -------- d-----w- c:\program files\Key Remapper
2009-06-30 20:09 . 2007-08-29 20:48 -------- d-----w- c:\program files\AIM6
2009-06-30 20:08 . 2007-08-29 20:49 -------- d-----w- c:\progra~2\Viewpoint
2009-06-16 03:05 . 2007-09-01 01:55 -------- d-----w- c:\program files\Google
2009-06-16 01:14 . 2007-08-29 20:47 -------- d-----w- c:\progra~2\AOL Downloads
2009-06-14 18:10 . 2008-11-29 18:25 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-05-31 23:53 . 2008-12-25 04:03 256 ----a-w- c:\windows\system32\pool.bin
2009-05-30 19:23 . 2008-01-07 04:36 -------- d-----w- c:\program files\AOD
2009-05-25 22:16 . 2009-05-25 22:16 26694 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{8976EE26-04BC-4435-A6F7-42C2B08B08E6}\BlackBerry.exe
2009-04-30 12:52 . 2009-06-13 17:18 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-30 12:44 . 2009-06-13 17:18 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-04-30 12:42 . 2009-06-13 17:18 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-07-22 02:51 . 2009-02-12 03:26 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-04-01 02:47 . 2008-05-15 20:56 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-23_05.16.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:47 . 2009-07-24 00:48 55234 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-07-24 00:48 89592 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-08-29 19:57 . 2009-07-24 00:48 13876 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4069864700-1634436031-387971522-1000_UserData.bin
- 2007-08-29 19:54 . 2009-07-23 05:15 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-08-29 19:54 . 2009-07-24 00:48 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-08-29 19:54 . 2009-07-24 00:48 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-29 19:54 . 2009-07-23 05:15 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-29 19:54 . 2009-07-23 05:15 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-08-29 19:54 . 2009-07-24 00:48 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-07-23 03:57 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-07-24 00:34 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-07-24 00:34 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-07-23 03:57 51200 c:\windows\inf\infpub.dat
+ 2009-07-24 02:39 . 2009-07-24 02:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-07-23 05:12 . 2009-07-23 05:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-07-23 05:12 . 2009-07-23 05:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-24 02:39 . 2009-07-24 02:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-07-23 05:07 618410 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-07-24 00:52 618410 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-07-23 05:07 103818 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-07-24 00:52 103818 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:25 . 2009-07-24 00:34 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2009-07-23 03:57 143360 c:\windows\inf\infstrng.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-01 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2009-04-24 634648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainlendar2 - Shortcut.lnk]
path=c:\users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainlendar2 - Shortcut.lnk
backup=c:\windows\pss\Rainlendar2 - Shortcut.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CC30DD4B-197B-47C7-943A-270591DCDD41}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B803FFE0-DC22-4826-9A8A-D4E819E9DB28}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5BDBFC9A-E203-4565-BDEF-9C4992728E77}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5DC12EB2-3138-4C44-B6D8-AB833BE89667}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8D1102E8-1E72-4C17-A00F-33668FFCD129}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D27726D2-59C2-47E1-ABB6-0061D2ED489A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6833F444-B376-4EDA-BF33-04D7A368E9D9}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C62083F6-5FB9-411E-B8A6-4993A243DEB8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4C7E4FBB-3DD6-4627-89CB-4FD17E42F3E4}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5394BA6A-CCC6-439D-92F9-38E8E03A9128}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{608D6EA8-0B64-4570-B89E-1A582F5C1666}"= UDP:c:\windows\System32\lxblcoms.exe:Lexmark Communications System
"{3628B914-F9A2-4C22-8CF0-EE9EF1BBB376}"= TCP:c:\windows\System32\lxblcoms.exe:Lexmark Communications System
"{ECB280F1-D20B-4461-89D3-9DC6795F41D6}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0C48C61C-29CA-48E1-BB83-833C2C230E1B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{FB29E6CC-1969-49CF-B7E7-0002D1842EA8}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{67DF79FA-B083-492C-890D-391AEB2F9597}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{2701DFA3-687D-4122-BA06-FD68B684FBBB}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{98EE7FEB-5DBE-41BF-A87E-5005DE59EBFD}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{B8EEEFD4-F658-4693-A55A-7FF81ABD2B38}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3980DAD0-80DD-4446-89A3-41130CABF410}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E6AA59D4-3A46-4DBB-B8FD-2440D14CF502}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CA7307CE-0783-4C45-98D2-294A412E70D9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{155EA725-E506-4F30-8A22-754087A768B6}"= UDP:c:\program files\FrostWire\FrostWire.exe:LimeWire
"{CA081EB9-EC2D-4101-A3A4-978263FB0117}"= TCP:c:\program files\FrostWire\FrostWire.exe:LimeWire
"{4E95043B-253B-4E4B-83D2-46C51349CBFF}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{5A1008A2-B69D-43B7-A1F4-A294EC11168D}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{835E1692-D31C-46D5-9F4A-CB6E50706F9E}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{831B932C-8F03-4AB2-96F4-1BAA7366A4C1}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{E7612DA1-1677-45A5-A5E2-CA09B1802607}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{D0BAB7FA-C08C-44C3-A9FB-B851E534DB72}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{715370B3-1FE7-4327-B08D-3D7493DCB984}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{71E32F09-6ACC-4244-A717-2A6B8E9F2496}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6A61A342-146B-44F2-BB68-C037477E8E1B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F766C029-E60B-4D93-BBC1-1B0390278727}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6600B84D-22CF-4BD1-993C-73D8BA2D1AFB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3CA0A1F9-6652-4CF9-831B-733AE5B5CEE8}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{47CA0216-6DCF-45F2-8247-ED16F9611371}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{88CBF88A-58E7-4F4A-BD0A-473065736654}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{D9B315B8-13C3-46FF-8A35-28711F516B47}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{E9B8797B-2EB8-4B8A-AD2F-D4E8626B908A}"= UDP:c:\users\Brian\AppData\Local\Temp\7zS8F17.tmp\SymNRT.exe:Norton Removal Tool
"{0055CDFE-6A2A-4830-9DF0-4523FAD9AF02}"= TCP:c:\users\Brian\AppData\Local\Temp\7zS8F17.tmp\SymNRT.exe:Norton Removal Tool
"{D7A7357B-3124-46A7-9715-19552251BF7B}"= UDP:c:\users\Brian\AppData\Local\temp\7zS55BD.tmp\SymNRT.exe:Norton Removal Tool
"{3FA55C91-D46C-4D4E-8F2A-C69B78B7304C}"= TCP:c:\users\Brian\AppData\Local\temp\7zS55BD.tmp\SymNRT.exe:Norton Removal Tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [11/2/2006 4:35 AM 22016]
R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe -service --> c:\windows\system32\lxblcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/8/2007 1:34 AM 24652]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\System32\drivers\Razerlow.sys [8/29/2007 4:30 PM 13225]
S3 BthAudioHF;BthAudioHF Service;c:\windows\System32\drivers\BthAudioHF.sys [8/14/2007 2:45 AM 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthaudiosvc REG_MULTI_SZ HFGService
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://bowwow48.viewmydog.com/cab/Live.cab
FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\p3nxepvv.Brian1\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Brian\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\users\Brian\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 22:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8536)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
c:\progra~1\Stardock\OBJECT~1\DESKSC~1\deskscape.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\lxblcoms.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\ehome\ehmsas.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2009-07-24 22:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 02:46

Pre-Run: 254,295,322,624 bytes free
Post-Run: 254,623,961,088 bytes free

317 --- E O F --- 2009-07-22 07:00




I ran hijackthis after and here is that log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:19 PM, on 7/23/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...0000d2.0000025e
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow48.viewmydog.com/cab/Live.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll (file missing)
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbl_device - - C:\Windows\system32\lxblcoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9159 bytes

Now I'm going to DL that program.. thx

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:16 AM

Posted 23 July 2009 - 10:15 PM

Post when you're ready. :thumbup2: How is it running now?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#15 xlredmanlx

xlredmanlx
  • Topic Starter

  • Members
  • 18 posts
  • Local time:02:16 AM

Posted 23 July 2009 - 10:21 PM

I ran malware bytes and it deleted 5 files. It seems to be running better. I used the uninstall programs from these forums to uninstall kaspersky AV and I DLed Avira AntiVir as my anti virus. I'll keep you posted. Hopefully my comp is all better now. I appreciate the help. Thanks again

Edited by xlredmanlx, 23 July 2009 - 10:22 PM.




