Internet explorer 8 closes immediately after opening.


This topic is locked
14 replies to this topic

#1 Versani (Members)

Posted 04 January 2010 - 01:47 PM

I scanned with Malwarebytes, Spybot and SUPERAntiSpyware. I updated them all too. And I noticed my Comodo Internet Security had disappeared too; I didn't know what happened, but all of a sudden IE closes immediately after opening and I know that is bad. Can someone help me? This is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:16 PM, on 1/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\canttouchthis.exe" /runcleanupscript
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_v1004 Class) - http://www.netgame.com/mplugin/mglaunch_USAv1005.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca5674c7ad204c) (gupdate1ca5674c7ad204c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

--
End of file - 10864 bytes

Edit: Moved topic from Web Browsing/Email and Other Internet Applications to the more appropriate forum. ~ Animal
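
Added triage example (editor's code, not part of the thread and not HijackThis or DDS code): the entry in the log above that a responder checks first is `R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:5555`, which the DDS log later in the thread repeats. It makes IE send its HTTP traffic to a process on the same machine. That is benign only when a known local proxy (an antivirus web guard, a filtering proxy, a debugging proxy) is listening on that port; if nothing listens, every page load fails. The script parses HijackThis-format lines, rates a loopback ProxyServer "high", and lists for review the other entries worth verifying by hand: hosts-file sinkholes (the DDS log shows `127.0.0.1 www.spywareinfo.com`, a security site), O4 auto-start entries with no path (`ARPWRMSG.EXE` and `ALCXMNTR.EXE` above are resolved by PATH search) or in user-writable folders, O20 AppInit_DLLs and Winlogon Notify DLLs (guard32.dll here is dated with COMODO's cmdguard.sys and cmdhlp.sys in the DDS Find3M section, consistent with it being COMODO's own DLL, but the check is the same for any entry), O23 services HijackThis reports with "Unknown owner", and O16 ActiveX downloads from hosts other than Microsoft's or Sun's. The trusted-domain list for O16 and the user-writable folder list are assumptions. The sample lines are copied from the post, except the O1 line, which is constructed in HijackThis format from the DDS Hosts entry.

```python
"""Triage of HijackThis-style log entries. Added example: editor's code, not from the post.
Parses the R/O lines of the log above and flags what a responder verifies first."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis tag: R1, O4, O20, ...
    severity: str  # "high": likely tied to the symptom; "review": verify by hand
    reason: str
    line: str

_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_PROXY = re.compile(r"ProxyServer = (?P<value>\S+)")
_RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
_SERVICE = re.compile(r"^Service: .+? - (?P<owner>.+?) - .+$")
_DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")
_HOSTS = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
_EXE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|bat|cmd|pif))"?', re.IGNORECASE)
# Folders an unprivileged user can write to; auto-start code there is unusual (assumed list).
_USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\recycler\\")
# Assumption: O16 ActiveX installers from these domains are expected, anything else is reviewed.
_TRUSTED_DPF = ("microsoft.com", "windowsupdate.com", "java.sun.com")

def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":   # localhost, 127.0.0.0/8 or ::1: a proxy on this same machine
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def proxy_hosts(value: str) -> list:
    """'http=127.0.0.1:5555;https=gw:8080' or 'gw:8080' -> ['127.0.0.1', 'gw']."""
    hosts = []
    for item in value.split(";"):
        target = item.rpartition("=")[2]                       # drop a 'scheme=' prefix
        host = target.rsplit(":", 1)[0] if ":" in target else target
        if host:
            hosts.append(host)
    return hosts

def _check_run(cmd: str, raw: str) -> list:
    m = _EXE.match(cmd.strip())
    if not m:
        return []
    exe = m.group("exe")
    if "\\" not in exe:   # bare file name: Windows finds it by PATH search at logon
        return [Finding("O4", "review", f"no path for {exe}; resolved by PATH search, locate the file", raw)]
    if any(d in exe.lower() for d in _USER_WRITABLE):
        return [Finding("O4", "review", f"auto-start from a user-writable folder: {exe}", raw)]
    return []

def triage(lines) -> list:
    found = []
    for raw in lines:
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and (pm := _PROXY.search(body)):
            for host in proxy_hosts(pm.group("value")):
                if _is_loopback(host):   # all of IE's HTTP traffic goes to a process on this box
                    found.append(Finding(sec, "high", f"IE proxies through {host}; identify the "
                                         "listening process, if nothing listens page loads fail", raw))
        elif sec == "O1" and (hm := _HOSTS.match(body)):
            if _is_loopback(hm.group("ip")) and hm.group("host").lower() != "localhost":
                found.append(Finding(sec, "review", f"hosts file sinkholes {hm.group('host')}", raw))
        elif sec == "O4" and (rm := _RUN.match(body)):
            found.extend(_check_run(rm.group("cmd"), raw))
        elif sec == "O16" and (dm := _DPF.match(body)):
            host = re.sub(r"^\w+://", "", dm.group("url")).split("/")[0].lower()
            if not any(host == d or host.endswith("." + d) for d in _TRUSTED_DPF):
                found.append(Finding(sec, "review", f"ActiveX download from {host}", raw))
        elif sec == "O20":   # AppInit_DLLs / Winlogon Notify: DLLs loaded into other processes
            found.append(Finding(sec, "review", f"{body.split(':', 1)[0]} entry; verify its publisher", raw))
        elif sec == "O23" and (sm := _SERVICE.match(body)):
            if sm.group("owner").lower() == "unknown owner":
                found.append(Finding(sec, "review", "service binary carries no company name", raw))
    return found

# Sample input: lines copied from the HijackThis log in the post; the O1 line is constructed
# in HijackThis format from the "Hosts:" entry in the DDS log later in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.0.1 www.spywareinfo.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_v1004 Class) - http://www.netgame.com/mplugin/mglaunch_USAv1005.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```

On the machine itself, `netstat -ano | findstr :5555` followed by `tasklist /svc /fi "PID eq <pid>"` shows which process, if any, owns the proxy port. A setting that points at a port nobody listens on explains pages failing to load rather than IE exiting at launch, so it is the starting point for the triage, not the whole answer; once the process that set it is gone, the value is cleared under Internet Options > Connections > LAN settings.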

#2 Farbar (Security Developer, The Netherlands)

Posted 05 January 2010 - 08:25 AM

Hi Versani,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please post the required log as outlined here:

Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools, Instructions for receiving help in cleaning your computer

#3 Farbar (Security Developer, The Netherlands)

Posted 07 January 2010 - 03:04 PM

Are you still there? I'll wait one more day before closing the topic.

#4 Versani (Topic Starter)

Posted 08 January 2010 - 04:38 PM

You want me to do a DDS and RootRepeal log?

DDS: Two logs posted after the Avira log. I had Firefox and MSN running at the same time during this. Is that OK?

Also, I scanned after making this topic because I didn't know if anyone would help me, and I scanned with Avira AntiVir and this came up. However, even after quarantining I still have the IE problem.

Avira :

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1\ampx.exe
[0] Archive type: NSIS
--> [UnknownShellDir]/Nullsoft/ActiveX/ProxyConfig.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\4a\4\4a48d9e49ade4388e7051240da31425cef2593d5
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\79\b\79b9c522c505340d4ec75659cedaee2d997528b9
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\84\e\84ec837cff2cfcd28612f678c61dbab337820bf3
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\8e\1\8e1eef2bc5658bf155b94c58aa34448b59ec6423
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\c5\5\c55197034a3368b905ecf81ed0b350e3856b6e7b
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
C:\hp\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
C:\Program Files\Common Files\AOL\1143339122\ee\services\imApp\ver1_3_30\uninst.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
C:\Program Files\WildTangent\Apps\GameChannel\Games\AF012B1F-AFCE-45DB-8D6C-8AB06ADC1D6F\bass.dll
[WARNING] The file could not be opened!
C:\Program Files\WildTangent\Apps\GameChannel\Games\E44A47AF-C94B-4E3F-81A0-979FBA9DAC57\bass.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP102\A0136131.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP14\A0007835.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP14\A0008124.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP32\A0033536.rbf
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP6\A0000979.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP6\A0000992.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP63\A0071401.exe
[DETECTION] Is the TR/FakeAV.asp Trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP72\A0083110.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP72\A0083114.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP72\A0083118.exe
[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP95\A0129456.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.HMI Trojan
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\4a\4\4a48d9e49ade4388e7051240da31425cef2593d5
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE] The file was moved to '4b76bf5b.qua'!
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\79\b\79b9c522c505340d4ec75659cedaee2d997528b9
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE] The file was moved to '4ba4bf33.qua'!
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\84\e\84ec837cff2cfcd28612f678c61dbab337820bf3
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE] The file was moved to '4ba7bf2f.qua'!
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\8e\1\8e1eef2bc5658bf155b94c58aa34448b59ec6423
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE] The file was moved to '4b73bf60.qua'!
C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\c5\5\c55197034a3368b905ecf81ed0b350e3856b6e7b
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE] The file was moved to '4b77bf30.qua'!
C:\hp\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
[NOTE] The file was moved to '4baebf64.qua'!
C:\Program Files\Common Files\AOL\1143339122\ee\services\imApp\ver1_3_30\uninst.exe
[DETECTION] Contains recognition pattern of the ADSPY/AdSpy.Gen adware or spyware
[NOTE] The file was moved to '4babbf6a.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP32\A0033536.rbf
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b72bf2d.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP63\A0071401.exe
[DETECTION] Is the TR/FakeAV.asp Trojan
[NOTE] The file was moved to '4f37ce86.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP72\A0083118.exe
[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
[NOTE] The file was moved to '4acf7856.qua'!
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP95\A0129456.exe
[NOTE] The file was moved to '4b73bf2d.qua'!


End of the scan: Monday, January 04, 2010 20:24
Used time: 5:22:41 Hour(s)

The scan has been canceled!

23240 Scanned directories
1105159 Files were scanned
11 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
10 Files cannot be scanned
1105138 Files not concerned
16813 Archives were scanned
12 Warnings
12 Notes
307831 Objects were scanned with rootkit scan
0 Hidden objects were found




DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 16:40:46.37 on Fri 01/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.337 [GMT -8:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\arservice.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Documents and Settings\HP_Administrator.RAJ\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\canttouchthis.exe" /runcleanupscript
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://www.netgame.com/mplugin/mglaunch_USAv1005.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1.raj\applic~1\mozilla\firefox\profiles\wtg00ka0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-ab-en-us&query=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\hp_administrator.raj\application data\mozilla\firefox\profiles\wtg00ka0.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-4 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-4 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-11-28 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-11-28 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-4 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-4 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-4 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-11-28 723632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-6 210216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 gupdate1ca5674c7ad204c;Google Update Service (gupdate1ca5674c7ad204c);c:\program files\google\update\GoogleUpdate.exe [2009-10-26 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 XDva317;XDva317;\??\c:\windows\system32\xdva317.sys --> c:\windows\system32\XDva317.sys [?]

=============== Created Last 30 ================

2010-01-05 19:11:28 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-05 19:11:28 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-04 22:11:20 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-04 22:11:03 0 d-----w- c:\program files\Avira
2010-01-04 22:11:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-04 22:03:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-04 22:01:24 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-04 22:00:26 0 d-----w- c:\program files\Lavasoft
2010-01-01 03:39:03 0 d-----w- c:\program files\Full Tilt Poker
2009-12-30 20:12:47 4 ----a-w- c:\windows\msoffice.ini
2009-12-24 18:59:17 0 d-----w- c:\docume~1\hp_adm~1.raj\applic~1\Poker4ever
2009-12-21 03:36:23 0 d-----w- c:\windows\system32\Adobe
2009-12-17 12:46:51 0 d-----w- C:\Netgame
2009-12-15 08:26:31 0 d-----w- C:\CFLog
2009-12-15 08:20:31 0 d-----w- c:\program files\Z8Games
2009-12-15 06:04:51 0 d-----w- c:\program files\Perfect World Entertainment
2009-12-15 06:01:38 258352 ----a-w- c:\windows\system32\unicows.dll
2009-12-15 04:18:33 0 d-----w- c:\docume~1\hp_adm~1.raj\applic~1\GetRightToGo

==================== Find3M ====================

2010-01-09 00:18:18 360128 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-31 23:34:01 106496 ----a-w- c:\windows\DUMP5d91.tmp
2009-12-30 22:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 19:08:27 106496 ----a-w- c:\windows\DUMP5af1.tmp
2009-11-29 02:15:20 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-29 02:15:20 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-29 02:15:20 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:38:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2008-04-14 21:15:40 8356 ----a-w- c:\program files\INSTALL.LOG
2007-11-07 03:09:06 1120983 ----a-w- c:\program files\MbtNav.exe
2007-11-07 03:03:02 2982679 -c--a-w- c:\program files\MbtGrids.ocx
2007-11-07 03:02:58 549777 -c--a-w- c:\program files\MbtNavFrame.ocx
2007-11-07 03:01:02 1315795 -c--a-w- c:\program files\MbtCom.dll
2007-11-07 03:00:02 1019949 -c--a-w- c:\program files\MbtOrders.dll
2007-11-07 02:50:18 821781 -c--a-w- c:\program files\MbtQQ.ocx
2007-11-07 02:47:48 683005 -c--a-w- c:\program files\MbtOE.ocx
2007-11-07 02:43:18 402655 -c--a-w- c:\program files\MbtQuote.dll
2007-11-07 02:42:36 1285705 -c--a-w- c:\program files\MbtCommon.dll
2007-11-07 02:40:56 57773 -c--a-w- c:\program files\MbtInject.dll
2007-11-07 02:40:50 473319 -c--a-w- c:\program files\MBTInject2.dll
2007-09-17 21:48:14 67330 -c--a-w- c:\program files\mbtipc.dll
2007-04-03 23:17:04 640 -c--a-w- c:\program files\MbtNav.exe.manifest
2006-11-22 05:32:50 721592 -c--a-w- c:\program files\mbdll.dll
2006-05-23 05:31:26 250106 ----a-w- c:\program files\AtYourService.exe
2005-12-06 00:11:56 30044 ----a-w- c:\program files\mbmsg.exe
2004-03-17 16:13:22 1201 -c--a-w- c:\program files\register.bat
2002-09-04 19:34:00 154 ----a-w- c:\program files\MB Trading Chat.url
2002-07-27 00:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
2002-06-20 20:00:16 41472 -c--a-w- c:\program files\esmbtrade.dll
2008-07-09 12:51:37 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 16:43:47.96 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/26/2009 11:52:25 AM
System Uptime: 1/8/2010 4:18:03 PM (0 hours ago)

Motherboard: MSI | | AMETHYST-M
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 124.507 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 1.139 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/26/2009 2:36:57 PM - Software Distribution Service 3.0
RP2: 10/26/2009 3:14:01 PM - Installed Java™ 6 Update 15
RP3: 10/26/2009 3:17:48 PM - Installed Java™ 6 Update 16
RP4: 10/26/2009 3:19:38 PM - Software Distribution Service 3.0
RP5: 10/26/2009 3:28:25 PM - Installed Windows XP KB932823-v3.
RP6: 10/26/2009 3:38:39 PM - Configured easy Internet sign-up
RP7: 10/26/2009 3:47:37 PM - Installed Windows Internet Explorer 8.
RP8: 10/26/2009 3:49:01 PM - Software Distribution Service 3.0
RP9: 10/26/2009 4:10:47 PM - Installed AVG Free 9.0
RP10: 10/26/2009 4:15:56 PM - Avg8 Update
RP11: 10/26/2009 4:16:34 PM - Avg8 Update
RP12: 10/26/2009 4:32:56 PM - Configured easy Internet sign-up
RP13: 10/26/2009 8:39:40 PM - Installed QuickTime
RP14: 10/26/2009 10:35:53 PM - Software Distribution Service 3.0
RP15: 10/27/2009 12:10:11 AM - Installed Adobe Photoshop
RP16: 10/27/2009 12:13:40 AM - Installed Adobe Photoshop
RP17: 10/27/2009 12:32:28 AM - Installed Windows Media Player 11
RP18: 10/27/2009 12:33:10 AM - Installed Windows XP Media Center Edition 2005 KB925766.
RP19: 10/27/2009 12:34:07 AM - Installed Windows XP Wudf01000.
RP20: 10/27/2009 12:37:31 AM - Installed Windows XP MSCompPackV1.
RP21: 10/27/2009 12:39:01 AM - Installed Windows XP KB926239.
RP22: 10/27/2009 12:46:45 AM - Removed Norton Security Center
RP23: 10/27/2009 12:48:23 AM - Removed Quicken 2006
RP24: 10/27/2009 12:50:07 AM - Configured Customer Experience Enhancement
RP25: 10/27/2009 9:49:30 AM - Software Distribution Service 3.0
RP26: 10/27/2009 10:03:09 AM - Software Distribution Service 3.0
RP27: 10/27/2009 10:29:34 AM - Software Distribution Service 3.0
RP28: 10/28/2009 3:00:26 AM - Software Distribution Service 3.0
RP29: 10/28/2009 4:19:34 AM - Software Distribution Service 3.0
RP30: 10/29/2009 4:03:25 PM - Installed Zune software
RP31: 10/29/2009 4:03:31 PM - Software Distribution Service 3.0
RP32: 10/31/2009 3:47:17 PM - Software Distribution Service 3.0
RP33: 11/2/2009 4:00:45 AM - Software Distribution Service 3.0
RP34: 11/3/2009 1:20:29 PM - System Checkpoint
RP35: 11/4/2009 1:55:14 PM - System Checkpoint
RP36: 11/5/2009 4:00:29 AM - Software Distribution Service 3.0
RP37: 11/6/2009 11:20:49 AM - Printer Driver Lexmark X74-X75 Installed
RP38: 11/6/2009 11:21:45 AM - Installed ePhoneTools
RP39: 11/6/2009 11:22:01 AM - Printer Driver CAPTURE FAX BVRP Installed
RP40: 11/7/2009 3:01:44 PM - System Checkpoint
RP41: 11/9/2009 12:05:59 PM - System Checkpoint
RP42: 11/10/2009 9:13:39 AM - Avg8 Update
RP43: 11/10/2009 9:14:45 AM - Avg8 Update
RP44: 11/11/2009 4:18:10 AM - Software Distribution Service 3.0
RP45: 11/12/2009 9:16:45 AM - Avg8 Update
RP46: 11/13/2009 9:19:33 AM - System Checkpoint
RP47: 11/14/2009 9:19:57 AM - System Checkpoint
RP48: 11/14/2009 9:39:38 AM - Printer Driver Lexmark X74-X75 Installed
RP49: 11/14/2009 10:22:57 AM - Printer Driver Lexmark X74-X75 Installed
RP50: 11/16/2009 7:56:30 AM - System Checkpoint
RP51: 11/17/2009 8:19:19 PM - System Checkpoint
RP52: 11/17/2009 10:42:07 PM - Software Distribution Service 3.0
RP53: 11/17/2009 4:27:04 AM - System Checkpoint
RP54: 11/17/2009 1:27:01 PM - Software Distribution Service 3.0
RP55: 11/17/2009 8:53:53 PM - Printer Driver Microsoft XPS Document Writer Installed
RP56: 11/19/2009 6:23:19 AM - System Checkpoint
RP57: 11/19/2009 8:43:56 PM - Software Distribution Service 3.0
RP58: 11/20/2009 9:51:47 AM - Avg8 Update
RP59: 11/20/2009 9:52:26 AM - Avg8 Update
RP60: 11/22/2009 6:00:20 PM - System Checkpoint
RP61: 11/23/2009 9:43:45 PM - System Checkpoint
RP62: 11/24/2009 8:53:37 AM - Software Distribution Service 3.0
RP63: 11/25/2009 9:29:56 AM - System Checkpoint
RP64: 11/26/2009 1:23:26 AM - Software Distribution Service 3.0
RP65: 11/28/2009 5:14:55 PM - System Checkpoint
RP66: 11/28/2009 6:11:33 PM - Removed AVG Free 9.0
RP67: 11/28/2009 6:12:38 PM - Installed AVG Free 9.0
RP68: 11/28/2009 7:56:50 PM - Removed Adobe Reader 7.0
RP69: 11/28/2009 7:57:22 PM - Installed Adobe Reader 9.2.
RP70: 11/28/2009 7:59:34 PM - Removed ABBYY FineReader 5.0 Sprint
RP71: 11/30/2009 10:25:23 AM - System Checkpoint
RP72: 12/1/2009 1:25:04 PM - System Checkpoint
RP73: 12/2/2009 2:01:43 PM - System Checkpoint
RP74: 12/3/2009 9:29:22 PM - System Checkpoint
RP75: 12/5/2009 6:12:02 PM - Installed Java™ 6 Update 17
RP76: 12/6/2009 6:54:40 PM - System Checkpoint
RP77: 12/8/2009 12:40:32 PM - System Checkpoint
RP78: 12/9/2009 3:39:46 AM - Software Distribution Service 3.0
RP79: 12/9/2009 9:41:57 AM - Printer Driver Lexmark X74-X75 Installed
RP80: 12/9/2009 10:59:28 AM - Software Distribution Service 3.0
RP81: 12/9/2009 4:13:55 PM - Software Distribution Service 3.0
RP82: 12/11/2009 1:55:13 PM - System Checkpoint
RP83: 12/13/2009 6:46:17 PM - System Checkpoint
RP84: 12/14/2009 12:29:41 AM - Installed WOT for Internet Explorer
RP85: 12/15/2009 10:43:48 AM - System Checkpoint
RP86: 12/16/2009 11:21:50 AM - System Checkpoint
RP87: 12/19/2009 3:00:33 AM - Software Distribution Service 3.0
RP88: 12/20/2009 3:05:37 PM - Software Distribution Service 3.0
RP89: 12/21/2009 3:37:22 PM - System Checkpoint
RP90: 12/21/2009 1:21:49 PM - System Checkpoint
RP91: 12/22/2009 2:10:56 PM - System Checkpoint
RP92: 12/23/2009 4:58:54 PM - System Checkpoint
RP93: 12/25/2009 12:30:29 PM - System Checkpoint
RP94: 12/28/2009 9:26:22 AM - System Checkpoint
RP95: 12/29/2009 3:20:52 PM - System Checkpoint
RP96: 12/30/2009 10:19:08 PM - System Checkpoint
RP97: 12/31/2009 11:04:39 PM - System Checkpoint
RP98: 12/31/2009 9:06:24 PM - System Checkpoint
RP99: 12/31/2009 4:16:13 PM - System Checkpoint
RP100: 1/2/2010 6:20:56 PM - System Checkpoint
RP101: 1/4/2010 9:06:08 AM - System Checkpoint
RP102: 1/4/2010 2:09:41 PM - Avira AntiVir Personal - 1/4/2010 14:09
RP103: 1/5/2010 1:31:28 PM - Software Distribution Service 3.0
RP104: 1/6/2010 5:10:08 PM - System Checkpoint
RP105: 1/7/2010 9:07:19 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Ad-Aware
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Agere Systems PCI-SV92PP Soft Modem
AI RoboForm (All Users)
AiO_Scan
AiO_Scan_CDA
AiOSoftware
AiOSoftwareNPI
Apple Application Support
Apple Software Update
AstroPop Deluxe from HP Media Center (remove only)
ATI Control Panel
ATI Display Driver
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
BufferChm
CameraDrivers
CCleaner
COMODO Internet Security
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Cross Fire En
CueTour
Customer Experience Enhancement
DBFX Trading Station
Destinations
DeviceManagementQFolder
DivX Plus Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
Download Updater (AOL LLC)
Fax
Fax_CDA
FaxTools
FL Studio 9
Full Tilt Poker
Google Chrome
Google Update Helper
Hardcore
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Boot Optimizer
HP Deskjet Printer Preload
HP DigitalMedia Archive
HP Document Viewer 5.3
HP Game Console and games
HP Image Zone 5.3
HP Image Zone for Media Center PC
HP Imaging Device Functions 5.3
HP Multimedia Keyboard Software
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
HpSdpAppCoreApp
IL Download Manager
ImTOO DVD Ripper Platinum 5
InstantShareDevices
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 5
Lexmark X74-X75
LightScribe 1.4.56.1
Magic DVD Ripper V5.4.2
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
MBT MetaTrader 4.00
MBT Navigator
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Away Mode
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Money 2005
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
Microsoft Works
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Netscape Browser (remove only)
NewCopy
NewCopy_CDA
OPERATION7
Otto
PanoStandAlone
PC-Doctor 5 for Windows
PhotoGallery
PoiZone
Poker4ever
PS2
PSPrinters08
PSTAPlugin
Puzzle Express from HP Media Center (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RandMap
Readme
RealPlayer
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SkinsHP1
Skype web features
Skype™ 4.1
SolutionCenter
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Toxic Biohazard
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WOT for Internet Explorer
YouTube Downloader App 2.03
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

==== Event Viewer Messages From Past Week ========

1/5/2010 11:11:08 AM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 00000000, parameter3 f79739cc, parameter4 f79736c8.
1/5/2010 1:47:37 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.
1/5/2010 1:47:08 PM, error: System Error [1003] - Error code 00000019, parameter1 00000020, parameter2 e20d69c8, parameter3 e20d6a20, parameter4 0c0b0437.
1/5/2010 1:47:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
1/5/2010 1:47:07 PM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/5/2010 1:47:07 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}
1/2/2010 2:06:36 PM, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 02120000, parameter4 852a1008.
1/2/2010 2:06:33 PM, error: System Error [1003] - Error code 1000000a, parameter1 bf7f0150, parameter2 00000002, parameter3 00000001, parameter4 806e6a16.
1/2/2010 2:06:29 PM, error: System Error [1003] - Error code 100000c4, parameter1 00ffdff9, parameter2 000000ff, parameter3 00000001, parameter4 805450bf.
1/2/2010 2:06:24 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 80536ae6, parameter3 edff4bef, parameter4 00000000.
1/2/2010 1:59:45 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================


RootRepeal coming soon

Edited by Versani, 08 January 2010 - 04:57 PM.

#5 Farbar

Posted 08 January 2010 - 05:35 PM

I'll wait for RootRepeal log.

#6 Versani

Posted 08 January 2010 - 07:38 PM

RootRepeal log.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/08 19:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF11A1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A62000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xEDBBA000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_dajcixwgczbucwy
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_eshlucbshkv1zwf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_o80jzzrcufrfp5g
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-00000009.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000979.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000979.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000992.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000992.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0007835.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0007835.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0008124.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0008124.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0083110.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0083110.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0083114.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0083114.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0136131.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0136131.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-00000007.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-00000007.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-00000008.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-00000008.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-00000009.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000A.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000A.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000B.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000B.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000C.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000C.dll.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000D.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000D.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000E.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AVSCAN-0000000E.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\bass.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\bass.dll.info
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\DotNetMagic2005.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\DotNetMagic2005.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\ForexTrader.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\ForexTrader.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\ForexTrader.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\ForexTrader.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\nsoftware.IPWorks.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\RTLOC6ZL.7XY\K7DWMYHW.0EL\manifests\nsoftware.IPWorks.manifest
Status: Locked to the Windows API!

Path: c:\documents and settings\hp_administrator.raj\local settings\application data\google\chrome\user data\default\current session
Status: Size mismatch (API: 240122, Raw: 216956)

Path: c:\documents and settings\hp_administrator.raj\local settings\application data\google\chrome\user data\default\history-journal
Status: Size mismatch (API: 74384, Raw: 66176)

Path: C:\Documents and Settings\HP_Administrator.RAJ\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000043
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Administrator.RAJ\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000044
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1490bcc

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14901aa

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1490832

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b4074e

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf149008c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf149205c

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14922f4

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7b40744

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7b40753

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7b4075d

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf148fa84

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1491cde

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7b40762

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf149042e

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1490a0e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b40730

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14906be

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7b40735

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1491712

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b4076c

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf149263a

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7b40767

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1491a7a

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1490db2

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1491e8c

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b40758

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14903c8

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14905b2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf13150b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf148fe24

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494352

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494a76

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494486

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494936

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14945c6

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14946fa

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14941d2

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493424

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493ea2

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494834

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493c10

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493d52

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14938f4

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf149315c

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14935a6

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493752

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493ff2

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1493ab6

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14940e8

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf14932cc

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494adc

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf1494d10

==EOF==

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 08 January 2010 - 08:51 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Avira AntiVir Personal or COMODO Internet Security.

  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following programs via Add or Remove Programs if you are using them:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it, also remove the folder in bold: C:\Program Files\Viewpoint

  • Since you already have SUPERAntiSpyware and Malwarebytes' Anti-Malware, you may consider uninstalling Spybot - Search & Destroy.

  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @ECHO OFF
    REM Remove the per-user "use a proxy server" switch from the Internet Explorer / WinINET settings
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    REM Reset the machine-wide WinHTTP proxy configuration to direct access (no proxy)
    proxycfg -d
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click fix.bat on the desktop.
    • A window flashes; this is normal.
  • Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#8 Versani

Versani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 09 January 2010 - 04:58 PM

I haven't downloaded anything in a long time, and even though I'm not an expert, I am not sure if that's triggering IE's problem. However, I forgot to mention I uninstalled AOL, and ever since IE stopped working. I read how AOL can remove IE, thus it won't work. I installed IE again, and now I cannot even remove it even if I want to, and it still doesn't work. When I was going to do the good old uninstall/reinstall, it didn't have an uninstaller so... I just installed over it, but it still didn't work. Just my .2 cents ..

I didn't uninstall Spybot, it has saved me in the past. Both Superantispyware and Malwarebytes couldn't find a particular virus I had a long time ago, but Spybot did... so I am grateful for it.

I was going to uninstall Viewpoint Media Player, but it said I use it frequently and last used it a few days ago. I'll have to figure out how come I use it so much, and if I can uninstall it without it interfering with my activity.

I uninstalled Avira. I did the fix.bat thing. Can you tell me what that did and how to reverse it in case something happened? Though everything seems fine. Here's the new log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 13:52:50.04 on Sat 01/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.356 [GMT -8:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator.RAJ\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\canttouchthis.exe" /runcleanupscript
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://www.netgame.com/mplugin/mglaunch_USAv1005.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1.raj\applic~1\mozilla\firefox\profiles\wtg00ka0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-ab-en-us&query=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\hp_administrator.raj\application data\mozilla\firefox\profiles\wtg00ka0.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-4 64288]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-11-28 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-11-28 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-11-28 723632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-6 210216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
R4 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
R4 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-4 56816]
S2 gupdate1ca5674c7ad204c;Google Update Service (gupdate1ca5674c7ad204c);c:\program files\google\update\GoogleUpdate.exe [2009-10-26 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 XDva317;XDva317;\??\c:\windows\system32\xdva317.sys --> c:\windows\system32\XDva317.sys [?]

=============== Created Last 30 ================

2010-01-05 19:11:28 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-05 19:11:28 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-04 22:11:20 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-04 22:11:03 0 d-----w- c:\program files\Avira
2010-01-04 22:03:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-04 22:01:24 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-04 22:00:26 0 d-----w- c:\program files\Lavasoft
2010-01-01 03:39:03 0 d-----w- c:\program files\Full Tilt Poker
2009-12-30 20:12:47 4 ----a-w- c:\windows\msoffice.ini
2009-12-24 18:59:17 0 d-----w- c:\docume~1\hp_adm~1.raj\applic~1\Poker4ever
2009-12-21 03:36:23 0 d-----w- c:\windows\system32\Adobe
2009-12-17 12:46:51 0 d-----w- C:\Netgame
2009-12-15 08:26:31 0 d-----w- C:\CFLog
2009-12-15 08:20:31 0 d-----w- c:\program files\Z8Games
2009-12-15 06:04:51 0 d-----w- c:\program files\Perfect World Entertainment
2009-12-15 06:01:38 258352 ----a-w- c:\windows\system32\unicows.dll
2009-12-15 04:18:33 0 d-----w- c:\docume~1\hp_adm~1.raj\applic~1\GetRightToGo

==================== Find3M ====================

2010-01-09 21:34:39 360128 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 23:34:01 106496 ----a-w- c:\windows\DUMP5d91.tmp
2009-12-20 19:08:27 106496 ----a-w- c:\windows\DUMP5af1.tmp
2009-11-29 02:15:20 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-29 02:15:20 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-29 02:15:20 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:38:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-28 14:38:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2008-04-14 21:15:40 8356 ----a-w- c:\program files\INSTALL.LOG
2007-11-07 03:09:06 1120983 ----a-w- c:\program files\MbtNav.exe
2007-11-07 03:03:02 2982679 -c--a-w- c:\program files\MbtGrids.ocx
2007-11-07 03:02:58 549777 -c--a-w- c:\program files\MbtNavFrame.ocx
2007-11-07 03:01:02 1315795 -c--a-w- c:\program files\MbtCom.dll
2007-11-07 03:00:02 1019949 -c--a-w- c:\program files\MbtOrders.dll
2007-11-07 02:50:18 821781 -c--a-w- c:\program files\MbtQQ.ocx
2007-11-07 02:47:48 683005 -c--a-w- c:\program files\MbtOE.ocx
2007-11-07 02:43:18 402655 -c--a-w- c:\program files\MbtQuote.dll
2007-11-07 02:42:36 1285705 -c--a-w- c:\program files\MbtCommon.dll
2007-11-07 02:40:56 57773 -c--a-w- c:\program files\MbtInject.dll
2007-11-07 02:40:50 473319 -c--a-w- c:\program files\MBTInject2.dll
2007-09-17 21:48:14 67330 -c--a-w- c:\program files\mbtipc.dll
2007-04-03 23:17:04 640 -c--a-w- c:\program files\MbtNav.exe.manifest
2006-11-22 05:32:50 721592 -c--a-w- c:\program files\mbdll.dll
2006-05-23 05:31:26 250106 ----a-w- c:\program files\AtYourService.exe
2005-12-06 00:11:56 30044 ----a-w- c:\program files\mbmsg.exe
2004-03-17 16:13:22 1201 -c--a-w- c:\program files\register.bat
2002-09-04 19:34:00 154 ----a-w- c:\program files\MB Trading Chat.url
2002-07-27 00:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
2002-06-20 20:00:16 41472 -c--a-w- c:\program files\esmbtrade.dll
2008-07-09 12:51:37 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 13:55:31.96 ===============

Edited by Versani, 09 January 2010 - 05:01 PM.


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 09 January 2010 - 06:43 PM

That information and those recommendations don't mean anything other than information and recommendations, and you should not defend yourself or follow them.

That fix didn't change much; I tried to remove a proxy setting in Internet Explorer. Have you set a proxy yourself?

uInternet Settings,ProxyServer = http=127.0.0.1:5555


Your issue was that Internet Explorer closes after opening, but I see on the log it is running. Could you give me feedback to understand what is going on there at the other end?

C:\Program Files\Internet Explorer\iexplore.exe
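
As an added example (not a tool from this thread, and not part of DDS or GMER), the Python script below reads log lines in the format posted above and flags the things this thread turns on: an IE ProxyServer value pointing back at the local machine, SSDT hooks whose owning module GMER could not identify, and Hosts entries that send a name to 127.0.0.1. The sample lines are constructed from values in the logs above; note that fix.bat deletes only ProxyEnable, which is why ProxyServer is still listed in the second DDS log.

```python
import ntpath
import re

# Constructed sample lines in the format of the DDS and GMER logs posted in this
# thread (values taken from those logs; this is not a real log file).
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Hosts: 127.0.0.1 www.spywareinfo.com
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b40730
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xf14906be
"""

# Line shapes used by the two log formats above.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
SSDT_FN_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s+(\S+)$")
SSDT_HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_proxy(value):
    """Split an IE ProxyServer value into {scheme: host:port}.

    IE stores either a single 'host:port' (used for all protocols) or a
    ';'-separated list of 'scheme=host:port' entries.
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, target = part.partition("=")
        if not target:                      # plain 'host:port' form
            scheme, target = "all", scheme
        entries[scheme.strip().lower()] = target.strip()
    return entries


def is_loopback(target):
    """True when a 'host:port' target points back at the local machine."""
    host, _, _ = target.rpartition(":")
    return (host or target) in LOOPBACK


def triage(log_text):
    """Return (severity, message) findings for the suspicious lines in log_text."""
    findings = []
    current_fn = None
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            for scheme, target in parse_proxy(m.group(1)).items():
                if is_loopback(target):
                    # A proxy on the local machine means something on this PC
                    # sits between the browser and the network.
                    findings.append(("high", f"IE {scheme} proxy points at the local machine: {target}"))
                else:
                    findings.append(("info", f"IE {scheme} proxy set to {target}; confirm it is intended"))
            continue

        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            if ip in LOOPBACK or ip == "0.0.0.0":
                findings.append(("medium", f"Hosts file redirects {name} to {ip}"))
            continue

        m = SSDT_FN_RE.match(line)
        if m:
            current_fn = m.group(1)          # the next Status line belongs to this call
            continue

        m = SSDT_HOOK_RE.match(line)
        if m and current_fn:
            owner, addr = m.groups()
            if owner == "<unknown>":
                # GMER could not map the hook address to any loaded driver image.
                findings.append(("high", f"SSDT hook on {current_fn} at {addr} by an unidentified module"))
            else:
                findings.append(("info", f"SSDT hook on {current_fn} by {ntpath.basename(owner)}"))
            current_fn = None
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```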



#10 Versani

Versani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 09 January 2010 - 09:22 PM

It's a weird situation. I noticed it after a few days. Ok, I open Internet Explorer, but it closes IMMEDIATELY. Yet the process is still running in Task Manager, and I have to go into Task Manager and end the process. It sometimes happens with Firefox too...

what am I to do with uInternet Settings,ProxyServer = http=127.0.0.1:5555 ?

And I've had suggestions where people say to start IE with no add-ons and that it's an ActiveX situation, but that still didn't work :|

Edited by Versani, 10 January 2010 - 06:26 AM.


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 10 January 2010 - 07:18 AM

Could you please give me proper feedback so that I can help you better?

what am I to do with uInternet Settings,ProxyServer = http=127.0.0.1:5555 ?

What do you mean? The question was whether you had set Internet Explorer to use a proxy server. What I need is for you to tell me whether you have set the proxy or whether we should remove it and get rid of it, because it is not the default setting for IE and it should not be there unless you wanted it and configured it that way.

Edited by farbar, 15 January 2010 - 07:25 PM.
Spelling


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 10 January 2010 - 09:50 AM

Please don't miss my previous post. I don't think you have set the proxy yourself, as you obviously don't know what I'm talking about.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 Versani

Versani
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 10 January 2010 - 07:40 PM

I didn't do anything with the proxy thing, I misread.

There seems to be a problem. I installed ComboFix, and I double-clicked it to run; then it says there is no path or I can't access iexplorer.exe and some other things. Here is what came up:

I turned off Comodo and I also already have Microsoft Recovery Console.

Posted Image
Posted Image
Posted Image

This came up when I kept clicking OK on the n.pif error.

Posted Image

:|....

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 10 January 2010 - 08:36 PM

The first 3 errors could be clicked away with OK, like you did. The last one could be canceled.
  • Reboot the computer once if you have not rebooted since running Combofix.

  • Please run fix.bat (from post #7 step #4) once more.

  • Delete your copy of Combofix and download ComboFix from one of these locations, but rename it to far.exe:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on far.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,543 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:18 PM

Posted 15 January 2010 - 07:28 PM

This thread will now be closed due to lack of activity.



