
Plagued by Protection System Rogue AV


  • This topic is locked
31 replies to this topic

#1 elbarracho

elbarracho

  • Members
  • 35 posts
  • OFFLINE

Posted 16 September 2009 - 10:53 AM

Ok, where to start. I was infected by a Protection System rogue AV. This bug prevents me from running a Malwarebytes scan. It also pops up a bogus Windows Security Center and various ads for spyware. I was instructed by a member to post here as she could not remedy the situation. I have attached a DDS log as well as a link to the work we did hitherto.

http://www.bleepingcomputer.com/forums/t/257334/protection-system-rootkit-needs-to-be-removed/

Attached Files

  • Attached File  DDS1.txt   15.06KB   4 downloads



#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 16 September 2009 - 01:21 PM

Hi,

I will handle your log. As I am in training, all my answers have to be approved by my Coaches.
I hope you understand.

I'll get back to you as soon as is possible.

#3 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 16 September 2009 - 02:48 PM

Hi,

1. Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

2. Remove the C:\DDS folder, and run DDS again. Post both logs, together with the logfile from GMER.

#4 elbarracho

elbarracho
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE

Posted 17 September 2009 - 10:40 AM

Thanks again. Here is the log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-17 11:38:23
Windows 5.1.2600 Service Pack 2
Running: b5ydb964.exe; Driver: C:\DOCUME~1\pinky\LOCALS~1\Temp\fxdoyaob.sys


---- System - GMER 1.0.15 ----

Code 847A41D0 ZwEnumerateKey
Code 8468FE40 ZwFlushInstructionCache
Code 8477F156 IofCallDriver
Code 846D86BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 8477F15B
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 846D86C3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 8468FE44
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 847A41D4
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\Iexplore.exe[1412] WININET.dll!HttpAddRequestHeadersA 771C40A2 5 Bytes JMP 00C4000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[1412] WININET.dll!HttpAddRequestHeadersW 771CEEDC 5 Bytes JMP 00D3000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1412] WS2_32.dll!connect 71AB406A 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1412] WS2_32.dll!send 71AB428A 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1412] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 100129A0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2208] WS2_32.dll!connect 71AB406A 5 Bytes JMP 010227E0 \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2208] WS2_32.dll!send 71AB428A 5 Bytes JMP 010227C0 \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2208] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 010229A0 \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [264] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [492] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [912] 0x024C0000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1156] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1264] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1312] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtnbsshaqew.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1412] 0x00A90000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1772] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1892] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2208] 0x01010000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\geyekrperaqfhw.sys (*** hidden *** ) [SYSTEM] geyekrpnwspjcr <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACpavjpgifix.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr@imagepath \systemroot\system32\drivers\geyekrperaqfhw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrperaqfhw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\modules@geyekrcmd.dll \systemroot\system32\geyekrnlipcgoo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\modules@geyekrlog.dat \systemroot\system32\geyekreenhrnxc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\modules@geyekrwsp.dll \systemroot\system32\geyekrvnwtmwrd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\modules@geyekr.dat \systemroot\system32\geyekruxxyvcsv.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpavjpgifix.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACpavjpgifix.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACobeeusxdlb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACfgaywmrecu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACxqvskvnetv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACtnbsshaqew.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACerrors \\?\globalroot\systemroot\system32\UAClyxufrrnti.log
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr@imagepath \systemroot\system32\drivers\geyekrperaqfhw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrperaqfhw.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\modules@geyekrcmd.dll \systemroot\system32\geyekrnlipcgoo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\modules@geyekrlog.dat \systemroot\system32\geyekreenhrnxc.dat
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\modules@geyekrwsp.dll \systemroot\system32\geyekrvnwtmwrd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\modules@geyekr.dat \systemroot\system32\geyekruxxyvcsv.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpavjpgifix.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACpavjpgifix.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACobeeusxdlb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACfgaywmrecu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACxqvskvnetv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACtnbsshaqew.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacqqepvcjysg.dll.227b1c9354bb2cebd6fc73437dc3.aawqff 74244 bytes
File C:\Documents and Settings\pinky\Application Data\Apple Computer\Logs\CrashReporter\MobileDevice\pinkys iPhone\6thElement.sol 401 bytes
File C:\Documents and Settings\pinky\Application Data\Apple Computer\Logs\CrashReporter\MobileDevice\pinkys iPhone\_f5e.swf 0 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\AppEvent.Evt 524288 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\default 524288 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\default.LOG 1024 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\default.sav 94208 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\SAM 262144 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\SAM.LOG 1024 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\SecEvent.Evt 524288 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\SECURITY 262144 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\SECURITY.LOG 1024 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\software 26738688 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\software.LOG 1024 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\software.sav 634880 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\SysEvent.Evt 524288 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\system 5242880 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\system.LOG 1024 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\system.sav 876544 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\systemprofile 0 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\TempKey.LOG 1024 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\userdiff 262144 bytes
File C:\Documents and Settings\pinky\Application Data\Sun\Java\Deployment\cache\6.0\11\userdiff.LOG 1024 bytes
File C:\Documents and Settings\pinky\Local Settings\Temp\UAC4c97.tmp 61440 bytes executable
File C:\Documents and Settings\pinky\Local Settings\Temp\UAC4ca7.tmp 343040 bytes executable

---- EOF - GMER 1.0.15 ----
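
As an added example (not code from this thread, from GMER's authors, or from BleepingComputer), here is a small Python parser for the GMER output posted above. It walks the log section by section, pulls out the kernel and user-mode inline hooks, the hidden libraries with the processes they were found in, the hidden services and their registry image paths, then correlates the user-mode hooks with the hidden DLLs they jump into and lists the service names and on-disk files an analyst would want to verify before building a removal script like the OTM one later in the thread. The sample log is a cut-down copy of the lines in the post (blank lines removed); mapping `\systemroot` and `\\?\globalroot\systemroot` onto `C:\WINDOWS` is an assumption taken from the process paths in the log, and every function name here is my own.

```python
import re

# Constructed sample: lines copied from the GMER log posted above, cut down
# (blank lines removed) so the parser runs offline without the full file.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15087 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 8477F15B
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 846D86C3
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 847A41D4
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\Iexplore.exe[1412] WS2_32.dll!connect 71AB406A 5 Bytes JMP 100127E0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2208] WS2_32.dll!send 71AB428A 5 Bytes JMP 010227C0 \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACqqepvcjysg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [264] 0x10000000
Library \\?\globalroot\systemroot\system32\UACtnbsshaqew.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1412] 0x00A90000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\geyekrperaqfhw.sys (*** hidden *** ) [SYSTEM] geyekrpnwspjcr <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACpavjpgifix.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr@imagepath \systemroot\system32\drivers\geyekrperaqfhw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACpavjpgifix.sys
"""

HEX = r"[0-9A-Fa-f]+"
SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# kernel lines: ".text module!function addr N Bytes JMP target" (no PID)
KERNEL_HOOK_RE = re.compile(rf"^\S+\s+([^\s!]+)!(\w+)\s+{HEX}\s+\d+ Bytes\s+\w+\s+({HEX})")
# user lines: ".text <process>[pid] module!function addr N Bytes JMP target [owning dll]"
USER_HOOK_RE = re.compile(
    rf"^\.text\s+(.+?)\[(\d+)\]\s+([^\s!]+)!(\w+)\s+{HEX}\s+\d+ Bytes\s+\w+\s+{HEX}(?:\s+(\S+))?\s*$")
HIDDEN_LIB_RE = re.compile(r"^Library\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(.+?)\s+\[(\d+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
IMAGEPATH_RE = re.compile(r"^Reg\s+(\S+)@imagepath\s+(\S+)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_gmer_log(text):
    """Walk the log section by section and keep the entries that matter."""
    f = {"kernel_hooks": [], "user_hooks": [], "hidden_libraries": [],
         "hidden_services": [], "service_image_paths": {}}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "Kernel code sections" and (m := KERNEL_HOOK_RE.match(line)):
            f["kernel_hooks"].append({"module": m[1], "function": m[2], "target": m[3]})
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            f["user_hooks"].append({"process": m[1], "pid": int(m[2]), "module": m[3],
                                    "function": m[4], "target_module": m[5]})
        elif section == "Processes" and (m := HIDDEN_LIB_RE.match(line)):
            f["hidden_libraries"].append({"module": m[1], "process": m[2], "pid": int(m[3])})
        elif section == "Services" and (m := HIDDEN_SVC_RE.match(line)):
            f["hidden_services"].append({"path": m[1], "account": m[2], "name": m[3]})
        elif section == "Registry" and (m := IMAGEPATH_RE.match(line)):
            f["service_image_paths"][basename(m[1])] = m[2]  # service name -> driver path
    return f

def analyze(f):
    """Correlate sections: which user-mode hooks lead into which hidden DLLs."""
    hidden = {basename(lib["module"]).lower() for lib in f["hidden_libraries"]}
    attributed, unattributed = [], []
    for h in f["user_hooks"]:
        where = f'{basename(h["process"])}[{h["pid"]}] {h["module"]}!{h["function"]}'
        target = h["target_module"]
        if target and basename(target).lower() in hidden:
            attributed.append(f"{where} -> {basename(target)}")
        else:
            unattributed.append(where)  # GMER could not name the owning module
    return {
        "hidden_services": sorted(s["name"] for s in f["hidden_services"]),
        "hidden_modules": sorted({basename(lib["module"]) for lib in f["hidden_libraries"]}),
        "injected_processes": sorted({f'{basename(lib["process"])}[{lib["pid"]}]'
                                      for lib in f["hidden_libraries"]}),
        "kernel_hooks": [f'{h["module"]}!{h["function"]}' for h in f["kernel_hooks"]],
        "hooks_into_hidden_modules": attributed,
        "hooks_unattributed": unattributed,
    }

def normalize_path(path, system_root=r"C:\WINDOWS"):
    r"""Map GMER's \\?\globalroot\systemroot and \systemroot spellings onto a drive
    path. system_root is an assumption: the process paths in the log use C:\WINDOWS."""
    low = path.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if low.startswith(prefix):
            return system_root + path[len(prefix):]
    return path

def removal_targets(f, system_root=r"C:\WINDOWS"):
    """Service names and on-disk files to verify (hash, submit) before any cleanup."""
    files = {}
    for path in ([s["path"] for s in f["hidden_services"]]
                 + list(f["service_image_paths"].values())
                 + [lib["module"] for lib in f["hidden_libraries"]]):
        p = normalize_path(path, system_root)
        files.setdefault(p.lower(), p)  # case-insensitive de-duplication
    return {"services": sorted(s["name"] for s in f["hidden_services"]),
            "files": sorted(files.values())}

if __name__ == "__main__":
    findings = parse_gmer_log(SAMPLE_GMER_LOG)
    print(analyze(findings))
    print(removal_targets(findings))
```

Run against the sample, the correlation step shows the Firefox `WS2_32.dll!send` hook landing inside `UACqqepvcjysg.dll`, which the Processes section lists as a hidden library in every svchost.exe, while the Internet Explorer hooks come back unattributed because GMER printed no owning module for them. The `removal_targets` output matches the services and driver/DLL paths that the helper's later OTM script deletes, which is the kind of cross-check worth doing before trusting a hand-written cleanup list.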

#5 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 18 September 2009 - 01:39 AM

Hi,

Can you also please perform step 2? I need the DDS logs too. :(

#6 elbarracho

elbarracho
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE

Posted 18 September 2009 - 01:51 AM

DDS (Ver_09-07-30.01) - NTFSx86
Run by pinky at 2:48:12.14 on Fri 09/18/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.108 [GMT -4:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Documents and Settings\pinky\Desktop\Security\b5ydb964.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\pinky\Desktop\Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.averatec.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet1.04\tools\BitCometBHO_1.2.8.7.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [Google Update] "c:\documents and settings\pinky\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Protection System] "c:\program files\protection system\psystem.exe" -noscan
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PHIME2002ASync] c:\windows\system\dumprep.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet1.04\tools\BitCometBHO_1.2.8.7.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096453339343
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pinky\applic~1\mozilla\firefox\profiles\t4kbs3up.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pressdemocrat.com
FF - component: c:\documents and settings\pinky\application data\mozilla\firefox\profiles\t4kbs3up.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - plugin: c:\documents and settings\pinky\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pinky\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-28 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-27 28544]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2009-5-24 6097]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 Ktp3;Elantech TouchPad(KTP3);c:\windows\system32\drivers\Ktp3.sys [2002-1-24 24704]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2009-5-24 299923]
S3 VVRUSB;VVRUSB Device;c:\windows\system32\drivers\VVRUSB.sys [2005-4-25 38479]

=============== Created Last 30 ================

2009-09-14 14:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 14:44 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-14 14:44 <DIR> --d----- c:\program files\winlogon
2009-09-10 12:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 04:30 <DIR> --d----- c:\program files\Protection System
2009-09-09 02:18 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-08-19 12:55 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 23:04 48,913 a------- c:\windows\system32\geyekreenhrnxc.dat
2009-07-28 21:24 0 a------- c:\documents and settings\pinky\settings.dat
2009-07-18 20:07 40,448 a------- c:\windows\system32\geyekrnlipcgoo.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 10:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2007-12-04 12:40 2,293,848 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 2:49:20.70 ===============

#7 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 18 September 2009 - 07:33 AM

Hi,

Can you please post the other logfile from DDS (located on your C-drive) too? :(

#8 elbarracho

elbarracho
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE

Posted 18 September 2009 - 11:29 AM

Sorry, my brain was not working right last night. This is the dds log that I saved to my desktop.

Attached Files

  • Attached File  dds4.txt   15.58KB   4 downloads


#9 elbarracho

elbarracho
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE

Posted 18 September 2009 - 09:05 PM

Is this the right log?

#10 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 19 September 2009 - 09:40 AM

Hi,

1. Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitComet 1.04). These programmes allow you to share files between users, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

2. Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • J2SE Runtime Environment 5.0 Update 2
  • Java™ SE Runtime Environment 6 Update 1
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

3. Download OTM (by OldTimer) to your Desktop.
* Double-click on OTM.exe to start the tool.
* Copy (select and press Ctrl-C) all of this bold code:
:Processes
explorer.exe

:Services
geyekrpnwspjcr 
UACd.sys

:Reg
[-HKLM\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr]
[-HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys]
[-HKLM\SYSTEM\ControlSet002\Services\geyekrpnwspjcr]
[-HKLM\SYSTEM\ControlSet002\Services\UACd.sys]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Protection System"=-

:Files
C:\Documents and settings\pinky\Local Settings\Temp\fxdoyaob.sys
C:\WINDOWS\system32\drivers\geyekrperaqfhw.sys 
C:\WINDOWS\system32\drivers\UACpavjpgifix.sys
C:\WINDOWS\system32\UACqqepvcjysg.dll
C:\WINDOWS\system32\UACtnbsshaqew.dll
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacqqepvcjysg.dll.227b1c9354bb2cebd6fc73437dc3.aawqff
C:\Documents and Settings\pinky\Local Settings\Temp\UAC4c97.tmp
C:\Documents and Settings\pinky\Local Settings\Temp\UAC4ca7.tmp
c:\program files\winlogon
c:\program files\protection system
c:\windows\system32\geyekrnlipcgoo.dll
c:\documents and settings\pinky\settings.dat
c:\windows\system32\geyekreenhrnxc.dat

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Paste the copied text (press Ctrl-V) into the "Paste List of Files/Folders to be moved" window.
* Click on the red MoveIt! button
* Copy and paste the contents of the right result-screen in your next reply,
(or the log you can find back as C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log).
* Close OTM
When a file or folder can't be moved directly,
you could be asked to restart the computer to complete the removal process.
If so, click Yes.

4. Run DDS again, and post the logfile that opens. Also post the logfile from OTM.

#11 elbarracho

  • Topic Starter
  • Members
  • 35 posts

Posted 19 September 2009 - 02:23 PM

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Service\Driver geyekrpnwspjcr not found.
Service\Driver key geyekrpnwspjcr deleted successfully.
Service\Driver UACd.sys not found.
Service\Driver key UACd.sys deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrpnwspjcr\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\geyekrpnwspjcr\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Protection System deleted successfully.
========== FILES ==========
File/Folder C:\Documents and settings\pinky\Local Settings\Temp\fxdoyaob.sys not found.
C:\WINDOWS\system32\drivers\geyekrperaqfhw.sys moved successfully.
File/Folder C:\WINDOWS\system32\drivers\UACpavjpgifix.sys not found.
File/Folder C:\WINDOWS\system32\UACqqepvcjysg.dll not found.
File/Folder C:\WINDOWS\system32\UACtnbsshaqew.dll not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacqqepvcjysg.dll.227b1c9354bb2cebd6fc73437dc3.aawqff not found.
File/Folder C:\Documents and Settings\pinky\Local Settings\Temp\UAC4c97.tmp not found.
File/Folder C:\Documents and Settings\pinky\Local Settings\Temp\UAC4ca7.tmp not found.
c:\program files\winlogon\Languages moved successfully.
c:\program files\winlogon moved successfully.
c:\program files\Protection System moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\geyekrnlipcgoo.dll
c:\windows\system32\geyekrnlipcgoo.dll NOT unregistered.
c:\windows\system32\geyekrnlipcgoo.dll moved successfully.
c:\documents and settings\pinky\settings.dat moved successfully.
c:\windows\system32\geyekreenhrnxc.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65670 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65536 bytes

User: Guest
->Temp folder emptied: 3337037 bytes
->Temporary Internet Files folder emptied: 103746061 bytes
->Java cache emptied: 1867995 bytes
->FireFox cache emptied: 14693229 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 136579263 bytes

User: pinky
File delete failed. C:\Documents and Settings\pinky\Local Settings\Temp\Perflib_Perfdata_868.dat scheduled to be deleted on reboot.
->Temp folder emptied: 712063770 bytes
->Temporary Internet Files folder emptied: 596395883 bytes
->Java cache emptied: 496554470 bytes
->FireFox cache emptied: 97758484 bytes
->Apple Safari cache emptied: 106281479 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
Windows Temp folder emptied: 31422758 bytes
RecycleBin emptied: 169576158 bytes

Total Files Cleaned = -1738.90 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09192009_151432

Files moved on Reboot...
File C:\Documents and Settings\pinky\Local Settings\Temp\Perflib_Perfdata_868.dat not found!

Registry entries deleted on Reboot...


Here is the DDS:

DDS (Ver_09-07-30.01) - NTFSx86
Run by pinky at 15:21:00.73 on Sat 09/19/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.125 [GMT -4:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\pinky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pinky\Desktop\Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.averatec.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet1.04\tools\BitCometBHO_1.2.8.7.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [Google Update] "c:\documents and settings\pinky\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PHIME2002ASync] c:\windows\system\dumprep.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet1.04\tools\BitCometBHO_1.2.8.7.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096453339343
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pinky\applic~1\mozilla\firefox\profiles\t4kbs3up.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pressdemocrat.com
FF - component: c:\documents and settings\pinky\application data\mozilla\firefox\profiles\t4kbs3up.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - plugin: c:\documents and settings\pinky\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pinky\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-27 28544]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2009-5-24 6097]
S3 Ktp3;Elantech TouchPad(KTP3);c:\windows\system32\drivers\Ktp3.sys [2002-1-24 24704]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2009-5-24 299923]
S3 VVRUSB;VVRUSB Device;c:\windows\system32\drivers\VVRUSB.sys [2005-4-25 38479]

=============== Created Last 30 ================

2009-09-19 15:14 17,920 a------- c:\windows\system32\geyekrwsp.dll
2009-09-19 15:14 85 a------- c:\windows\system32\geyekrlog.dat
2009-09-19 15:14 <DIR> --d----- C:\_OTM
2009-09-14 14:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 14:44 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 12:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 02:18 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-09-09 00:49 19,968 a------- c:\windows\system32\UACtnbsshaqew.dll
2009-09-09 00:48 1,245,184 a------- c:\windows\system32\UACxqvskvnetv.dll
2009-09-09 00:48 217 a------- c:\windows\system32\UACfgaywmrecu.dat
2009-09-09 00:48 6,678 a------- c:\windows\system32\uacinit.dll
2009-09-09 00:48 74,240 a------- c:\windows\system32\UACqqepvcjysg.dll
2009-09-09 00:48 24,064 a------- c:\windows\system32\UACobeeusxdlb.dll
2009-09-09 00:48 50,176 a------- c:\windows\system32\drivers\UACpavjpgifix.sys

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2007-12-04 12:40 2,293,848 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 15:21:40.23 ===============


#12 Guest_superbird_*

  • Guests

Posted 20 September 2009 - 06:06 AM

Hi,

* Double-click on OTM.exe to start the tool.
* Copy (select and press Ctrl-C) all of this bold code:
:Processes
explorer.exe

:Files
c:\windows\system32\geyekrwsp.dll
c:\windows\system32\geyekrlog.dat
c:\windows\system32\UACtnbsshaqew.dll
c:\windows\system32\UACxqvskvnetv.dll
c:\windows\system32\UACfgaywmrecu.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqqepvcjysg.dll
c:\windows\system32\UACobeeusxdlb.dll
c:\windows\system32\drivers\UACpavjpgifix.sys

:Commands
[emptytemp]
[Reboot]
* Paste the copied text (press Ctrl-V) into the "Paste List of Files/Folders to be moved" window.
* Click on the red MoveIt! button
* Copy and paste the contents of the right result-screen in your next reply,
(or the log you can find back as C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log).
* Close OTM
When a file or folder can't be moved directly,
you could be asked to restart the computer to complete the removal process.
If so, click Yes.

Also please post a new DDS logfile.
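The helper's workflow in posts #10 and #12 is to read the randomly named UAC*/geyekr* files out of the DDS "Created Last 30" section and hand them to OTM in its :Files format. As an added example that is not part of this thread or of the DDS/OTM tools, the following Python script automates that step over constructed sample lines modelled on the logs posted here; the suspect prefixes and the system-directory list are assumptions drawn from this thread's logs, not a general rule.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Constructed sample input, shaped like the "Created Last 30" section of the
# DDS logs posted in this thread (date, time, size or <DIR>, attributes, path).
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2009-09-19 15:14 17,920 a------- c:\windows\system32\geyekrwsp.dll
2009-09-19 15:14 85 a------- c:\windows\system32\geyekrlog.dat
2009-09-19 15:14 <DIR> --d----- C:\_OTM
2009-09-14 14:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 14:44 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 12:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 00:49 19,968 a------- c:\windows\system32\UACtnbsshaqew.dll
2009-09-09 00:48 6,678 a------- c:\windows\system32\uacinit.dll
2009-09-09 00:48 50,176 a------- c:\windows\system32\drivers\UACpavjpgifix.sys

==================== Find3M ====================
"""

# File-name prefixes of the randomly named components seen in this thread's
# logs (assumption: they are specific to this infection, adjust per case).
SUSPECT_PREFIXES = ("uac", "geyekr")

# Directories where a freshly created, randomly named file deserves a look
# (assumption drawn from where the files sat in the posted logs).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system32\\drivers")

# One DDS entry line: date, time, size (digits with commas) or <DIR>,
# an 8-character attribute field, then the path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class DdsEntry:
    date: str
    time: str
    size: int  # -1 for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_dds_section(text: str, header: str = "Created Last 30") -> List[DdsEntry]:
    """Return the entries listed under one DDS section banner."""
    entries: List[DdsEntry] = []
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("=") and stripped.endswith("="):
            # Banner lines look like "=============== Created Last 30 ================";
            # any other banner (Find3M, FINISH) closes the section we want.
            in_section = header in stripped
            continue
        if not in_section or not stripped:
            continue
        m = ENTRY_RE.match(stripped)
        if not m:
            continue  # tolerate anything that is not an entry line
        size_text = m.group("size")
        size = -1 if size_text == "<DIR>" else int(size_text.replace(",", ""))
        entries.append(DdsEntry(m.group("date"), m.group("time"), size,
                                m.group("attrs"), m.group("path")))
    return entries


def suspect_paths(entries: Iterable[DdsEntry],
                  prefixes: Sequence[str] = SUSPECT_PREFIXES) -> List[str]:
    """Files inside a system directory whose name carries a suspect prefix."""
    hits: List[str] = []
    for e in entries:
        if e.is_dir:
            continue
        directory, _, name = e.path.lower().rpartition("\\")
        if directory in SYSTEM_DIRS and name.startswith(tuple(prefixes)):
            hits.append(e.path)  # keep the original casing for the script
    return hits


def build_otm_script(paths: Sequence[str]) -> str:
    """Lay out :Processes / :Files / :Commands sections in the OTM format used above."""
    lines = [":Processes", "explorer.exe", "", ":Files"]
    lines.extend(paths)
    lines.extend(["", ":Commands", "[emptytemp]", "[Reboot]", ""])
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_otm_script(suspect_paths(parse_dds_section(SAMPLE_DDS))))
```

Anything the heuristic flags still needs a human look before it goes into a removal script, exactly as the helper did here with the legitimate mbam*.sys drivers that share the same directory.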

#13 elbarracho

  • Topic Starter
  • Members
  • 35 posts

Posted 20 September 2009 - 11:04 AM

This one triggered a few runtime error messages.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\geyekrwsp.dll
c:\windows\system32\geyekrwsp.dll NOT unregistered.
c:\windows\system32\geyekrwsp.dll moved successfully.
c:\windows\system32\geyekrlog.dat moved successfully.
LoadLibrary failed for c:\windows\system32\UACtnbsshaqew.dll
c:\windows\system32\UACtnbsshaqew.dll NOT unregistered.
c:\windows\system32\UACtnbsshaqew.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACxqvskvnetv.dll
c:\windows\system32\UACxqvskvnetv.dll NOT unregistered.
c:\windows\system32\UACxqvskvnetv.dll moved successfully.
c:\windows\system32\UACfgaywmrecu.dat moved successfully.
LoadLibrary failed for c:\windows\system32\uacinit.dll
c:\windows\system32\uacinit.dll NOT unregistered.
c:\windows\system32\uacinit.dll moved successfully.
LoadLibrary failed for c:\windows\system32\UACqqepvcjysg.dll
c:\windows\system32\UACqqepvcjysg.dll NOT unregistered.
c:\windows\system32\UACqqepvcjysg.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACobeeusxdlb.dll
c:\windows\system32\UACobeeusxdlb.dll NOT unregistered.
c:\windows\system32\UACobeeusxdlb.dll moved successfully.
c:\windows\system32\drivers\UACpavjpgifix.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: pinky
File delete failed. C:\Documents and Settings\pinky\Local Settings\Temp\46F3D95.dmp scheduled to be deleted on reboot.
->Temp folder emptied: 1882528 bytes
File delete failed. C:\Documents and Settings\pinky\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 85858339 bytes
->Apple Safari cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 5226128 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 88.72 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09202009_115605

Files moved on Reboot...
File C:\Documents and Settings\pinky\Local Settings\Temp\46F3D95.dmp not found!

Registry entries deleted on Reboot...



DDS:
DDS (Ver_09-07-30.01) - NTFSx86
Run by pinky at 12:01:56.93 on Sun 09/20/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.114 [GMT -4:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pinky\Desktop\Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.averatec.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet1.04\tools\BitCometBHO_1.2.8.7.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [Google Update] "c:\documents and settings\pinky\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [MaxtorOneTouch] c:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PHIME2002ASync] c:\windows\system\dumprep.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet1.04\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet1.04\tools\BitCometBHO_1.2.8.7.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096453339343
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pinky\applic~1\mozilla\firefox\profiles\t4kbs3up.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pressdemocrat.com
FF - component: c:\documents and settings\pinky\application data\mozilla\firefox\profiles\t4kbs3up.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - plugin: c:\documents and settings\pinky\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pinky\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-27 28544]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2009-5-24 6097]
S3 Ktp3;Elantech TouchPad(KTP3);c:\windows\system32\drivers\Ktp3.sys [2002-1-24 24704]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2009-5-24 299923]
S3 VVRUSB;VVRUSB Device;c:\windows\system32\drivers\VVRUSB.sys [2005-4-25 38479]

=============== Created Last 30 ================

2009-09-19 15:14 <DIR> --d----- C:\_OTM
2009-09-14 14:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-14 14:44 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 12:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 02:18 102,664 a------- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2007-12-04 12:40 2,293,848 a------- c:\program files\FLV PlayerFCSetup.exe

============= FINISH: 12:02:35.23 ===============


This one triggered a few runtime error messages.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\geyekrwsp.dll
c:\windows\system32\geyekrwsp.dll NOT unregistered.
c:\windows\system32\geyekrwsp.dll moved successfully.
c:\windows\system32\geyekrlog.dat moved successfully.
LoadLibrary failed for c:\windows\system32\UACtnbsshaqew.dll
c:\windows\system32\UACtnbsshaqew.dll NOT unregistered.
c:\windows\system32\UACtnbsshaqew.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACxqvskvnetv.dll
c:\windows\system32\UACxqvskvnetv.dll NOT unregistered.
c:\windows\system32\UACxqvskvnetv.dll moved successfully.
c:\windows\system32\UACfgaywmrecu.dat moved successfully.
LoadLibrary failed for c:\windows\system32\uacinit.dll
c:\windows\system32\uacinit.dll NOT unregistered.
c:\windows\system32\uacinit.dll moved successfully.
LoadLibrary failed for c:\windows\system32\UACqqepvcjysg.dll
c:\windows\system32\UACqqepvcjysg.dll NOT unregistered.
c:\windows\system32\UACqqepvcjysg.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACobeeusxdlb.dll
c:\windows\system32\UACobeeusxdlb.dll NOT unregistered.
c:\windows\system32\UACobeeusxdlb.dll moved successfully.
c:\windows\system32\drivers\UACpavjpgifix.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: pinky
File delete failed. C:\Documents and Settings\pinky\Local Settings\Temp\46F3D95.dmp scheduled to be deleted on reboot.
->Temp folder emptied: 1882528 bytes
File delete failed. C:\Documents and Settings\pinky\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 85858339 bytes
->Apple Safari cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 5226128 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 88.72 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09202009_115605

Files moved on Reboot...
File C:\Documents and Settings\pinky\Local Settings\Temp\46F3D95.dmp not found!

Registry entries deleted on Reboot...


#14 Guest_superbird_*

  • Guests

Posted 20 September 2009 - 02:39 PM

Hi,

Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here

#15 elbarracho

  • Topic Starter
  • Members
  • 35 posts

Posted 20 September 2009 - 06:09 PM

The scan will not initiate because of missing Java runtime components. The required plugins will not download automatically. I tried to manually download the plugins to my desktop, but the scan still will not recognize them.


