[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan


41 replies to this topic

#1 kymberly


Posted 24 August 2009 - 01:00 PM

Avira AntiVir Personal
Report file date: Monday, August 24, 2009 09:21

Scanning for 1656284 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (plain) [6.0.6000]
Boot mode : Normally booted
Username : SYSTEM
Computer name : W-PC

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 21:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 17:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 16:14:50
ANTIVIR3.VDF : 7.1.5.155 72192 Bytes 8/24/2009 16:14:50
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 21:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/24/2009 16:15:02
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 17:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 17:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 21:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 17:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/24/2009 16:15:00
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/24/2009 16:14:54
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/24/2009 16:14:52
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 17:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Monday, August 24, 2009 09:21

Starting search for hidden objects.
'47662' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'VSSVC.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ieuser.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'SSDK04.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
Scan process 'PresentationFontCache.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'HPAdvisor.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'RtHDVCpl.exe' - '1' Module(s) have been scanned
Scan process 'OSD.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned
Scan process 'XAudio.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
52 processes with 52 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Master boot sector HD2
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Master boot sector HD3
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights
Master boot sector HD4
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '41' files ).


Starting the file scan:

Begin scan in 'C:\' <COMPAQ>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\hp\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
Begin scan in 'D:\' <Recovery>

Beginning disinfection:
C:\hp\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.


End of the scan: Monday, August 24, 2009 12:26
Used time: 3:03:32 Hour(s)

The scan has been done completely.

11434 Scanned directories
325672 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
325668 Files not concerned
2350 Archives were scanned
4 Warnings
4 Notes
47662 Objects were scanned with rootkit scan
0 Hidden objects were found


DDS (Ver_09-07-30.01) - NTFSx86
Run by U cant buy peace at 12:44:15.57 on Mon 08/24/2009
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.961 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\U cant buy peace\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-24 108289]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-24 38160]
R3 netr73;Amigo RT73 Wireless Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-8-22 255488]

=============== Created Last 30 ================

2009-08-24 11:50 <DIR> --d----- c:\programdata\TEMP
2009-08-24 11:50 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-24 11:00 1,840 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_GC660AA-ABA SR5123WM_YC_0Pres_QCNX719_E73NAv3PrA1_49_INettle2_SECS_V1.0_B5.07_T070404_WUH0_L409_M1918_J320_7AMD_8Athlon 64 X2 Dual Core_92.1_#090824_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-08-24 10:44 44 a------- c:\windows\system\hpsysdrv.dat
2009-08-24 10:40 <DIR> --d----- c:\users\U cant buy peace
2009-08-24 09:19 <DIR> --d----- c:\users\ucantb~1\appdata\roaming\Malwarebytes
2009-08-24 09:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 09:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 09:19 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-24 09:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 09:19 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-24 09:12 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-24 09:11 <DIR> --d----- c:\programdata\Avira
2009-08-24 09:11 <DIR> --d----- c:\program files\Avira
2009-08-24 09:11 <DIR> --d----- c:\progra~2\Avira
2009-08-24 09:10 0 a------- c:\windows\system32\settings.dat
2009-08-24 09:05 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-08-24 09:04 162,064 a------- c:\windows\system32\wuwebv.dll
2009-08-24 09:04 31,232 a------- c:\windows\system32\wuapp.exe
2009-08-22 17:12 <DIR> --d----- c:\programdata\Hewlett-Packard
2009-08-22 17:08 <DIR> --d----- c:\windows\SMINST
2009-08-22 17:02 <DIR> --d----- c:\programdata\Symantec
2009-08-22 17:02 <DIR> --d----- c:\progra~2\Symantec
2009-08-22 17:02 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-22 17:01 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-08-22 17:01 438,840 a--shr-- C:\bootmgr
2009-08-22 17:01 <DIR> --dsh--- C:\Boot
2009-08-22 17:00 <DIR> --d----- c:\program files\Yahoo!
2009-08-22 16:59 <DIR> --d----- c:\program files\Online Services
2009-08-22 16:59 <DIR> --d----- c:\program files\earthlink totalaccess
2009-08-22 16:56 <DIR> --d----- c:\programdata\PC-Doctor
2009-08-22 16:56 <DIR> --d----- c:\progra~2\PC-Doctor
2009-08-22 16:56 <DIR> --d----- c:\program files\PC-Doctor 5 for Windows
2009-08-22 16:54 <DIR> --d----- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2009-08-22 16:54 <DIR> --d----- c:\progra~2\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2009-08-22 16:54 <DIR> --d----- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-08-22 16:53 32,592 a------- c:\windows\system32\msonpmon.dll
2009-08-22 16:52 <DIR> --d----- c:\windows\PCHEALTH
2009-08-22 16:51 <DIR> --d----- c:\programdata\Microsoft Help
2009-08-22 16:49 <DIR> --d----- c:\programdata\Adobe
2009-08-22 16:48 <DIR> --d----- c:\program files\muvee Technologies
2009-08-22 16:48 <DIR> --d----- c:\program files\common files\muvee Technologies
2009-08-22 16:48 <DIR> --d----- c:\programdata\muvee Technologies
2009-08-22 16:47 <DIR> --d----- c:\program files\common files\xing shared
2009-08-22 16:47 <DIR> --d----- c:\program files\common files\Real
2009-08-22 16:46 <DIR> --d----- c:\program files\Rhapsody
2009-08-22 16:46 <DIR> a-d----- c:\program files\common files\LS Getting Started
2009-08-22 16:45 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-08-22 16:44 <DIR> --d----- c:\programdata\Sonic
2009-08-22 16:44 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-08-22 16:43 <DIR> --d----- c:\programdata\Roxio
2009-08-22 16:43 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-08-22 16:43 <DIR> --d----- c:\program files\Roxio
2009-08-22 16:37 <DIR> --d----- c:\program files\common files\HP
2009-08-22 16:37 <DIR> --d----- c:\program files\HP
2009-08-22 16:37 103,521 a------- c:\windows\hpqins13.dat
2009-08-22 16:37 <DIR> --d----- c:\programdata\HP
2009-08-22 16:32 <DIR> --d----- c:\programdata\WildTangent
2009-08-22 16:32 <DIR> --d----- c:\program files\HP Games
2009-08-22 16:32 <DIR> --d----- c:\progra~2\WildTangent
2009-08-22 16:27 319,456 a------- c:\windows\DIFxAPI.dll
2009-08-22 16:27 315,392 a------- c:\windows\HideWin.exe
2009-08-22 16:27 <DIR> --d----- c:\program files\Realtek
2009-08-22 16:27 520,192 a------- c:\windows\RtlExUpd.dll
2009-08-22 16:26 <DIR> --d----- c:\windows\system32\RTCOM
2009-08-22 16:26 1,840,640 a------- c:\windows\system32\RtkAPO.dll
2009-08-22 16:26 1,744,928 a------- c:\windows\system32\drivers\RTKVHDA.sys
2009-08-22 16:26 1,191,936 a------- c:\windows\RtlUpd.exe
2009-08-22 16:26 532,480 a------- c:\windows\system32\RTSndMgr.cpl
2009-08-22 16:26 494,080 a------- c:\windows\system32\RtkPgExt.dll
2009-08-22 16:26 339,968 a------- c:\windows\system32\SRSTSXT.dll
2009-08-22 16:26 135,168 a------- c:\windows\system32\SRSWOW.dll
2009-08-22 16:26 4,390,912 a------- c:\windows\RtHDVCpl.exe
2009-08-22 16:23 414,208 a------- c:\windows\system32\msscp.dll
2009-08-22 16:23 146,944 a------- c:\windows\system32\MMDevAPI.dll
2009-08-22 16:23 84,480 a------- c:\windows\system32\dnsrslvr.dll
2009-08-22 16:23 24,576 a------- c:\windows\system32\dnscacheugc.exe
2009-08-22 16:22 135,680 a------- c:\windows\system32\wusa.exe
2009-08-22 16:22 974,336 a------- c:\windows\system32\crypt32.dll
2009-08-22 16:21 104,448 a------- c:\windows\system32\DWWIN.EXE
2009-08-22 16:21 74,752 a------- c:\windows\system32\drivers\rasl2tp.sys
2009-08-22 16:21 60,928 a------- c:\windows\system32\drivers\raspptp.sys
2009-08-22 16:20 229,888 a------- c:\windows\system32\msshsq.dll
2009-08-22 16:20 292,352 a------- c:\windows\system32\psisdecd.dll
2009-08-22 16:20 218,624 a------- c:\windows\system32\psisrndr.ax
2009-08-22 16:20 80,896 a------- c:\windows\system32\MSNP.ax
2009-08-22 16:20 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-08-22 16:20 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-08-22 16:18 223,744 a------- c:\windows\system32\drivers\usbport.sys
2009-08-22 16:18 192,000 a------- c:\windows\system32\drivers\usbhub.sys
2009-08-22 16:18 73,216 a------- c:\windows\system32\drivers\usbccgp.sys
2009-08-22 16:18 38,400 a------- c:\windows\system32\drivers\usbehci.sys
2009-08-22 16:18 19,456 a------- c:\windows\system32\drivers\usbohci.sys
2009-08-22 16:18 8,704 a------- c:\windows\system32\hccoin.dll
2009-08-22 16:18 5,888 a------- c:\windows\system32\drivers\usbd.sys
2009-08-22 16:18 53,760 a------- c:\windows\system32\drivers\hdaudbus.sys
2009-08-22 16:17 61,440 -------- c:\windows\system32\OsdRemove.exe
2009-08-22 16:16 48,760 a------- c:\windows\system32\RUNCLOSE.OCX
2009-08-22 16:16 19,072 a------- c:\windows\system32\drivers\PS2.sys
2009-08-22 16:16 253,952 a------- c:\windows\system32\cPC_DMIRD.dll
2009-08-22 16:14 327,680 a------- c:\windows\system32\pythoncom24.dll
2009-08-22 16:14 102,400 a------- c:\windows\system32\pywintypes24.dll
2009-08-22 16:14 1,060,864 a------- c:\windows\system32\mfc71.dll
2009-08-22 16:14 348,160 a------- c:\windows\system32\msvcr71.dll
2009-08-22 16:13 <DIR> --dsh--- c:\windows\Installer
2009-08-22 16:07 <DIR> --d----- c:\program files\CONEXANT

==================== Find3M ====================

2009-08-22 16:29 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-22 16:29 51,200 a------- c:\windows\inf\infpub.dat
2009-08-22 16:29 86,016 a------- c:\windows\inf\infstrng.dat
2009-08-22 16:29 86,016 a------- c:\windows\inf\infstor.dat
2009-08-22 16:24 4,153,344 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-22 16:24 2,143,744 a------- c:\windows\apppatch\AcGenral.dll
2009-08-22 16:24 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-08-22 16:24 449,024 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-22 16:24 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-22 16:24 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-08-22 16:24 1,686,016 a------- c:\windows\system32\gameux.dll
2009-08-22 16:20 160,872 a------- c:\windows\system32\halmacpi.dll
2009-08-22 16:20 134,760 a------- c:\windows\system32\halacpi.dll
2006-11-02 05:50 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:45:00.13 ===============
ATTACH

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 8/22/2009 4:10:10 PM
System Uptime: 8/24/2009 12:27:42 PM (0 hours ago)

Motherboard: ECS | | Nettle2
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4000+ | Socket M2 | 2000/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 289 GiB total, 273.271 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.007 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP4: 8/24/2009 9:03:44 AM - Windows Update
RP6: 8/24/2009 9:10:55 AM - Avira AntiVir Personal - 8/24/2009 9:10
RP2: 8/24/2009 10:54:17 AM - Removed Snapfish Media Detector
RP3: 8/24/2009 11:00:51 AM - Scripted restore

==== Installed Programs ======================

Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Avira AntiVir Personal - Free Antivirus
Enhanced Multimedia Keyboard Solution
Hardware Diagnostic Tools
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
LightScribe 1.4.142.1
Malwarebytes' Anti-Malware
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
muvee autoProducer 6.0
My HP Games
NVIDIA Drivers
PSSWCORE
Python 2.4.3
RealPlayer
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Soft Data Fax Modem with SmartCP
SpywareBlaster 4.2

==== Event Viewer Messages From Past Week ========

8/24/2009 9:07:00 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxResourcesLP from package WindowsUpdateClient-SelfUpdate-Aux-Package(Language Pack) into Staged(Staged) state
8/24/2009 9:07:00 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state
8/24/2009 9:07:00 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Language Pack) into Install Requested(Install Requested) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-TW-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-HK-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-CN-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-uk-UA-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-tr-TR-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-th-TH-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sv-SE-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sr-Latn-CS-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sl-SI-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sk-SK-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ru-RU-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ro-RO-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-PT-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-BR-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pl-PL-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nl-NL-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-Neutral from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nb-NO-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lv-LV-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lt-LT-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ko-KR-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ja-JP-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-it-IT-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hu-HU-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hr-HR-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-he-IL-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fr-FR-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fi-FI-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-et-EE-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-es-ES-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-US-LP from package WUClient-SelfUpdate-Aux-Package-en-US-MiniLP(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-US-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-el-GR-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-de-DE-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-da-DK-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-cs-CZ-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-bg-BG-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ar-sa-LP-Toplevel from package WUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxComp from package WindowsUpdateClient-SelfUpdate-Aux-Package(Update) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WUClient-SelfUpdate-Aux (Feature Pack) into Install Requested(Install Requested) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WUClient-SelfUpdate-Aux-Package-en-US-MiniLP (Feature Pack) into Install Requested(Install Requested) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Update) into Install Requested(Install Requested) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US (Language Pack) into Install Requested(Install Requested) state
8/24/2009 9:06:59 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package (Update) into Install Requested(Install Requested) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-3_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-24_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-23_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-22_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-21_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-2_neutral_GDR from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-19_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-16_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-12_neutral_PACKAGE from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-11_neutral_GDR from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-10_neutral_LDR from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 954459-1_neutral_LDR from package KB954459(Security Update) into Staging(Staging) state
8/24/2009 12:43:47 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB954459 (Security Update) into Staging(Staging) state
8/24/2009 12:39:05 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 939159-2_RTM_neutral_LDR from package KB939159(Update) into Staging(Staging) state
8/24/2009 12:39:05 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 939159-1_RTM_neutral_GDR from package KB939159(Update) into Staging(Staging) state
8/24/2009 12:39:05 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB939159 (Update) into Staging(Staging) state
8/24/2009 12:28:22 PM, Error: EventLog [6008] - The previous system shutdown at 12:26:38 PM on 8/24/2009 was unexpected.
8/24/2009 10:59:37 AM, Error: EventLog [6008] - The previous system shutdown at 10:56:41 AM on 8/24/2009 was unexpected.
8/24/2009 10:34:07 AM, Error: EventLog [6008] - The previous system shutdown at 10:30:04 AM on 8/24/2009 was unexpected.
8/24/2009 10:27:42 AM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 9, function 0. Please contact your system vendor for technical assistance.
8/24/2009 10:27:42 AM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 12, function 0. Please contact your system vendor for technical assistance.
8/24/2009 10:27:42 AM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 11, function 0. Please contact your system vendor for technical assistance.

==== End Of File ===========================


When I ran the Avira scan it asked me to restart the system so the items would be deleted after reboot, but once rebooted I got a message that the items can't be deleted. Also I am not able to download RootRepeal or ZoneAlarm Firewall, maybe because of the trojan that's present. RootRepeal gives me a message: FOPS Device IOControl! rootrepeal error error code-oxc00000024 extended code info (ox00000d8)
Also I have been struggling to get help with my computer, but if you look at the last posting I had, the person helping me is somewhat crazy! He closed the thread with running extra programs. I just used the recovery disks to restore the computer and found a trojan already. Maybe it's in the restore system. Thanks for your help!!


#2 kymberly
  • Topic Starter
  • Banned
  • 387 posts

Posted 30 August 2009 - 05:03 PM

Hey Hoov, just wanted to let you know a few things here. I can't start in normal mode; I'm working in safe mode with networking because I am getting a fake security update each time I try to sign on. Windows starts up and I get a pitch black window for 3-4 seconds, then a blue icon circle swirling around and "please wait" pops up, then "configuring updates" comes up and stays up for about 10 minutes. When I finally logged on and went to see what updates were downloaded: NONE!!! Suspicious. Then I noticed that I have a wuauserv, wuaueng.dll.mui, wucltux.dll.mui (mui file), wu client self update. I did a little research and believe these are not legitimate files. Maybe this is what's updating and not the real updates, because when I run the real Windows Update it fails to install any updates.

#3 Hoov
  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 02 September 2009 - 10:16 PM

The two programs that are said to be Trojans are more than likely just false positives. The first one, KillIt.exe, is for sure a false positive. The second is more than likely also a legit file. And for the three new files, the wu files, those are Windows Update files.

Run combofix in safe mode.

* Anyone other than the originator of this thread: you would be best advised not to run ComboFix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrongly.

Run ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#4 kymberly
  • Topic Starter
  • Banned
  • 387 posts

Posted 02 September 2009 - 11:16 PM

Ok, started in safe mode as directed but kept getting several errors: "access denied, need to log on as administrator." I was logged on as admin. (confused) Another message was "administrator permission is needed to use this option, use an administrator command prompt to complete these tasks."

ComboFix 09-09-02.02 - I love Pink 09/02/2009 20:55.1.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1571 [GMT -7:00]
Running from: c:\users\I love Pink\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 03:59 . 2009-09-03 03:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-03 03:59 . 2009-09-03 03:59 -------- d-----w- c:\users\Orange Me Down\AppData\Local\temp
2009-09-03 03:59 . 2009-09-03 03:59 -------- d-----w- c:\users\I love Pink\AppData\Local\temp
2009-09-03 03:59 . 2009-09-03 03:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-31 00:33 . 2009-08-31 00:33 -------- d-----w- c:\users\I love Pink\AppData\Local\Adobe
2009-08-29 01:32 . 2009-08-29 01:32 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-29 01:32 . 2009-08-29 01:32 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-29 01:32 . 2009-08-29 01:32 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-29 01:32 . 2009-08-29 01:32 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-29 01:32 . 2009-08-29 01:32 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-29 01:08 . 2009-08-29 01:08 1645568 ----a-w- c:\windows\system32\connect.dll
2009-08-29 01:08 . 2009-08-29 01:08 5120 ----a-w- c:\windows\system32\wmi.dll
2009-08-29 01:08 . 2009-08-29 01:08 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2009-08-29 01:08 . 2009-08-29 01:08 152576 ----a-w- c:\windows\system32\imagehlp.dll
2009-08-29 01:08 . 2009-08-29 01:08 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-29 01:07 . 2009-08-29 01:07 1327104 ----a-w- c:\windows\system32\quartz.dll
2009-08-29 01:06 . 2009-08-29 01:06 -------- d-----w- c:\program files\MSXML 4.0
2009-08-29 01:05 . 2009-08-29 01:05 99840 ----a-w- c:\windows\system32\poqexec.exe
2009-08-29 01:05 . 2009-08-29 01:05 633856 ----a-w- c:\windows\system32\user32.dll
2009-08-29 01:05 . 2009-08-29 01:05 2026496 ----a-w- c:\windows\system32\win32k.sys
2009-08-29 01:05 . 2009-08-29 01:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-08-29 01:05 . 2009-08-29 01:05 1341440 ----a-w- c:\windows\system32\msxml6.dll
2009-08-29 01:03 . 2009-08-29 01:03 750080 ----a-w- c:\windows\system32\qmgr.dll
2009-08-28 23:18 . 2009-08-28 23:18 -------- d-----w- c:\users\I love Pink\AppData\Local\Hewlett-Packard
2009-08-28 23:17 . 2009-08-28 23:33 87776 ----a-w- c:\users\I love Pink\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-28 23:17 . 2009-08-28 23:17 -------- d-----w- c:\users\I love Pink\AppData\Roaming\Snapfish
2009-08-28 23:17 . 2009-08-28 23:55 -------- d-----w- c:\users\I love Pink\AppData\Local\VirtualStore
2009-08-28 23:15 . 2009-08-28 23:15 44 ----a-w- c:\windows\system\hpsysdrv.dat
2009-08-28 23:15 . 2009-08-28 23:18 -------- d-----w- c:\users\I love Pink\AppData\Roaming\Hewlett-Packard
2009-08-28 21:45 . 2009-08-28 21:45 -------- d-----w- c:\users\I love Pink\AppData\Roaming\OnlineArmor
2009-08-28 21:45 . 2009-08-28 21:45 -------- d-----w- c:\programdata\OnlineArmor
2009-08-28 21:44 . 2009-07-11 12:17 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2009-08-28 21:44 . 2009-08-28 21:44 -------- d-----w- c:\program files\Tall Emu
2009-08-28 21:44 . 2009-07-11 12:17 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys
2009-08-28 21:43 . 2009-08-30 22:51 -------- d-----w- c:\program files\a-squared Free
2009-08-28 21:41 . 2009-08-28 21:41 43544 ----a-w- c:\windows\system32\wups2.dll
2009-08-28 21:41 . 2009-08-28 21:41 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-08-28 21:41 . 2009-08-28 21:41 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-28 21:41 . 2009-08-28 21:41 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-28 21:40 . 2009-08-28 21:40 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-08-28 21:40 . 2009-08-28 21:40 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-27 00:39 . 2009-08-28 23:18 -------- d-----w- c:\programdata\Hewlett-Packard
2009-08-27 00:35 . 2009-08-28 23:53 -------- d-----w- c:\windows\SMINST
2009-08-27 00:31 . 2009-08-28 23:32 -------- d--h--w- C:\hp
2009-08-27 00:31 . 2006-11-29 10:14 172032 ----a-w- c:\windows\system32\UCI32m15.dll
2009-08-27 00:31 . 2006-06-19 14:26 12672 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2009-08-27 00:31 . 2006-06-19 14:26 94208 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-08-27 00:31 . 2007-01-04 16:41 255488 ----a-w- c:\windows\system32\drivers\netr73.sys
2009-08-27 00:31 . 2007-03-19 13:58 101672 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-08-27 00:31 . 2007-03-19 13:39 352768 ----a-w- c:\windows\system32\idecoiins.dll
2009-08-27 00:31 . 2007-03-19 13:39 352768 ----a-w- c:\windows\system32\idecoi.dll
2009-08-27 00:30 . 2009-08-27 00:40 -------- d-----w- c:\windows\Panther
2009-08-27 00:30 . 2009-08-27 00:30 -------- d-----w- c:\windows\system32\OEM
2009-08-27 00:30 . 2009-08-27 00:30 -------- d-sh--w- C:\Boot
2009-08-27 00:29 . 2009-08-30 22:07 -------- d-----w- c:\programdata\Symantec
2009-08-27 00:29 . 2009-08-28 23:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 00:28 . 2009-08-28 23:27 -------- d-----w- c:\program files\Yahoo!
2009-08-27 00:26 . 2009-08-27 00:26 -------- d-----w- c:\program files\earthlink totalaccess
2009-08-27 00:24 . 2009-08-27 00:24 -------- d-----w- c:\programdata\PC-Doctor
2009-08-27 00:23 . 2009-08-27 00:38 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-08-27 00:22 . 2009-08-27 00:22 -------- d-----w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2009-08-27 00:21 . 2009-08-27 00:22 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-08-27 00:21 . 2006-10-27 02:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-08-27 00:20 . 2009-08-27 00:20 -------- d-----w- c:\windows\PCHEALTH
2009-08-27 00:20 . 2009-08-27 00:20 -------- d-----w- c:\program files\Microsoft.NET
2009-08-27 00:19 . 2009-08-27 00:21 -------- d-----w- c:\programdata\Microsoft Help
2009-08-27 00:19 . 2009-08-27 00:19 -------- d--h--r- C:\MSOCache
2009-08-27 00:18 . 2009-08-27 00:20 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 00:16 . 2009-08-27 00:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-27 00:15 . 2009-08-28 23:29 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\program files\muvee Technologies
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\programdata\muvee Technologies
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-27 00:14 . 2009-08-27 00:15 -------- d-----w- c:\program files\Real
2009-08-27 00:14 . 2009-08-27 00:14 -------- d-----w- c:\program files\Rhapsody
2009-08-27 00:13 . 2009-08-27 00:13 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-08-27 00:13 . 2009-08-27 00:13 -------- d---a-w- c:\program files\Common Files\LS Getting Started
2009-08-27 00:13 . 2009-08-27 00:13 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-27 00:12 . 2009-08-27 00:12 -------- d-----w- c:\programdata\Sonic
2009-08-27 00:12 . 2009-08-27 00:12 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-08-27 00:11 . 2009-08-27 00:13 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-27 00:11 . 2009-08-27 00:11 -------- d-----w- c:\programdata\Roxio
2009-08-27 00:11 . 2009-08-27 00:13 -------- d-----w- c:\program files\Roxio
2009-08-27 00:11 . 2009-08-27 00:12 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-27 00:05 . 2009-08-28 23:20 -------- d-----w- c:\program files\HP
2009-08-27 00:05 . 2009-08-27 00:05 -------- d-----w- c:\program files\Common Files\HP
2009-08-27 00:04 . 2009-08-27 00:06 103521 ----a-w- c:\windows\hpqins13.dat
2009-08-27 00:04 . 2009-08-27 00:05 -------- d-----w- c:\programdata\HP
2009-08-26 23:59 . 2009-08-27 00:04 -------- d-----w- c:\programdata\WildTangent
2009-08-26 23:59 . 2009-08-27 00:04 -------- d-----w- c:\program files\HP Games
2009-08-26 23:59 . 2009-08-26 23:59 -------- d-----w- c:\windows\system32\Macromed
2009-08-26 23:53 . 2007-02-11 00:18 958464 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-26 23:52 . 2009-08-26 23:52 414208 ----a-w- c:\windows\system32\msscp.dll
2009-08-26 23:52 . 2009-08-26 23:52 146944 ----a-w- c:\windows\system32\MMDevAPI.dll
2009-08-26 23:51 . 2009-08-26 23:51 84480 ----a-w- c:\windows\system32\dnsrslvr.dll
2009-08-26 23:51 . 2009-08-26 23:51 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2009-08-26 23:50 . 2009-08-26 23:50 135680 ----a-w- c:\windows\system32\wusa.exe
2009-08-26 23:50 . 2009-08-26 23:50 974336 ----a-w- c:\windows\system32\crypt32.dll
2009-08-26 23:50 . 2009-08-26 23:50 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2009-08-26 23:49 . 2009-08-26 23:49 74752 ----a-w- c:\windows\system32\drivers\rasl2tp.sys
2009-08-26 23:49 . 2009-08-26 23:49 60928 ----a-w- c:\windows\system32\drivers\raspptp.sys
2009-08-26 23:49 . 2009-08-26 23:49 229888 ----a-w- c:\windows\system32\msshsq.dll
2009-08-26 23:48 . 2009-08-26 23:48 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-26 23:47 . 2009-08-26 23:47 8704 ----a-w- c:\windows\system32\hccoin.dll
2009-08-26 23:47 . 2009-08-26 23:47 73216 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-26 23:47 . 2009-08-26 23:47 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2009-08-26 23:47 . 2009-08-26 23:47 38400 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-08-26 23:47 . 2009-08-26 23:47 223744 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-08-26 23:47 . 2009-08-26 23:47 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-08-26 23:47 . 2009-08-26 23:47 192000 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-08-26 23:46 . 2009-08-26 23:46 53760 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-08-26 23:46 . 2007-02-12 15:01 61440 ----a-w- c:\windows\system32\OsdRemove.exe
2009-08-26 23:46 . 2009-08-27 00:26 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-26 23:45 . 2005-12-12 17:27 19072 ----a-w- c:\windows\system32\drivers\PS2.sys
2009-08-26 23:45 . 2007-02-08 10:40 253952 ----a-w- c:\windows\system32\cPC_DMIRD.dll
2009-08-26 23:43 . 2006-07-16 21:23 327680 ----a-w- c:\windows\system32\pythoncom24.dll
2009-08-26 23:43 . 2006-07-16 21:15 102400 ----a-w- c:\windows\system32\pywintypes24.dll
2009-08-26 23:42 . 2006-09-07 17:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-26 23:42 . 2006-09-07 17:13 1060864 ----a-w- c:\windows\system32\mfc71.dll
2009-08-26 23:42 . 2009-08-29 01:56 -------- d-sh--w- c:\windows\Installer
2009-08-26 23:35 . 2009-08-26 23:35 -------- d-----w- c:\program files\CONEXANT
2009-08-26 23:34 . 2009-08-28 23:08 -------- d-----w- c:\windows\Debug

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 23:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-30 23:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 23:34 . 2009-08-26 23:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-28 23:32 . 2009-08-28 23:32 1840 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_GC660AA-ABA SR5123WM_YC_0Pres_QCNX719_E73NAv3PrA1_49_INettle2_SECS_V1.0_B5.07_T070404_WUH0_L409_M1918_J320_7AMD_8Athlon 64 X2 Dual Core_92.1_#090828_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-08-27 00:06 . 2009-08-26 23:55 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-26 23:55 . 2009-08-26 23:55 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-08-26 23:55 . 2009-08-26 23:55 315392 ----a-w- c:\windows\HideWin.exe
2009-08-26 23:55 . 2009-08-26 23:55 -------- d-----w- c:\program files\Realtek
2009-08-26 23:53 . 2009-08-26 23:53 4153344 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-26 23:53 . 2009-08-26 23:53 1686016 ----a-w- c:\windows\system32\gameux.dll
2009-08-26 23:49 . 2006-11-02 08:30 134760 ----a-w- c:\windows\system32\halacpi.dll
2009-08-26 23:49 . 2006-11-02 08:30 160872 ----a-w- c:\windows\system32\halmacpi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-11 90192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-11 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-11 81920]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-07-11 2121416]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-01 4390912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ECF57311-8226-45F9-91F1-A76FDC76209D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F21DD049-BD9C-482E-AC91-E5FE3AE7E64E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AD7223AB-4303-4BB4-B429-9AD577098FC6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A7A01835-0D62-4E17-B5D3-29617F9A2C54}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AB65EFF9-89FF-4908-B020-27B387103BC5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BAE68C0C-8149-4961-9896-8039AF36957F}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EAF90D6A-7FFD-4F0D-AEA8-F51502124F96}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EDAD4B30-872F-4623-A506-44FFDD4E1067}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S1 OADevice;OADriver;c:\windows\System32\drivers\OADriver.sys [8/28/2009 2:44 PM 200784]
S1 OAmon;OAmon;c:\windows\System32\drivers\OAmon.sys [8/28/2009 2:44 PM 24656]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [8/28/2009 2:44 PM 362184]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [8/28/2009 2:44 PM 3142344]
S3 netr73;Amigo RT73 Wireless Driver for Vista;c:\windows\System32\drivers\netr73.sys [8/26/2009 5:31 PM 255488]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 21:00
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(916)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2009-09-03 21:01
ComboFix-quarantined-files.txt 2009-09-03 04:01
ComboFix2.txt 2009-08-31 17:52
ComboFix3.txt 2009-08-31 17:45

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 288,941,355,008 bytes free

OLD COMBOFIX LOG RUN ON 8-31
ComboFix 09-08-30.04 - I love Pink 08/31/2009 10:40.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1510 [GMT -7:00]
Running from: c:\users\I love Pink\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-161002949-3877063017-1965083225-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 00:33 . 2009-08-31 00:33 -------- d-----w- c:\users\I love Pink\AppData\Local\Adobe
2009-08-29 01:32 . 2009-08-29 01:32 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-29 01:32 . 2009-08-29 01:32 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-29 01:32 . 2009-08-29 01:32 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-29 01:32 . 2009-08-29 01:32 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-29 01:32 . 2009-08-29 01:32 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-29 01:08 . 2009-08-29 01:08 1645568 ----a-w- c:\windows\system32\connect.dll
2009-08-29 01:08 . 2009-08-29 01:08 5120 ----a-w- c:\windows\system32\wmi.dll
2009-08-29 01:08 . 2009-08-29 01:08 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2009-08-29 01:08 . 2009-08-29 01:08 152576 ----a-w- c:\windows\system32\imagehlp.dll
2009-08-29 01:08 . 2009-08-29 01:08 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-29 01:07 . 2009-08-29 01:07 1327104 ----a-w- c:\windows\system32\quartz.dll
2009-08-29 01:06 . 2009-08-29 01:06 -------- d-----w- c:\program files\MSXML 4.0
2009-08-29 01:05 . 2009-08-29 01:05 99840 ----a-w- c:\windows\system32\poqexec.exe
2009-08-29 01:05 . 2009-08-29 01:05 633856 ----a-w- c:\windows\system32\user32.dll
2009-08-29 01:05 . 2009-08-29 01:05 2026496 ----a-w- c:\windows\system32\win32k.sys
2009-08-29 01:05 . 2009-08-29 01:05 2048 ----a-w- c:\windows\system32\msxml6r.dll
2009-08-29 01:05 . 2009-08-29 01:05 1341440 ----a-w- c:\windows\system32\msxml6.dll
2009-08-29 01:03 . 2009-08-29 01:03 750080 ----a-w- c:\windows\system32\qmgr.dll
2009-08-28 23:18 . 2009-08-28 23:18 -------- d-----w- c:\users\I love Pink\AppData\Local\Hewlett-Packard
2009-08-28 23:17 . 2009-08-28 23:33 87776 ----a-w- c:\users\I love Pink\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-28 23:17 . 2009-08-28 23:17 -------- d-----w- c:\users\I love Pink\AppData\Roaming\Snapfish
2009-08-28 23:17 . 2009-08-28 23:55 -------- d-----w- c:\users\I love Pink\AppData\Local\VirtualStore
2009-08-28 23:15 . 2009-08-28 23:15 44 ----a-w- c:\windows\system\hpsysdrv.dat
2009-08-28 23:15 . 2009-08-28 23:18 -------- d-----w- c:\users\I love Pink\AppData\Roaming\Hewlett-Packard
2009-08-28 21:45 . 2009-08-28 21:45 -------- d-----w- c:\users\I love Pink\AppData\Roaming\OnlineArmor
2009-08-28 21:45 . 2009-08-28 21:45 -------- d-----w- c:\programdata\OnlineArmor
2009-08-28 21:44 . 2009-07-11 12:17 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2009-08-28 21:44 . 2009-08-28 21:44 -------- d-----w- c:\program files\Tall Emu
2009-08-28 21:44 . 2009-07-11 12:17 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys
2009-08-28 21:43 . 2009-08-30 22:51 -------- d-----w- c:\program files\a-squared Free
2009-08-28 21:41 . 2009-08-28 21:41 43544 ----a-w- c:\windows\system32\wups2.dll
2009-08-28 21:41 . 2009-08-28 21:41 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-08-28 21:41 . 2009-08-28 21:41 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-28 21:41 . 2009-08-28 21:41 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-28 21:40 . 2009-08-28 21:40 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-08-28 21:40 . 2009-08-28 21:40 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-27 00:39 . 2009-08-28 23:18 -------- d-----w- c:\programdata\Hewlett-Packard
2009-08-27 00:35 . 2009-08-28 23:53 -------- d-----w- c:\windows\SMINST
2009-08-27 00:31 . 2009-08-28 23:32 -------- d--h--w- C:\hp
2009-08-27 00:31 . 2006-11-29 10:14 172032 ----a-w- c:\windows\system32\UCI32m15.dll
2009-08-27 00:31 . 2006-06-19 14:26 12672 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2009-08-27 00:31 . 2006-06-19 14:26 94208 ----a-w- c:\windows\system32\mdmxsdk.dll
2009-08-27 00:31 . 2007-01-04 16:41 255488 ----a-w- c:\windows\system32\drivers\netr73.sys
2009-08-27 00:31 . 2007-03-19 13:58 101672 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-08-27 00:31 . 2007-03-19 13:39 352768 ----a-w- c:\windows\system32\idecoiins.dll
2009-08-27 00:31 . 2007-03-19 13:39 352768 ----a-w- c:\windows\system32\idecoi.dll
2009-08-27 00:30 . 2009-08-27 00:40 -------- d-----w- c:\windows\Panther
2009-08-27 00:30 . 2009-08-27 00:30 -------- d-----w- c:\windows\system32\OEM
2009-08-27 00:30 . 2009-08-27 00:30 -------- d-sh--w- C:\Boot
2009-08-27 00:29 . 2009-08-30 22:07 -------- d-----w- c:\programdata\Symantec
2009-08-27 00:29 . 2009-08-28 23:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-27 00:28 . 2009-08-28 23:27 -------- d-----w- c:\program files\Yahoo!
2009-08-27 00:26 . 2009-08-27 00:26 -------- d-----w- c:\program files\earthlink totalaccess
2009-08-27 00:24 . 2009-08-27 00:24 -------- d-----w- c:\programdata\PC-Doctor
2009-08-27 00:23 . 2009-08-27 00:38 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-08-27 00:22 . 2009-08-27 00:22 -------- d-----w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2009-08-27 00:22 . 2006-11-29 20:33 321108 ----a-w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\mia.dll
2009-08-27 00:22 . 2006-11-29 20:33 2538535 ----a-w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe
2009-08-27 00:21 . 2009-08-27 00:22 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-08-27 00:21 . 2006-10-27 02:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-08-27 00:20 . 2009-08-27 00:20 -------- d-----w- c:\windows\PCHEALTH
2009-08-27 00:20 . 2009-08-27 00:20 -------- d-----w- c:\program files\Microsoft.NET
2009-08-27 00:19 . 2009-08-27 00:21 -------- d-----w- c:\programdata\Microsoft Help
2009-08-27 00:19 . 2009-08-27 00:19 -------- d--h--r- C:\MSOCache
2009-08-27 00:18 . 2009-08-27 00:20 -------- d-----w- c:\program files\Microsoft Works
2009-08-27 00:16 . 2009-08-27 00:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-27 00:15 . 2009-08-28 23:29 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\program files\muvee Technologies
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\programdata\muvee Technologies
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-27 00:15 . 2009-08-27 00:15 -------- d-----w- c:\program files\Common Files\Real
2009-08-27 00:14 . 2009-08-27 00:15 -------- d-----w- c:\program files\Real
2009-08-27 00:14 . 2009-08-27 00:14 -------- d-----w- c:\program files\Rhapsody
2009-08-27 00:13 . 2009-08-27 00:13 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-08-27 00:13 . 2009-08-27 00:13 -------- d---a-w- c:\program files\Common Files\LS Getting Started
2009-08-27 00:13 . 2009-08-27 00:13 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-27 00:12 . 2009-08-27 00:12 -------- d-----w- c:\programdata\Sonic
2009-08-27 00:12 . 2009-08-27 00:12 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-08-27 00:11 . 2009-08-27 00:13 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-27 00:11 . 2009-08-27 00:11 -------- d-----w- c:\programdata\Roxio
2009-08-27 00:11 . 2009-08-27 00:13 -------- d-----w- c:\program files\Roxio
2009-08-27 00:11 . 2009-08-27 00:12 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-08-27 00:05 . 2009-08-28 23:20 -------- d-----w- c:\program files\HP
2009-08-27 00:05 . 2009-08-27 00:05 -------- d-----w- c:\program files\Common Files\HP
2009-08-27 00:04 . 2009-08-27 00:06 103521 ----a-w- c:\windows\hpqins13.dat
2009-08-27 00:04 . 2009-08-27 00:05 -------- d-----w- c:\programdata\HP
2009-08-27 00:04 . 2007-01-03 13:31 4779376 ----a-w- c:\programdata\WildTangent\oem-eula.exe
2009-08-26 23:59 . 2009-08-27 00:04 -------- d-----w- c:\programdata\WildTangent
2009-08-26 23:59 . 2009-08-27 00:04 -------- d-----w- c:\program files\HP Games
2009-08-26 23:59 . 2009-08-26 23:59 -------- d-----w- c:\windows\system32\Macromed
2009-08-26 23:53 . 2007-02-11 00:18 958464 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-26 23:52 . 2009-08-26 23:52 414208 ----a-w- c:\windows\system32\msscp.dll
2009-08-26 23:52 . 2009-08-26 23:52 146944 ----a-w- c:\windows\system32\MMDevAPI.dll
2009-08-26 23:51 . 2009-08-26 23:51 84480 ----a-w- c:\windows\system32\dnsrslvr.dll
2009-08-26 23:51 . 2009-08-26 23:51 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2009-08-26 23:50 . 2009-08-26 23:50 135680 ----a-w- c:\windows\system32\wusa.exe
2009-08-26 23:50 . 2009-08-26 23:50 974336 ----a-w- c:\windows\system32\crypt32.dll
2009-08-26 23:50 . 2009-08-26 23:50 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2009-08-26 23:49 . 2009-08-26 23:49 74752 ----a-w- c:\windows\system32\drivers\rasl2tp.sys
2009-08-26 23:49 . 2009-08-26 23:49 60928 ----a-w- c:\windows\system32\drivers\raspptp.sys
2009-08-26 23:49 . 2009-08-26 23:49 229888 ----a-w- c:\windows\system32\msshsq.dll
2009-08-26 23:48 . 2009-08-26 23:48 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-26 23:47 . 2009-08-26 23:47 8704 ----a-w- c:\windows\system32\hccoin.dll
2009-08-26 23:47 . 2009-08-26 23:47 73216 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-26 23:47 . 2009-08-26 23:47 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2009-08-26 23:47 . 2009-08-26 23:47 38400 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-08-26 23:47 . 2009-08-26 23:47 223744 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-08-26 23:47 . 2009-08-26 23:47 19456 ----a-w- c:\windows\system32\drivers\usbohci.sys
2009-08-26 23:47 . 2009-08-26 23:47 192000 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-08-26 23:46 . 2009-08-26 23:46 53760 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-08-26 23:46 . 2007-02-12 15:01 61440 ----a-w- c:\windows\system32\OsdRemove.exe
2009-08-26 23:46 . 2009-08-27 00:26 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-26 23:45 . 2005-12-12 17:27 19072 ----a-w- c:\windows\system32\drivers\PS2.sys
2009-08-26 23:45 . 2007-02-08 10:40 253952 ----a-w- c:\windows\system32\cPC_DMIRD.dll
2009-08-26 23:43 . 2006-07-16 21:23 327680 ----a-w- c:\windows\system32\pythoncom24.dll
2009-08-26 23:43 . 2006-07-16 21:15 102400 ----a-w- c:\windows\system32\pywintypes24.dll
2009-08-26 23:42 . 2006-09-07 17:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-26 23:42 . 2006-09-07 17:13 1060864 ----a-w- c:\windows\system32\mfc71.dll
2009-08-26 23:42 . 2009-08-29 01:56 -------- d-sh--w- c:\windows\Installer
2009-08-26 23:35 . 2009-08-26 23:35 -------- d-----w- c:\program files\CONEXANT
2009-08-26 23:34 . 2009-08-28 23:08 -------- d-----w- c:\windows\Debug

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 23:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-30 23:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 23:34 . 2009-08-26 23:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-28 23:32 . 2009-08-28 23:32 1840 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_GC660AA-ABA SR5123WM_YC_0Pres_QCNX719_E73NAv3PrA1_49_INettle2_SECS_V1.0_B5.07_T070404_WUH0_L409_M1918_J320_7AMD_8Athlon 64 X2 Dual Core_92.1_#090828_N10DE03EF_Z14F12F20_G10DE03D0.MRK
2009-08-27 00:06 . 2009-08-26 23:55 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-26 23:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-26 23:55 . 2009-08-26 23:55 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-08-26 23:55 . 2009-08-26 23:55 315392 ----a-w- c:\windows\HideWin.exe
2009-08-26 23:55 . 2009-08-26 23:55 -------- d-----w- c:\program files\Realtek
2009-08-26 23:53 . 2009-08-26 23:53 4153344 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-26 23:53 . 2009-08-26 23:53 1686016 ----a-w- c:\windows\system32\gameux.dll
2009-08-26 23:49 . 2006-11-02 08:30 134760 ----a-w- c:\windows\system32\halacpi.dll
2009-08-26 23:49 . 2006-11-02 08:30 160872 ----a-w- c:\windows\system32\halmacpi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-11 90192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-11 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-11 81920]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-07-11 2121416]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-01 4390912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ECF57311-8226-45F9-91F1-A76FDC76209D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F21DD049-BD9C-482E-AC91-E5FE3AE7E64E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AD7223AB-4303-4BB4-B429-9AD577098FC6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A7A01835-0D62-4E17-B5D3-29617F9A2C54}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AB65EFF9-89FF-4908-B020-27B387103BC5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BAE68C0C-8149-4961-9896-8039AF36957F}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EAF90D6A-7FFD-4F0D-AEA8-F51502124F96}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{EDAD4B30-872F-4623-A506-44FFDD4E1067}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 OAmon;OAmon;c:\windows\System32\drivers\OAmon.sys [8/28/2009 2:44 PM 24656]
S1 OADevice;OADriver;c:\windows\System32\drivers\OADriver.sys [8/28/2009 2:44 PM 200784]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [8/28/2009 2:44 PM 362184]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [8/28/2009 2:44 PM 3142344]
S3 netr73;Amigo RT73 Wireless Driver for Vista;c:\windows\System32\drivers\netr73.sys [8/26/2009 5:31 PM 255488]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 10:44
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1796)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2009-08-31 10:45
ComboFix-quarantined-files.txt 2009-08-31 17:45

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 289,057,923,072 bytes free

233

I also have about six or seven service hosts running with high CPU usage, such as SearchFilterHost.exe, SearchIndexer.exe, SearchProtocolHost.exe and Trusted Installer (very, very high usage).

I am still not able to run in normal mode. I tried after running ComboFix in Safe Mode, and after I log on with my password I still get a pitch-black screen. Nothing else comes up. Don't know what's going on here!

Edited by kymberly, 02 September 2009 - 11:19 PM.


#5 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 03 September 2009 - 09:52 AM

Those processes are part of Windows. They are legitimate files. That said, I did find where they can cause problems. Does this installation of Windows Vista have SP1 installed? How about SP2? If you don't know, go to the Control Panel and open the System control panel. It will tell you there. If either of them is installed, it will say so right up near the top, in the Windows edition section.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#6 kymberly (Topic Starter, Banned, 387 posts)

Posted 04 September 2009 - 12:04 PM

OK, hope this is right because I am in Safe Mode with Networking. I can't do Windows normal mode because something is preventing me from starting normal mode once again. I went to Control Panel and believe it's Microsoft .NET Framework 3.5 SP1. Something is most certainly lurking and hiding on my system.

#7 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 04 September 2009 - 07:18 PM

I need you to go to the Administrative Tools in Vista; they are in the Control Panel. Open the Admin tools, then open the Event Viewer.

1. On the left-hand side, expand the Windows Logs category and then click on System.
2. At the top, click Action and then Save Events As. Type system as the file name, make sure the file type EVTX is selected, navigate so it will save the file to your desktop, then click Save.
3. On the left-hand side, click on Application.
4. At the top, click Action and then Save Events As. Type application as the file name, make sure the file type EVTX is selected, navigate so it will save the file to your desktop, then click Save.

Zip them both up into a single zip file and post them back here in your next reply as attachments.

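The same export can be done from a PowerShell prompt, which is handy when the desktop will not come up in normal mode. This is an added example, not part of Hoov's post: it writes system.evtx and application.evtx to the desktop with wevtutil and zips them. It assumes PowerShell is installed on the Vista machine (it is an optional component there) and that wevtutil.exe is on the PATH.

```powershell
# Added example, not from the original thread. Exports the System and Application
# channels to .evtx files on the desktop and zips them, which is what the Event
# Viewer steps above do by hand. Assumes PowerShell and wevtutil.exe are available.
$desktop  = [Environment]::GetFolderPath('Desktop')
$exported = @()

foreach ($log in 'System', 'Application') {
    $out = Join-Path $desktop ($log.ToLower() + '.evtx')
    # wevtutil epl = "export log": copies the live channel to a .evtx file.
    # /ow overwrites an export left over from an earlier attempt.
    & wevtutil.exe epl $log $out /ow
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for $log (exit code $LASTEXITCODE)" }
    $exported += $out
}

# Vista has no Compress-Archive. A zip file that holds only the 22-byte
# "end of central directory" record is a valid empty archive; once it exists,
# the Explorer shell object can copy files into it.
$zip    = Join-Path $desktop 'eventlogs.zip'
$header = New-Object byte[] 22
$header[0] = 0x50; $header[1] = 0x4B; $header[2] = 0x05; $header[3] = 0x06   # "PK" 05 06
[IO.File]::WriteAllBytes($zip, $header)

$shell  = New-Object -ComObject Shell.Application
$folder = $shell.NameSpace($zip)
foreach ($file in $exported) {
    $before = $folder.Items().Count
    $folder.CopyHere($file)
    # CopyHere returns immediately; wait for the entry to land before adding the next.
    while ($folder.Items().Count -le $before) { Start-Sleep -Milliseconds 500 }
}
Get-Item $zip | Select-Object FullName, Length
```

wevtutil writes only the .evtx file. The LocaleMetaData folder that Event Viewer's Save Events As creates next to the file comes from its "display information" option, which stores the rendered message text for the chosen language; it is not needed for the log to be read on another machine.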
#8 kymberly (Topic Starter, Banned, 387 posts)

Posted 06 September 2009 - 10:56 PM

Hoov, I also noticed while I was visiting the Event Viewer that two messages stuck in my mind: "A logon was attempted using explicit credentials" and "A cryptographic self test was performed". Don't know why, but that first one is very suspicious; I noticed all kinds of logons allowed on this computer. Also, after I created the application and system files, a folder popped up on my desktop named LocaleMetaData which I did not create. I cannot upload the System file because it states it was larger than the available space; I will try again.

Attached Files


Edited by kymberly, 06 September 2009 - 10:57 PM.

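"A logon was attempted using explicit credentials" is Security event ID 4648, and the message alone does not say whether it is routine. What tells you is which process asked for the logon, which account it targeted, and whether a remote server was involved. The example below is added here and is not part of anyone's post: it pulls the 4648 events out of the Security log (or out of an exported security.evtx, since that channel is not among the two Hoov asked for) and groups them by requesting process. It assumes PowerShell 2.0 or later for Get-WinEvent, and an elevated prompt if the live Security log is read.

```powershell
# Added example, not from the original thread. Lists Security event 4648
# ("A logon was attempted using explicit credentials") with the fields that say
# who requested the logon. Assumes PowerShell 2.0+ (Get-WinEvent). Set $Path to an
# exported security.evtx, or leave it empty to read the live log (needs elevation).
$Path = ''      # e.g. 'C:\Users\I love Pink\Desktop\security.evtx'
$Last = 50      # how many of the most recent 4648 events to examine

$filter = @{ Id = 4648 }
if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $Last -ErrorAction SilentlyContinue
if (-not $events) { Write-Host 'No 4648 events found.'; return }

$rows = foreach ($e in $events) {
    # The EventData block carries named fields; pull them into a hashtable.
    [xml]$x = $e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Subject  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']   # who asked
        Target   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']     # credentials used
        Server   = $d['TargetServerName']   # "localhost" for local use, a host name for remote
        Process  = $d['ProcessName']        # the executable that supplied the credentials
        SourceIP = $d['IpAddress']
    }
}

# Explicit-credential logons made by services or the task scheduler for a local
# account are common. An executable you do not recognise, or a TargetServerName
# that is not this machine, is what deserves a closer look.
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Sort-Object Time -Descending |
    Format-Table Time, Subject, Target, Server, Process, SourceIP -AutoSize
```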

#9 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 07 September 2009 - 06:16 PM

I have sent you a PM on what to do with the logs.

#10 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 07 September 2009 - 06:19 PM

About the folder LocaleMetaData, it belongs in the C:\Users\username\Documents folder. It is a legit folder. I am looking at the other things in the log.

#11 kymberly (Topic Starter, Banned, 387 posts)

Posted 09 September 2009 - 12:53 PM

Hoov, it is getting worse and I am afraid I am not going to be able to get on the internet. When I try to get on the internet it stalls and makes a clicking sound constantly; I can't move the mouse or anything. It just stalls with the clicking noise. If I don't respond it's not because I'm busy, it will be because I can't get to your web page. Do you know what Qoobox is?

Attached Files



#12 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 09 September 2009 - 03:26 PM

Qoobox is from ComboFix. Leave it be for right now.

There is something else to try to improve the connectivity:

1. Click Start, click Run, type cmd, and press CTRL+SHIFT+Enter.
2. Type netsh winsock reset and then press the ENTER key.
3. Type exit and press ENTER.
4. Restart the computer.

Do you have your Vista install DVD?

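CTRL+SHIFT+Enter in the Run box is what gets the elevated prompt; from a plain prompt, netsh winsock reset fails with "The requested operation requires elevation". The script below is an added example, not part of Hoov's post. It checks for elevation and relaunches itself through UAC if needed, saves a copy of the Winsock catalog before the reset so you can see which layered service providers were registered (a third-party LSP is one of the classic causes of a stalled connection), and then performs the reset. It assumes PowerShell is installed and that the script is saved as a .ps1 file so it can relaunch itself.

```powershell
# Added example, not from the original thread. Runs "netsh winsock reset" elevated,
# after recording the Winsock catalog so the LSPs it removes are known.
# Assumes PowerShell is installed and this code is saved as a .ps1 file.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    # Not elevated: netsh would stop with "The requested operation requires elevation".
    # Relaunch this script through the UAC prompt and let the unelevated copy exit.
    $args = '-ExecutionPolicy Bypass -File "{0}"' -f $MyInvocation.MyCommand.Path
    Start-Process powershell.exe -Verb RunAs -ArgumentList $args
    return
}

# Snapshot the catalog before touching it; the reset rebuilds it from defaults,
# so this file is the only record of what was installed.
$catalog = & netsh.exe winsock show catalog
$catalog | Out-File (Join-Path ([Environment]::GetFolderPath('Desktop')) 'winsock-catalog-before.txt')

# Each catalog entry carries a "Provider Path:" line. Windows' own providers live
# under system32; anything elsewhere, or a DLL you do not recognise, is worth
# noting before the reset removes it.
$paths = $catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') { $Matches[1] }
} | Sort-Object -Unique
foreach ($p in $paths) {
    $expanded = [Environment]::ExpandEnvironmentVariables($p)
    $flag = if ($expanded -like "$env:SystemRoot\system32\*") { '' } else { '   <-- review' }
    Write-Host ($p + $flag)
}

& netsh.exe winsock reset
if ($LASTEXITCODE -eq 0) { Write-Host 'Winsock catalog reset. Restart the computer to finish.' }
```

Run it from Safe Mode with Networking as well; the elevation check is the same there, since Safe Mode does not remove UAC.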
#13 kymberly (Topic Starter, Banned, 387 posts)

Posted 09 September 2009 - 03:43 PM

Hoov, I was able to run Dr.Web CureIt in Safe Mode and this is what it found for the 100th time. I explained to m0le that this could not be deleted and that it was installed in my HP Games. Well, it's back once again and more aggressive. It stops everything and disables my Online Armor and firewall, and it is not being caught by Avira either. It could not be deleted or cured. OK, I am in Safe Mode with Networking and tried that, and it gave me a message: "The requested operation requires elevation." I spaced after each command, netsh (space) winsock (space) reset, then Enter; nothing happens.

Attached Files


Edited by kymberly, 09 September 2009 - 03:48 PM.


#14 Hoov (Malware Response Team, 3,519 posts, Location: Mikado Michigan)

Posted 09 September 2009 - 03:51 PM

Do you have your installation DVD?

#15 kymberly (Topic Starter, Banned, 387 posts)

Posted 09 September 2009 - 03:58 PM

Yes, I do have a DVD but believe that it is corrupt! That's the same CD I just used the other day with this installation, and whatever it is, it's not removing this. I also notice that I have explorer.exe and iexplore.exe, which is not good per Google research on this. Desktop (dwm.exe) is very, very high.
