
Possible backdoor trojan !!


  • This topic is locked
10 replies to this topic

#1 mute20

mute20

  • Members
  • 116 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 20 August 2009 - 10:32 AM

Recently I was infected with a virus that included "cryptor". I was able to get it removed with MBAM with help from another forum on this site. But every time I scan I pick up more stuff; today I got about 12 worms. I think I might have a backdoor trojan. Here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:33 AM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Malwarebytes' Anti-Malware\winlogon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnVir Task Manager Free] "C:\Program Files\AnVir Task Manager Free\AnVir.exe" Minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{E15D73B4-8E88-4BCA-A90C-81C633482980}: NameServer = 64.59.144.16,64.59.144.17
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11239 bytes
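As an added example for this thread (not code from BleepingComputer, Trend Micro or the poster), here is a small Python triage helper that parses a HijackThis v2 log like the one above into entries and flags the items an analyst normally reviews first: entries HijackThis marks "(no file)" or "(file missing)", running processes whose file name matches a core Windows binary but whose directory is not where that binary lives on a stock XP install, O17 NameServer values to confirm against the ISP's DNS, and O23 services reported as "Unknown owner". The expected-directory table is an assumption for the Windows XP layout seen in the log; the sample input is a constructed subset of the log above. A flag marks a line for manual review, not a verdict about it.

```python
"""Triage helper for Trend Micro HijackThis v2 logs.

Added example for this thread; not BleepingComputer's, Trend Micro's or the
poster's code. It parses a log into entries and flags lines an analyst checks
first. The expected-directory table assumes the Windows XP layout seen in the
log above; the sample input is a constructed subset of that log.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:33 AM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Malwarebytes' Anti-Malware\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E15D73B4-8E88-4BCA-A90C-81C633482980}: NameServer = 64.59.144.16,64.59.144.17
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 11239 bytes
"""

# One HijackThis entry: "<code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# Core Windows binaries and the only directory each runs from on a stock
# Windows XP install (assumption for this example; lower-case for comparison).
CORE_PROCESS_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Entry:
    kind: str  # "process" for the running-process block, else the HJT code (R0, O2, O23, ...)
    body: str  # full process path, or everything after "<code> - "


def parse_hjt(text: str) -> List[Entry]:
    """Turn a HijackThis log into a flat list of entries."""
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            entries.append(Entry("process", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs an analyst should look at first."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.kind == "process":
            # A core system file name running from a non-system directory
            # is reviewed by hand; the path alone does not say what it is.
            directory, _, name = e.body.rpartition("\\")
            expected = CORE_PROCESS_DIRS.get(name.lower())
            if expected and directory.lower() != expected:
                findings.append(("core-name-outside-system-dir", e.body))
            continue
        low = e.body.lower()
        if "(no file)" in low or "(file missing)" in low:
            # Leftover registry references whose target no longer exists.
            findings.append((f"orphaned-{e.kind}", e.body))
        elif e.kind == "O23" and "unknown owner" in low:
            findings.append(("unknown-owner-service", e.body))
        if e.kind == "O17":
            # DNS servers set on an adapter; confirm they belong to the ISP.
            findings.append(("verify-dns", e.body.split("NameServer = ", 1)[-1]))
    return findings


def triage_text(text: str) -> List[Tuple[str, str]]:
    """Parse and triage a log in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for category, detail in triage_text(SAMPLE_LOG):
        print(f"{category:30} {detail}")
```

Run against the constructed sample, the helper reports six lines for review, including the winlogon.exe running from the Malwarebytes folder and the three entries HijackThis already marks as missing; feeding it the full log text posted above works the same way, since the parser keys only on the "Running processes:" header and the "<code> - " prefix.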


#2 mute20

mute20
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 24 August 2009 - 09:39 PM

Help! Whenever I reconnect to the internet my computer seems to be controlled by an outside person who terminates my MBAM and locks SUPERAntiSpyware. I have scanned numerous times with both MBAM and SUPERAntiSpyware, which have not found anything at all. When I disconnect my computer from the internet after having to hard reboot, I can scan without problem.

#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:14 AM

Posted 31 August 2009 - 05:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 mute20

mute20
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 03 September 2009 - 06:59 PM

Reformatted. Posting log.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Compaq_Owner at 17:02:44.81 on Thu 09/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -7:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Defender\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Octoshape Streaming Services] "c:\documents and settings\compaq_owner\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\n167v7g0.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\compaq_owner\application data\mozilla\firefox\profiles\n167v7g0.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\compaq_owner\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\compaq_owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-29 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-29 25160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-8-28 980512]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-8-29 715392]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-09-03 17:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 15:00 <DIR> --d----- c:\windows\system32\xlive
2009-09-02 15:00 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-02 14:57 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-09-02 14:57 <DIR> --d----- c:\windows\Logs
2009-09-01 10:28 35,190 a------- c:\windows\scunin.dat
2009-09-01 10:28 967 a------- c:\windows\ScUnin.pif
2009-09-01 10:28 94,208 a------- c:\windows\ScUnin.exe
2009-09-01 10:26 <DIR> --d----- c:\program files\Starcraft
2009-09-01 07:54 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-31 23:54 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-31 23:53 <DIR> --d----- C:\09f9f2f3388bd9e60e94
2009-08-31 23:53 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-31 23:53 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-31 23:53 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-31 23:53 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-31 23:53 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-31 23:53 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-31 23:53 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-31 22:51 <DIR> --dsh--- c:\documents and settings\compaq_owner\IECompatCache
2009-08-31 16:23 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-31 14:39 <DIR> --d----- c:\program files\uTorrent
2009-08-31 14:38 <DIR> --d----- c:\docume~1\compaq~1\applic~1\uTorrent
2009-08-31 13:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-08-31 11:02 <DIR> --d----- C:\b7cec813d8ba2806246b5f4ee3a745d7
2009-08-31 10:55 268,648 a------- c:\windows\system32\mucltui.dll
2009-08-31 10:55 208,744 a------- c:\windows\system32\muweb.dll
2009-08-31 10:55 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-08-30 21:37 <DIR> --d----- c:\program files\ESET
2009-08-30 16:10 130 a------- c:\windows\cfplogvw.INI
2009-08-30 11:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-08-30 09:32 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-08-30 09:17 <DIR> --d----- c:\program files\World of Warcraft
2009-08-29 16:01 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-08-29 15:26 <DIR> --d----- c:\program files\THQ
2009-08-29 15:25 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-08-29 15:25 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-08-29 15:25 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-08-29 15:20 <DIR> --dsh--- c:\windows\ftpcache
2009-08-29 13:42 <DIR> --d----- C:\temp
2009-08-29 09:37 <DIR> --d----- c:\program files\Steam
2009-08-29 09:05 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-29 09:05 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-29 01:37 <DIR> --d----- c:\docume~1\compaq~1\applic~1\GlarySoft
2009-08-29 01:36 <DIR> --d----- c:\program files\Glary Utilities
2009-08-29 01:31 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-08-29 01:10 <DIR> --d----- c:\program files\iPod
2009-08-29 01:10 <DIR> --d----- c:\program files\iTunes
2009-08-29 01:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-29 01:09 <DIR> --d----- c:\program files\Bonjour
2009-08-29 00:58 <DIR> --d----- c:\program files\Siber Systems
2009-08-29 00:41 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Octoshape
2009-08-29 00:25 <DIR> --d----- c:\program files\CCleaner
2009-08-29 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-08-29 00:05 179,792 a------- c:\windows\system32\guard32.dll
2009-08-29 00:05 132,168 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-29 00:05 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-08-29 00:04 <DIR> --d----- c:\program files\COMODO
2009-08-28 23:57 <DIR> --d----- c:\program files\IObit
2009-08-28 23:57 <DIR> --d----- c:\docume~1\compaq~1\applic~1\IObit
2009-08-28 23:50 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-08-28 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2009-08-28 23:49 485,920 a------- c:\windows\system32\nvudisp.exe
2009-08-28 23:49 19,495 a------- c:\windows\system32\nvdisp.nvu
2009-08-28 23:49 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-08-28 23:49 <DIR> --d----- C:\NVIDIA
2009-08-28 23:40 <DIR> --d----- c:\windows\system32\scripting
2009-08-28 23:40 <DIR> --d----- c:\windows\system32\en
2009-08-28 23:40 <DIR> --d----- c:\windows\system32\bits
2009-08-28 23:40 <DIR> --d----- c:\windows\l2schemas
2009-08-28 23:37 <DIR> --d----- c:\windows\network diagnostic
2009-08-28 23:34 <DIR> --d----- c:\windows\EHome
2009-08-28 23:28 180,360 -------- c:\windows\system32\drivers\ntmtlfax.sys
2009-08-28 23:27 44,928 -------- c:\windows\system32\drivers\agpcpq.sys
2009-08-28 23:27 42,368 -------- c:\windows\system32\drivers\agp440.sys
2009-08-28 23:27 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2009-08-28 23:27 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2009-08-28 23:27 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2009-08-28 23:27 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2009-08-28 23:27 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2009-08-28 23:27 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2009-08-28 23:27 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2009-08-28 23:27 136,192 -------- c:\windows\system32\aaclient.dll
2009-08-28 23:06 <DIR> --d----- c:\program files\a-squared Free
2009-08-28 22:41 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-08-28 22:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 22:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-28 22:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-28 22:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 22:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-28 22:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-28 22:35 <DIR> --d----- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2009-08-28 22:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-28 22:33 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-28 22:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-08-28 22:26 <DIR> --d----- c:\docume~1\compaq~1\applic~1\AVGTOOLBAR
2009-08-28 22:25 <DIR> --d----- c:\program files\AVG
2009-08-28 22:08 <DIR> --dsh--- c:\documents and settings\compaq_owner\PrivacIE
2009-08-28 22:07 <DIR> --dsh--- c:\documents and settings\compaq_owner\IETldCache
2009-08-28 22:03 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-08-28 22:03 <DIR> --d----- c:\windows\ie8updates
2009-08-28 22:03 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-08-28 22:03 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-28 22:03 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-08-28 22:03 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-08-28 22:03 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-08-28 22:03 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-08-28 22:02 <DIR> -cd-h--- c:\windows\ie8
2009-08-28 21:59 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-28 21:56 <DIR> --d----- c:\program files\MSXML 4.0
2009-08-28 21:40 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-08-28 21:40 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-08-28 21:37 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-08-28 21:37 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-08-28 21:37 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-08-28 21:37 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-08-28 21:37 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-08-28 21:37 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-08-28 21:37 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-08-28 21:37 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-08-28 21:37 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-08-28 21:37 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-28 21:37 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-28 21:37 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-28 21:35 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-08-28 21:35 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-08-28 21:35 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-08-28 21:35 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-28 21:35 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-08-28 21:33 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-08-28 21:33 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-28 21:33 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-08-28 21:30 <DIR> --dshr-- C:\cmdcons
2009-08-28 21:30 <DIR> --d----- c:\windows\setup.pss
2009-08-28 21:28 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-28 21:26 <DIR> --dsh--- c:\documents and settings\compaq_owner\UserData
2009-08-28 21:25 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-28 21:12 <DIR> --d----- c:\program files\Microsoft
2009-08-28 21:12 221,184 a------- c:\windows\system32\wmpns.dll
2009-08-28 21:12 1,787 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EG646AA-ABA SR1614X NA540_YC_0Pres_QMXF544_E54NAheRED4_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.10_T051014_WXH2_L409_M1023_J200_7AMD_8Athlon 64_92.19_#090829_N10EC8139_Z_G.MRK
2009-08-28 21:10 <DIR> --d----- c:\documents and settings\compaq_owner\WINDOWS
2009-08-28 21:10 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Symantec
2009-08-28 21:10 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Intuit
2009-08-28 21:10 <DIR> --d----- c:\documents and settings\Compaq_Owner
2009-08-28 21:07 179 a------- c:\windows\system\hpsysdrv.DAT
2009-08-28 20:43 61 a------- c:\windows\smscfg.ini
2009-08-28 20:43 333 a------- c:\windows\system32\$ncsp$.inf
2009-08-28 20:43 5,376 a------- c:\windows\system32\drivers\viaide.sys
2009-08-28 20:43 5,504 a------- c:\windows\system32\drivers\intelide.sys
2009-08-28 20:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-08-28 20:32 <DIR> --d----- c:\program files\Symantec
2009-08-28 20:27 <DIR> --d----- c:\program files\Easy Internet signup
2009-08-28 20:26 2,238 a------- c:\windows\system32\doc.ico
2009-08-28 20:26 <DIR> --d----- c:\program files\PC-Doctor for DOS
2009-08-28 20:23 118,842 a----r-- c:\windows\HPCPCUninstaller-6.3.2.116-5577497.exe
2009-08-28 20:23 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-28 20:22 140,488 a------- c:\windows\system32\comdlg32.ocx
2009-08-28 20:22 <DIR> a-d----- c:\windows\system32\pcintro
2009-08-28 20:22 12,967 a------- c:\windows\system32\CHODDI.SYS
2009-08-28 20:22 19,736 a------- c:\windows\system32\oemlogo.bmp
2009-08-28 20:22 40,960 a------- c:\windows\system32\omano.dll
2009-08-28 20:22 45,056 a------- c:\windows\system32\hpreg.dll
2009-08-28 20:20 <DIR> --d----- c:\program files\Quicken
2009-08-28 20:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2009-08-28 20:18 122,880 a------- c:\windows\system32\ShellvRTF.dll
2009-08-28 20:18 <DIR> --d----- c:\windows\CREATOR
2009-08-28 20:17 <DIR> --d----- c:\windows\Downloaded Installations
2009-08-28 20:17 376 a------- c:\windows\ODBC.INI
2009-08-28 20:17 28,040 a------- c:\windows\system32\mdimon.dll
2009-08-28 20:16 <DIR> --d----- c:\program files\common files\L&H
2009-08-28 20:16 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-08-28 20:16 <DIR> --d----- c:\windows\SHELLNEW
2009-08-28 20:11 <DIR> --d----- c:\program files\common files\TiVo Shared
2009-08-28 20:08 <DIR> --d----- c:\program files\WildTangent
2009-08-28 20:07 56 a------- c:\windows\WININIT.INI
2009-08-28 20:07 <DIR> --d----- c:\program files\Sonic
2009-08-28 20:07 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-08-28 20:07 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-08-28 20:06 <DIR> --d----- c:\program files\common files\xing shared
2009-08-28 20:06 <DIR> --d----- c:\program files\common files\Real
2009-08-28 20:06 <DIR> --d----- c:\program files\MSN Encarta Standard
2009-08-28 20:04 90,112 a------- c:\windows\system32\ps2.EXE
2009-08-28 20:04 45,056 a------- c:\windows\system32\RUNCLOSE.OCX
2009-08-28 20:04 90,112 a------- c:\windows\system32\ps2.bat
2009-08-28 20:04 26,624 a------- c:\windows\system32\drivers\PS2.sys
2009-08-28 20:04 <DIR> --d----- c:\windows\system32\FxsTmp
2009-08-28 20:02 36,352 a------- c:\windows\system32\drivers\AmdK8.sys
2009-08-28 19:59 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-08-28 19:57 <DIR> --d-h--- c:\windows\$hf_mig$
2009-08-28 19:57 52,736 a------- c:\windows\system\hpsysdrv.exe
2009-08-28 19:54 <DIR> --d----- c:\windows\RegisteredPackages
2009-08-28 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2009-08-28 19:52 203,055 a------- c:\windows\orun32.isu
2009-08-28 19:52 780 a------- c:\windows\orun32.ini
2009-08-28 19:52 306,688 a------- c:\windows\IsUninst.exe
2009-08-28 19:50 <DIR> --d----- c:\windows\system32\URTTemp
2009-08-28 19:38 12,928 a------- c:\windows\system32\drivers\Dot4Prt.sys
2009-08-28 19:38 12,928 a------- c:\windows\system32\dllcache\dot4prt.sys
2009-08-28 19:38 206,976 a------- c:\windows\system32\drivers\dot4.sys
2009-08-28 19:38 23,808 a------- c:\windows\system32\drivers\Dot4usb.sys
2009-08-28 19:38 23,808 a------- c:\windows\system32\dllcache\dot4usb.sys
2009-08-28 19:34 <DIR> --d----- c:\windows\I386
2009-08-28 19:18 599,040 a------- c:\windows\system32\crypt32.dll
2009-08-28 19:18 512,512 a------- c:\windows\system32\cryptui.dll
2009-08-28 19:18 163,840 a------- c:\windows\system32\credui.dll
2009-08-28 19:18 149,019 a------- c:\windows\system32\dllcache\crtdll.dll
2009-08-28 19:18 149,019 a------- c:\windows\system32\crtdll.dll
2009-08-28 19:18 74,752 a------- c:\windows\system32\cryptdlg.dll
2009-08-28 19:18 64,512 a------- c:\windows\system32\cryptnet.dll
2009-08-28 19:18 62,464 a------- c:\windows\system32\cryptsvc.dll
2009-08-28 19:18 53,760 a------- c:\windows\system32\cryptext.dll
2009-08-28 19:18 33,280 a------- c:\windows\system32\cryptdll.dll
2009-08-28 19:18 18,944 a------- c:\windows\system32\dllcache\cprofile.exe
2009-08-28 17:56 338,432 a------- c:\windows\system32\zipfldr.dll
2009-08-28 17:55 354,304 a------- c:\windows\system32\winhttp.dll
2009-08-28 17:53 990,208 a------- c:\windows\system32\syssetup.dll
2009-08-28 17:52 401,408 a------- c:\windows\system32\rpcss.dll
2009-08-28 17:51 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-08-28 17:49 527,360 a------- c:\windows\system32\drmv2clt.dll
2009-08-28 17:48 1,504,256 a------- c:\windows\system32\diskcopy.dll
2009-08-17 00:57 10,457,088 a------- c:\windows\system32\nvoglnt.dll
2009-08-17 00:57 2,189,856 a------- c:\windows\system32\nvcuvid.dll
2009-08-17 00:57 2,002,944 a------- c:\windows\system32\nvcuda.dll
2009-08-17 00:57 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-08-17 00:57 1,597,690 a------- c:\windows\system32\nvdata.bin
2009-08-17 00:57 868,352 a------- c:\windows\system32\nvapi.dll
2009-08-17 00:57 155,648 a------- c:\windows\system32\nvcodins.dll
2009-08-17 00:57 155,648 a------- c:\windows\system32\nvcod.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-28 23:42 81,867 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-28 23:42 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-08-28 23:42 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-08-28 23:42 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-08-28 23:42 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-08-28 23:42 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-08-28 23:42 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-08-28 23:42 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-08-28 23:42 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-08-17 00:57 7,729,568 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 00:57 5,845,760 a------- c:\windows\system32\nv4_disp.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 01:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 01:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 01:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 01:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 04:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll

============= FINISH: 17:03:30.10 ===============

Edited by mute20, 03 September 2009 - 07:05 PM.
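A small triage helper for the kind of listing posted above, added here as an example and not part of the thread, of ComboFix, or of any tool the helpers asked for. It parses lines in the format shown (date, time, size or `<DIR>`, eight-character attribute field, path), pairs each file under system32 with the Windows File Protection copy of the same name in system32\dllcache, and reports size mismatches plus any file under system32 carrying the hidden or system attribute. All sample lines but the last are taken from the log in this thread (the HP marker file name is abbreviated); the live netapi32.dll entry is constructed for the example, since the log lists only the dllcache copy.

```python
r"""Triage a ComboFix-style file listing (the 'Files Created' / 'Find3M'
sections of the log above).  Each line has the shape

    2009-08-28 17:52 401,408 a------- c:\windows\system32\rpcss.dll

Windows File Protection keeps a pristine copy of every protected file in
system32\dllcache, so a live file whose size differs from its dllcache twin
deserves a closer look: patching a system DLL or driver in place is a
classic backdoor persistence technique on XP.  A size match proves nothing;
only a hash or Authenticode check does.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Sample input.  All lines but the last are copied from the log in this
# thread (the HP marker file name is abbreviated).  The last line is
# CONSTRUCTED for this example: the thread's log lists only the dllcache
# copy of netapi32.dll, so a live copy with a different size is invented
# to give the size comparison something to report.
SAMPLE = r"""
2009-08-28 17:52 401,408 a------- c:\windows\system32\rpcss.dll
2009-08-28 21:37 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-08-28 19:18 149,019 a------- c:\windows\system32\crtdll.dll
2009-08-28 19:18 149,019 a------- c:\windows\system32\dllcache\crtdll.dll
2009-08-28 21:40 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-08-28 21:40 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-08-28 21:12 1,787 a--shr-- c:\windows\system32\drivers\103C_HP_CPC.MRK
2009-08-31 22:51 <DIR> --dsh--- c:\documents and settings\compaq_owner\IECompatCache
2009-08-28 21:33 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-08-28 17:50 338,944 a------- c:\windows\system32\netapi32.dll
"""


def parse_listing(text):
    """Return one dict per parsable line; directories get size None."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, '==== Find3M ====' separators
        size = None if m["size"].upper() == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "date": m["date"],
            "time": m["time"],
            "size": size,
            "attrs": m["attrs"].lower(),
            "path": m["path"].lower(),   # NTFS paths are case-insensitive
        })
    return entries


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def dllcache_mismatches(entries):
    """Pair each file under system32 (any depth, drivers included) with
    system32/dllcache/<same name> and return (name, live_size, cache_size)
    for every pair whose sizes differ."""
    pairs = defaultdict(dict)
    for e in entries:
        if e["size"] is None:
            continue
        if "\\system32\\dllcache\\" in e["path"]:
            pairs[_basename(e["path"])]["cache"] = e["size"]
        elif "\\system32\\" in e["path"]:
            pairs[_basename(e["path"])]["live"] = e["size"]
    return [
        (name, p["live"], p["cache"])
        for name, p in sorted(pairs.items())
        if "live" in p and "cache" in p and p["live"] != p["cache"]
    ]


def hidden_or_system_files(entries):
    """Files (not directories) under system32 with the hidden or system
    attribute set.  Legitimate OEM files trip this too, so it is a review
    queue, not a verdict."""
    return [
        e["path"] for e in entries
        if e["size"] is not None
        and "\\system32\\" in e["path"]
        and ("h" in e["attrs"] or "s" in e["attrs"])
    ]


if __name__ == "__main__":
    found = parse_listing(SAMPLE)
    for name, live, cache in dllcache_mismatches(found):
        print(f"SIZE MISMATCH {name}: live {live:,} bytes vs dllcache {cache:,} bytes")
    for path in hidden_or_system_files(found):
        print(f"HIDDEN/SYSTEM {path}")
```

Run against the sample it flags the constructed netapi32.dll pair and the HP .MRK file; the latter is an OEM marker and a false positive, which is exactly why the output is a list to review rather than a verdict. On a real box the next step is a hash or Authenticode check of each flagged file (sigcheck, or comparing against a known-good copy), because a well-made patch keeps the original size, and a rootkit that hooks the file system can hide the mismatch from any tool running on the infected system, which is why the helper below asks for a GMER scan.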


#5 thewall
  • Malware Response Team
  • Location: Florida

Posted 08 September 2009 - 09:55 AM

Hello mute20, and welcome to the BC HijackThis Log and Analysis forum. Sorry about your long wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need to get a little different look at your system so please perform the following:



We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER file you downloaded on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window (shown in the original post as a screenshot). If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#6 mute20
  • Topic Starter
  • Members

Posted 08 September 2009 - 02:11 PM

[Quotes thewall's post #5 above in full.]

The log seems to be too big to put inside this forum.

#7 thewall
  • Malware Response Team
  • Location: Florida

Posted 08 September 2009 - 07:07 PM

If it is too big go ahead and make an attachment.

#8 mute20
  • Topic Starter
  • Members

Posted 09 September 2009 - 06:00 PM

The file is too big to attach.

Edited by mute20, 09 September 2009 - 06:01 PM.


#9 thewall
  • Malware Response Team
  • Location: Florida

Posted 09 September 2009 - 06:50 PM

When you ran GMER, do you know if the Show All button on the right side was checked? If you think it was, rerun it and uncheck that box before doing so.

#10 thewall
  • Malware Response Team
  • Location: Florida

Posted 14 September 2009 - 11:51 AM

Are you still requiring assistance?

#11 thewall
  • Malware Response Team
  • Location: Florida

Posted 15 September 2009 - 09:04 AM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.