What's going on?? Things changing and popping up!


This topic is locked
15 replies to this topic

#1 brads26 (Members, 5 posts)

Posted 27 May 2010 - 01:19 PM

Hi all,
I have been having problems for a few days with web pages randomly opening up. When doing a search and clicking on a link, it opens a totally different page; even when I tried to click on this page it opened something completely different.
I have run so far:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Spybot S&D
All updated, and restarted the PC, but it still has not cured the problem!

It now appears that my "Start" icon and the icons in my toolbar at the bottom have changed style!

I have finally run HijackThis and haven't got a clue about the results or which to fix.

Any help will be gratefully appreciated.

The log is below

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:41:27, on 24/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Milestone\Milestone Surveillance\ImageImportService.exe
C:\Program Files\Milestone\Milestone Surveillance\ImageServer.exe
C:\Program Files\Milestone\Milestone Surveillance\ELFFLogCheckerService.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Milestone\Milestone Surveillance\RecordingServer.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rainbow Technologies\SuperPro\6.3\Server\WinNT\spnsrvnt.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Axis Communications\AXIS Camera Station 3\ACSService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\NStar\NCIArchive.exe
C:\Program Files\NStar\NCICore.exe
C:\Program Files\NStar\NS Communications Server.exe
C:\Program Files\NStar\NS Schedule Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} (MxPEG_ActiveX Control) - http://192.168.0.6:100/cgi-bin/MxPEG_Activ...b?dummy=4494254
O16 - DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} (ConfigManager Control) - http://127.0.0.1/ConfigManager.cab
O16 - DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA875} (NxWebRemote) - http://192.168.0.12:85/WebClient.cab
O16 - DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} (EngineManager Control) - http://127.0.0.1/EngineManager.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} (GVersionManager Class) - http://192.168.1.200/GVersionMan.cab
O16 - DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} (CAxMP4Dec Class) - http://192.168.0.91/activex/decoder/mpeg4_dec.cab
O16 - DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} (GTileContainerCtl Class) - http://78.151.183.109:2080/webviewer.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://192.168.0.91/activex/AMC.cab
O16 - DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} (ImageViewer Control) - http://127.0.0.1/ImageViewer.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.snapmad.com/aurigma/ImageUploader4.cab
O16 - DPF: {F39F6F0B-170B-4A3A-AF1D-11D89CFD9ED9} (VideoSafe - VS Viewer) - http://annalbert.homeip.net/VideoX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{993DC16F-E08F-4BE7-A702-1BEFFFA8C5A7}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0BA9FBE-2654-41D4-8AC3-19D90F28D364}: NameServer = 10.0.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AXIS Camera Station - Axis Communications - C:\Program Files\Axis Communications\AXIS Camera Station 3\ACSService.exe
O23 - Service: NStar Communication Server (CommunicationsService) - Unknown owner - C:\Program Files\NStar\NS Communications Server.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NStar Archive Database Server (DatabaseArchiveService) - Unknown owner - C:\Program Files\NStar\NCIArchive.exe
O23 - Service: NStar Database Server (DatabaseService) - Unknown owner - C:\Program Files\NStar\NCICore.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Milestone ImageImportService - Unknown owner - C:\Program Files\Milestone\Milestone Surveillance\ImageImportService.exe
O23 - Service: Milestone ImageServer - Milestone Systems A/S - C:\Program Files\Milestone\Milestone Surveillance\ImageServer.exe
O23 - Service: Milestone LogCheckService - Unknown owner - C:\Program Files\Milestone\Milestone Surveillance\ELFFLogCheckerService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Milestone Recording Server (RecordingServer) - Milestone Systems A/S - C:\Program Files\Milestone\Milestone Surveillance\RecordingServer.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: NStar Schedule Service (ScheduleService) - Unknown owner - C:\Program Files\NStar\NS Schedule Service.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SuperProServer - Unknown owner - C:\Program Files\Rainbow Technologies\SuperPro\6.3\Server\WinNT\spnsrvnt.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

--
End of file - 15110 bytes



#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 28 May 2010 - 10:51 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having, as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from GMER
      3.let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 brads26 (Topic Starter, Members, 5 posts)

Posted 30 May 2010 - 07:54 AM

Sorry for the delay, not been in much.

Here's the results. Hope you can help.
Thanks again.


DDS (Ver_10-03-17.01) - NTFSx86
Run by System administrator at 12:25:10.01 on 29/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.280 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Milestone\Milestone Surveillance\ImageServer.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Milestone\Milestone Surveillance\RecordingServer.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Axis Communications\AXIS Camera Station 3\ACSService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\System administrator\Desktop\Defogger.exe
C:\Documents and Settings\System administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [{7C8EE5C8-D15D-7F01-3712-F846756E9F86}] "c:\documents and settings\system administrator\application data\waups\upir.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Flashget] c:\program files\flashget\flashget.exe /min
mRun: [MChk] c:\windows\system32\xlehqkih.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} - hxxp://192.168.0.6:100/cgi-bin/MxPEG_ActiveX.cab?dummy=4494254
DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} - hxxp://127.0.0.1/ConfigManager.cab
DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA875} - hxxp://192.168.0.12:85/WebClient.cab
DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} - hxxp://127.0.0.1/EngineManager.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://activex.webcam.nl/AxisCamControl.cab
DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://192.168.1.200/GVersionMan.cab
DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://192.168.0.91/activex/decoder/mpeg4_dec.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://78.151.183.109:2080/webviewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.0.91/activex/AMC.cab
DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} - hxxp://127.0.0.1/ImageViewer.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.snapmad.com/aurigma/ImageUploader4.cab
DPF: {F39F6F0B-170B-4A3A-AF1D-11D89CFD9ED9} - hxxp://annalbert.homeip.net/VideoX.CAB
TCP: {993DC16F-E08F-4BE7-A702-1BEFFFA8C5A7} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-9 297752]
R2 AXIS Camera Station;AXIS Camera Station;c:\program files\axis communications\axis camera station 3\ACSService.exe [2008-9-27 40960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-11 47640]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-7-17 106586]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
R2 Milestone ImageServer;Milestone ImageServer;c:\program files\milestone\milestone surveillance\ImageServer.exe [2008-1-22 3112960]
R2 RecordingServer;Milestone Recording Server;c:\program files\milestone\milestone surveillance\RecordingServer.exe [2008-1-22 2772992]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\GenBus.sys [2008-8-11 27648]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
S0 rujqhw;rujqhw; [x]
S2 CommunicationsService;NStar Communication Server;c:\program files\nstar\NS Communications Server.exe [2007-8-28 974848]
S2 DatabaseArchiveService;NStar Archive Database Server;c:\program files\nstar\NCIArchive.exe [2007-8-28 593920]
S2 DatabaseService;NStar Database Server;c:\program files\nstar\NCICore.exe [2007-8-28 593920]
S2 Milestone ImageImportService;Milestone ImageImportService;c:\program files\milestone\milestone surveillance\ImageImportService.exe [2008-1-22 2056192]
S2 Milestone LogCheckService;Milestone LogCheckService;c:\program files\milestone\milestone surveillance\ELFFLogCheckerService.exe [2008-1-22 270336]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 ScheduleService;NStar Schedule Service;c:\program files\nstar\NS Schedule Service.exe [2007-8-28 356352]
S3 EST_Server;Network USB Device;c:\windows\system32\drivers\GenHC.sys [2009-8-13 151552]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SessionLauncher;SessionLauncher;c:\docume~1\system~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\system~1\locals~1\temp\dx9\SessionLauncher.exe [?]

=============== Created Last 30 ================

2010-05-29 11:23:18 0 ----a-w- c:\documents and settings\system administrator\defogger_reenable
2010-05-29 10:34:02 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-29 10:34:02 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-29 10:22:16 0 d-----w- C:\ComboFix
2010-05-28 20:51:52 0 d-----w- c:\docume~1\system~1\applic~1\Street-Ads
2010-05-28 20:51:29 0 d-----w- c:\docume~1\system~1\applic~1\Sky-Banners
2010-05-28 20:51:27 50981 ----a-w- c:\windows\system32\mwizvtgxytibchqh.exe
2010-05-28 18:22:17 0 d-sha-r- C:\cmdcons
2010-05-28 18:18:50 77312 ----a-w- c:\windows\MBR.exe
2010-05-28 18:18:45 256512 ----a-w- c:\windows\PEV.exe
2010-05-28 18:18:42 98816 ----a-w- c:\windows\sed.exe
2010-05-28 18:18:42 161792 ----a-w- c:\windows\SWREG.exe
2010-05-24 18:40:33 0 d-----w- c:\program files\Trend Micro
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\xlehqkih.exe
2010-05-23 11:52:08 50688 --sha-r- c:\windows\system32\ufata.dll
2010-05-17 19:31:10 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-05-17 19:30:42 0 d-----w- c:\program files\XP Codec Pack
2010-05-14 19:28:42 0 d-----w- c:\windows\system32\madll
2010-05-14 19:28:32 0 d-----w- c:\program files\Abdio
2010-05-02 20:58:56 0 d-----w- c:\program files\Dekart
2010-05-02 20:34:01 0 d-----w- c:\program files\SIM Edit Tool

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 19:08:56 47360 ----a-w- c:\docume~1\system~1\applic~1\pcouffin.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-02-04 19:56:13 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-04 19:56:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020420090205\index.dat

============= FINISH: 12:27:33.87 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 17/07/2007 10:09:30
System Uptime: 29/05/2010 10:17:48 (2 hours ago)

Motherboard: Dell Inc. | | 0KD882
Processor: Intel® Core™2 CPU T5300 @ 1.73GHz | Microprocessor | 1728/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 107 GiB total, 35.43 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E96A-E325-11CE-BFC1-08002BE10318}
Description: Ricoh MMC Host Controller
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Manufacturer: Ricoh Company
Name: Ricoh MMC Host Controller
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Service: rimmptsk

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMTSSTCORP_DVD+-RW_TS-L632D_______________DE04____\5&2C81F6DE&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: TSSTcorp DVD+-RW TS-L632D
PNP Device ID: IDE\CDROMTSSTCORP_DVD+-RW_TS-L632D_______________DE04____\5&2C81F6DE&0&0.0.0
Service: cdrom

==== System Restore Points ===================

RP1: 23/05/2010 12:59:49 - System Checkpoint
RP2: 24/05/2010 13:49:42 - System Checkpoint
RP3: 24/05/2010 19:40:29 - Installed HiJackThis
RP4: 25/05/2010 21:55:26 - System Checkpoint
RP5: 28/05/2010 19:19:28 - ComboFix created restore point

==== Installed Programs ======================

4PLAY 4.95 for Windows 95
4PLAY 4.95 for Windows 95 (C:\Program Files\4PLAY 4\)
4PLAY 5.0
Abdio Free MP4 Player (Free)
AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 7.0
Adobe Reader 7.0
AVG Free 8.5
AXIS Camera Management 2.00
AXIS Camera Station 3.11
AXIS Camera Station Decoders 3.01
AXIS Media Control Embedded
Broadcom 440x 10/100 Integrated Controller
Bytescout XLS Viewer 2.30a (FREEWARE)
CardRecovery 5.20 Build 0212
CCleaner (remove only)
CD Audio Reader Filter (remove only)
Conexant HDA D110 MDC V.92 Modem
ConvertXtoDVD 4.0.9.322
Critical Update for Windows Media Player 11 (KB959772)
Data Doctor Recovery - SIM Card 3.0.1.5
DC-Bass Source 1.1.1
Dell Resource CD
DirectVobSub (remove only)
DirectXInstallService
DMNetVuObserVer1_7_0
Driver Genius Professional Edition
DScaler 5 Mpeg Decoders
EMC 10 Content
ffdshow [rev 1685] [2007-12-06]
FlashGet 1.9.6.1073
FLV Player 2.0 (build 25)
GPL MPEG-1/2 DirectShow Decoder Filter
Haali Media Splitter
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
ImgBurn
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiFi Software
IrfanView (remove only)
Java™ 6 Update 2
Java™ 6 Update 5
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
LogMeIn
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Word Viewer 2003
Microsoft SQL Server Desktop Engine
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Milestone XProtect Enterprise
Milestone XProtect Smart Client
Milestone XProtect Smart Client 3.5a
Modem Helper
MONOGRAM AMR Splitter/Decoder (remove only)
mProSafe
MSVC80_x86
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
mWlsSafe
Network Viewer v2.2 (002)
Nokia Connectivity Cable Driver
NStar
OpenSource Flash Video Splitter (remove only)
PC Connectivity Solution
Performance Platform Voguecash
PIXresizer 2.0.4
PL-2303 USB-to-Serial
ProShow Gold
Quick DVD Creator 3.10
QuickSet
RealMedia (remove only)
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Disc Gallery
Roxio Easy Media Creator 10 Suite
Roxio File Backup
Roxio MediaShare
Roxio Update Manager
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Sentinel SuperPro 6.3.1
SHOUTcast Source (remove only)
SigmaTel Audio
SIM Edit Tool
Sky-Banners browser enhancer
SmartViewer 2.0 for ProDVR
Spybot - Search & Destroy
Street-Ads Browser Enhancer
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
TeamViewer 4
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Trojan Remover 6.7.8
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Server
Video Device Pack V3.3
WebFldrs XP
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
WinZip
Xilisoft Video Converter Ultimate
XML Paper Specification Shared Components Pack 1.0
XP Codec Pack
Xvid 1.1.3 final uninstall
yDGpatch v1.1.0.3
Zoom Player (remove only)

==== Event Viewer Messages From Past Week ========

29/05/2010 11:21:56, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 5 time(s).
29/05/2010 11:21:47, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 4 time(s).
29/05/2010 11:20:55, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 3 time(s).
29/05/2010 11:20:43, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
29/05/2010 09:46:57, information: Windows File Protection [64002] - File replacement was attempted on the protected system file cdrom.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
29/05/2010 09:27:09, error: Service Control Manager [7031] - The AXIS Camera Station service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
29/05/2010 09:04:35, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
28/05/2010 22:22:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi
28/05/2010 21:51:17, error: Service Control Manager [7000] - The RAS Asynchronous Media Driver service failed to start due to the following error: A device attached to the system is not functioning.
28/05/2010 21:51:14, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: Access is denied.
28/05/2010 21:51:13, error: Service Control Manager [7000] - The 61883 Unit Device service failed to start due to the following error: Access is denied.
28/05/2010 21:50:55, error: Service Control Manager [7034] - The MSWU-99f670fa service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 20:48:20, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
28/05/2010 20:39:30, error: Service Control Manager [7034] - The NStar Database Server service terminated unexpectedly. It has done this 3 time(s).
28/05/2010 20:39:30, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 3 time(s).
28/05/2010 20:37:38, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 2 time(s).
28/05/2010 20:37:38, error: Service Control Manager [7031] - The NStar Database Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
28/05/2010 19:24:38, error: Service Control Manager [7034] - The NStar Communication Server service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:24:38, error: Service Control Manager [7031] - The NStar Database Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
28/05/2010 19:24:37, error: Service Control Manager [7034] - The SuperProServer service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:24:37, error: Service Control Manager [7034] - The ScsiAccess service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:24:37, error: Service Control Manager [7034] - The NStar Archive Database Server service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:24:37, error: Service Control Manager [7034] - The Milestone LogCheckService service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:24:37, error: Service Control Manager [7034] - The Milestone ImageImportService service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:24:37, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
28/05/2010 19:17:48, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 2 time(s).
28/05/2010 18:56:45, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
27/05/2010 18:48:17, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
27/05/2010 18:39:44, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Workstation service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Time service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Management Instrumentation service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Audio service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Telephony service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the System Restore Service service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Server service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Secondary Logon service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Logical Disk Manager service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Help and Support service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Error Reporting Service service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Distributed Link Tracking Client service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Cryptographic Services service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ Event System service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic Updates service to connect.
27/05/2010 18:39:44, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7001] - The AXIS Camera Station service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Telephony service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The System Restore Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Logical Disk Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Distributed Link Tracking Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:44, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/05/2010 18:39:42, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
27/05/2010 18:37:43, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
27/05/2010 18:37:43, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
25/05/2010 21:39:23, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
25/05/2010 21:39:17, error: Service Control Manager [7022] - The AXIS Camera Station service hung on starting.
25/05/2010 21:37:45, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
25/05/2010 21:37:44, error: Service Control Manager [7000] - The SQLSERVERAGENT service failed to start due to the following error: The system cannot find the path specified.
25/05/2010 21:37:44, error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
23/05/2010 13:46:41, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ROB that believes that it is the master browser for the domain on transport NetBT_Tcpip_{993DC16F-E08F-4BE7-A702. The master browser is stopping or an election is being forced.
23/05/2010 13:31:49, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
23/05/2010 13:02:11, error: Service Control Manager [7034] - The Adobe Active File Monitor V7 service terminated unexpectedly. It has done this 1 time(s).
23/05/2010 13:02:09, error: Service Control Manager [7034] - The AVG Free8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
23/05/2010 13:02:08, error: Service Control Manager [7034] - The NStar Schedule Service service terminated unexpectedly. It has done this 1 time(s).
23/05/2010 12:56:43, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AXIS Camera Station service to connect.
23/05/2010 12:56:43, error: Service Control Manager [7000] - The AXIS Camera Station service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
22/05/2010 13:44:00, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
22/05/2010 13:44:00, error: SideBySide [59] - Generate Activation Context failed for C:\Documents and Settings\System administrator\Desktop\MxCC.exe. Reference error message: The operation completed successfully. .
22/05/2010 13:44:00, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-29 23:48:19
Windows 5.1.2600 Service Pack 3
Running: 8q743dl3.exe; Driver: C:\DOCUME~1\SYSTEM~1\LOCALS~1\Temp\kxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA9DAA620]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat A7F6ED20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\0e353c24-25e2-4c0d-9075-a8da9079cc19.tmp (size mismatch) 1112288/0 bytes executable

---- EOF - GMER 1.0.15 ----


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 May 2010 - 02:31 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 brads26
  • Topic Starter

  • Members
  • 5 posts

Posted 30 May 2010 - 03:39 PM

Hi again....

Here's the log from ComboFix....
I couldn't stop all the services for AVG as they kept restarting in "process"
The popups seem to have stopped.....
Will need to try to do a search and click the links...

Thanks


ComboFix 10-05-29.05 - System administrator 30/05/2010 20:50:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.292 [GMT 1:00]
Running from: c:\documents and settings\System administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-29 10:34 . 2008-04-13 17:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-29 10:34 . 2008-04-13 17:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-28 20:51 . 2010-05-28 20:51 -------- d-----w- c:\documents and settings\System administrator\Application Data\Street-Ads
2010-05-28 20:51 . 2010-05-28 20:51 -------- d-----w- c:\documents and settings\System administrator\Application Data\Sky-Banners
2010-05-28 20:51 . 2010-05-28 20:51 50981 ----a-w- c:\windows\system32\mwizvtgxytibchqh.exe
2010-05-28 20:51 . 2010-05-28 20:51 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-25 11:49 . 2010-05-25 11:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-05-25 11:45 . 2010-05-25 11:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-05-24 18:40 . 2010-05-24 18:40 388096 ----a-r- c:\documents and settings\System administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-24 18:40 . 2010-05-24 18:40 -------- d-----w- c:\program files\Trend Micro
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\xlehqkih.exe
2010-05-23 11:52 . 2010-05-23 11:52 50688 --sha-r- c:\windows\system32\ufata.dll
2010-05-17 19:30 . 2010-05-17 19:31 -------- d-----w- c:\program files\XP Codec Pack
2010-05-16 19:26 . 2010-05-29 08:07 63488 ----a-w- c:\documents and settings\System administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-14 19:28 . 2010-05-14 19:28 -------- d-----w- c:\windows\system32\madll
2010-05-14 19:28 . 2010-05-14 19:28 -------- d-----w- c:\program files\Abdio
2010-05-02 21:01 . 2010-05-02 21:01 -------- d-----w- c:\program files\FLV Player
2010-05-02 20:58 . 2010-05-02 20:58 -------- d-----w- c:\program files\Dekart
2010-05-02 20:34 . 2010-05-02 20:37 -------- d-----w- c:\program files\SIM Edit Tool
2010-05-02 20:33 . 2010-05-02 20:33 -------- d-----w- c:\documents and settings\System administrator\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 19:53 . 2009-05-23 18:12 -------- d-----w- c:\program files\FlashGet
2010-05-30 19:52 . 2007-08-28 09:45 -------- d-----w- c:\program files\NStar
2010-05-30 03:14 . 2009-09-11 17:55 -------- d-----w- c:\program files\LogMeIn
2010-05-29 08:52 . 2009-02-05 17:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 08:07 . 2009-07-25 15:15 117760 ----a-w- c:\documents and settings\System administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 20:51 . 2008-09-30 07:32 -------- d-----w- c:\documents and settings\System administrator\Application Data\Sekabu
2010-05-27 19:44 . 2010-01-31 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 18:35 . 2007-07-17 09:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-27 18:35 . 2009-10-24 21:30 -------- d-----w- c:\program files\Multimedia Card Reader
2010-05-27 18:30 . 2007-09-09 16:04 -------- d-----w- c:\program files\Trojan Remover
2010-05-22 15:43 . 2010-02-21 19:55 -------- d-----w- c:\program files\MxCC 2.2.3.1
2010-05-22 12:46 . 2009-10-15 19:01 -------- d-----w- c:\program files\Yahoo!
2010-05-22 10:27 . 2010-04-01 19:21 -------- d-----w- c:\program files\Google
2010-05-21 07:01 . 2009-04-11 21:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-05 07:24 . 2008-12-13 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 21:17 . 2008-11-08 18:32 -------- d-----w- c:\program files\Zoom Player
2010-04-29 14:39 . 2008-12-13 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2008-12-13 18:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 09:11 . 2010-04-10 09:11 -------- d-----w- c:\program files\Data Doctor Recovery - SIM Card
2010-03-29 20:18 . 2010-03-29 20:18 143 ----a-w- c:\documents and settings\System administrator\Local Settings\Application Data\fusioncache.dat
2010-03-29 19:08 . 2010-03-29 19:08 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-29 19:08 . 2010-03-29 19:08 47360 ----a-w- c:\documents and settings\System administrator\Application Data\pcouffin.sys
2010-03-29 19:08 . 2010-03-29 19:08 47360 ----a-w- c:\documents and settings\System administrator\Application Data\pcouffin.sys
2010-03-14 19:27 . 2007-07-17 10:19 47224 ----a-w- c:\documents and settings\System administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 19:15 . 2009-09-11 02:12 362464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-14 18:50 . 2010-03-14 18:50 10134 ----a-r- c:\documents and settings\System administrator\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-29_10.35.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-30 12:21 . 2010-05-30 12:23 16384 c:\windows\Temp\Perflib_Perfdata_c80.dat
+ 2010-05-30 12:20 . 2010-05-30 12:20 16384 c:\windows\Temp\Perflib_Perfdata_80c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-27 2397424]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"{7C8EE5C8-D15D-7F01-3712-F846756E9F86}"="c:\documents and settings\System administrator\Application Data\Waups\upir.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"MChk"="c:\windows\system32\xlehqkih.exe" [2010-05-24 40633]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 21:33 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 08:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 17:01 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXIS Camera Station Administration]
2009-01-16 10:29 1066312 ----a-w- c:\program files\Axis Communications\AXIS Camera Station 3\AcsAdmin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 03:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-24 15:52 240112 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NStar\\NStar.exe"=
"c:\\Program Files\\NStar\\ConfigWizard\\QSConfigWiz.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Milestone\\Milestone Surveillance\\ImageServerAdm.exe"=
"c:\\Program Files\\Samsung\\SmartViewer 2.0 for ProDVR\\SmartViewer.exe"=
"c:\\Program Files\\NetworkViewer\\DMNetworkViewer.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Rally solution\\USB Server\\USB Server.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/11/2008 13:40 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/11/2008 13:40 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [15/01/2009 17:17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/01/2009 17:17 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 13:03 169312]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/11/2008 13:40 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/11/2008 13:40 297752]
R2 AXIS Camera Station;AXIS Camera Station;c:\program files\Axis Communications\AXIS Camera Station 3\ACSService.exe [27/09/2008 08:35 40960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 12:41 12856]
R2 Milestone ImageServer;Milestone ImageServer;c:\program files\Milestone\Milestone Surveillance\ImageServer.exe [22/01/2008 11:21 3112960]
R2 RecordingServer;Milestone Recording Server;c:\program files\Milestone\Milestone Surveillance\RecordingServer.exe [22/01/2008 11:22 2772992]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\GenBus.sys [11/08/2008 17:01 27648]
S0 rujqhw;rujqhw; [x]
S2 CommunicationsService;NStar Communication Server;c:\program files\NStar\NS Communications Server.exe [28/08/2007 10:45 974848]
S2 DatabaseArchiveService;NStar Archive Database Server;c:\program files\NStar\NCIArchive.exe [28/08/2007 10:45 593920]
S2 DatabaseService;NStar Database Server;c:\program files\NStar\NCICore.exe [28/08/2007 10:45 593920]
S2 Milestone ImageImportService;Milestone ImageImportService;c:\program files\Milestone\Milestone Surveillance\ImageImportService.exe [22/01/2008 11:21 2056192]
S2 Milestone LogCheckService;Milestone LogCheckService;c:\program files\Milestone\Milestone Surveillance\ELFFLogCheckerService.exe [22/01/2008 11:21 270336]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [24/08/2007 16:53 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [24/08/2007 16:52 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [24/08/2007 16:52 166384]
S2 ScheduleService;NStar Schedule Service;c:\program files\NStar\NS Schedule Service.exe [28/08/2007 10:45 356352]
S3 EST_Server;Network USB Device;c:\windows\system32\drivers\GenHC.sys [13/08/2009 11:59 151552]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [24/08/2007 16:53 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [24/08/2007 16:52 1083888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 17:17 12872]
S4 SessionLauncher;SessionLauncher;c:\docume~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
TCP: {993DC16F-E08F-4BE7-A702-1BEFFFA8C5A7} = 192.168.0.1
DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} - hxxp://192.168.0.6:100/cgi-bin/MxPEG_ActiveX.cab?dummy=4494254
DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} - hxxp://127.0.0.1/ConfigManager.cab
DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA875} - hxxp://192.168.0.12:85/WebClient.cab
DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} - hxxp://127.0.0.1/EngineManager.cab
DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://192.168.1.200/GVersionMan.cab
DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://192.168.0.91/activex/decoder/mpeg4_dec.cab
DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://78.151.183.109:2080/webviewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.0.91/activex/AMC.cab
DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} - hxxp://127.0.0.1/ImageViewer.cab
DPF: {F39F6F0B-170B-4A3A-AF1D-11D89CFD9ED9} - hxxp://annalbert.homeip.net/VideoX.CAB
.
- - - - ORPHANS REMOVED - - - -

BHO-{7E1B3EE8-5107-425D-BF87-3BC8FC24EE7B} - (no file)
BHO-{90B5C027-8FA4-4C98-AEAA-D1DA7940BBCC} - (no file)
BHO-{A70CA5AB-D0D1-38BD-137D-99BBCE55273B} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 20:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3864)
c:\windows\system32\WININET.dll
c:\program files\FlashGet\fgmgr.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-30 21:00:16
ComboFix-quarantined-files.txt 2010-05-30 20:00

Pre-Run: 35,876,229,120 bytes free
Post-Run: 36,979,122,176 bytes free

- - End Of File - - EF913B6AFEAD5A177EAD8B3DEB6B92C2


#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 May 2010 - 12:08 AM

Greetings

This is what I would like you to do next.

Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\mwizvtgxytibchqh.exe
c:\windows\system32\xlehqkih.exe
c:\windows\system32\ufata.dll
c:\documents and settings\System administrator\Application Data\Waups\upir.exe

Folder::
c:\program files\$NtUninstallWTF1012$

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{7C8EE5C8-D15D-7F01-3712-F846756E9F86}"=-

Driver::
rujqhw


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Let me have the log that it makes

gringo


#7 brads26
  • Topic Starter

  • Members
  • 5 posts

Posted 31 May 2010 - 04:46 AM

Hi..

Here you go... hope it means something.

ComboFix 10-05-29.05 - System administrator 31/05/2010 10:18:21.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.389 [GMT 1:00]
Running from: c:\documents and settings\System administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\System administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Resident AV is active


FILE ::
"c:\documents and settings\System administrator\Application Data\Waups\upir.exe"
"c:\windows\system32\mwizvtgxytibchqh.exe"
"c:\windows\system32\ufata.dll"
"c:\windows\system32\xlehqkih.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\$NtUninstallWTF1012$
c:\program files\$NtUninstallWTF1012$\elUninstall.exe
c:\windows\system32\mwizvtgxytibchqh.exe
c:\windows\system32\ufata.dll
c:\windows\system32\xlehqkih.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rujqhw


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
.

2010-05-29 10:34 . 2008-04-13 17:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-29 10:34 . 2008-04-13 17:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-28 20:51 . 2010-05-28 20:51 -------- d-----w- c:\documents and settings\System administrator\Application Data\Street-Ads
2010-05-28 20:51 . 2010-05-28 20:51 -------- d-----w- c:\documents and settings\System administrator\Application Data\Sky-Banners
2010-05-25 11:49 . 2010-05-25 11:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-05-25 11:45 . 2010-05-25 11:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-05-24 18:40 . 2010-05-24 18:40 -------- d-----w- c:\program files\Trend Micro
2010-05-17 19:30 . 2010-05-17 19:31 -------- d-----w- c:\program files\XP Codec Pack
2010-05-14 19:28 . 2010-05-14 19:28 -------- d-----w- c:\windows\system32\madll
2010-05-14 19:28 . 2010-05-14 19:28 -------- d-----w- c:\program files\Abdio
2010-05-02 21:01 . 2010-05-02 21:01 -------- d-----w- c:\program files\FLV Player
2010-05-02 20:58 . 2010-05-02 20:58 -------- d-----w- c:\program files\Dekart
2010-05-02 20:34 . 2010-05-02 20:37 -------- d-----w- c:\program files\SIM Edit Tool
2010-05-02 20:33 . 2010-05-02 20:33 -------- d-----w- c:\documents and settings\System administrator\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-31 09:30 . 2007-08-28 09:45 -------- d-----w- c:\program files\NStar
2010-05-31 09:22 . 2009-05-23 18:12 -------- d-----w- c:\program files\FlashGet
2010-05-31 09:18 . 2009-09-11 17:55 -------- d-----w- c:\program files\LogMeIn
2010-05-29 08:52 . 2009-02-05 17:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 08:07 . 2010-05-16 19:26 63488 ----a-w- c:\documents and settings\System administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-29 08:07 . 2009-07-25 15:15 117760 ----a-w- c:\documents and settings\System administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 20:51 . 2008-09-30 07:32 -------- d-----w- c:\documents and settings\System administrator\Application Data\Sekabu
2010-05-27 19:44 . 2010-01-31 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 18:35 . 2007-07-17 09:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-27 18:35 . 2009-10-24 21:30 -------- d-----w- c:\program files\Multimedia Card Reader
2010-05-27 18:30 . 2007-09-09 16:04 -------- d-----w- c:\program files\Trojan Remover
2010-05-24 18:40 . 2010-05-24 18:40 388096 ----a-r- c:\documents and settings\System administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-22 15:43 . 2010-02-21 19:55 -------- d-----w- c:\program files\MxCC 2.2.3.1
2010-05-22 12:46 . 2009-10-15 19:01 -------- d-----w- c:\program files\Yahoo!
2010-05-22 10:27 . 2010-04-01 19:21 -------- d-----w- c:\program files\Google
2010-05-21 07:01 . 2009-04-11 21:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-05 07:24 . 2008-12-13 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 21:17 . 2008-11-08 18:32 -------- d-----w- c:\program files\Zoom Player
2010-04-29 14:39 . 2008-12-13 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2008-12-13 18:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 09:11 . 2010-04-10 09:11 -------- d-----w- c:\program files\Data Doctor Recovery - SIM Card
2010-03-29 20:18 . 2010-03-29 20:18 143 ----a-w- c:\documents and settings\System administrator\Local Settings\Application Data\fusioncache.dat
2010-03-29 19:08 . 2010-03-29 19:08 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-29 19:08 . 2010-03-29 19:08 47360 ----a-w- c:\documents and settings\System administrator\Application Data\pcouffin.sys
2010-03-29 19:08 . 2010-03-29 19:08 47360 ----a-w- c:\documents and settings\System administrator\Application Data\pcouffin.sys
2010-03-14 19:27 . 2007-07-17 10:19 47224 ----a-w- c:\documents and settings\System administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 19:15 . 2009-09-11 02:12 362464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-14 18:50 . 2010-03-14 18:50 10134 ----a-r- c:\documents and settings\System administrator\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-27 2397424]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 21:33 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 08:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 17:01 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXIS Camera Station Administration]
2009-01-16 10:29 1066312 ----a-w- c:\program files\Axis Communications\AXIS Camera Station 3\AcsAdmin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 03:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-24 15:52 240112 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NStar\\NStar.exe"=
"c:\\Program Files\\NStar\\ConfigWizard\\QSConfigWiz.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Milestone\\Milestone Surveillance\\ImageServerAdm.exe"=
"c:\\Program Files\\Samsung\\SmartViewer 2.0 for ProDVR\\SmartViewer.exe"=
"c:\\Program Files\\NetworkViewer\\DMNetworkViewer.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Rally solution\\USB Server\\USB Server.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/11/2008 13:40 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/11/2008 13:40 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [15/01/2009 17:17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/01/2009 17:17 67656]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 13:03 169312]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [09/11/2008 13:40 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/11/2008 13:40 297752]
R2 AXIS Camera Station;AXIS Camera Station;c:\program files\Axis Communications\AXIS Camera Station 3\ACSService.exe [27/09/2008 08:35 40960]
R2 CommunicationsService;NStar Communication Server;c:\program files\NStar\NS Communications Server.exe [28/08/2007 10:45 974848]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/08/2008 12:41 12856]
R2 Milestone ImageImportService;Milestone ImageImportService;c:\program files\Milestone\Milestone Surveillance\ImageImportService.exe [22/01/2008 11:21 2056192]
R2 Milestone ImageServer;Milestone ImageServer;c:\program files\Milestone\Milestone Surveillance\ImageServer.exe [22/01/2008 11:21 3112960]
R2 Milestone LogCheckService;Milestone LogCheckService;c:\program files\Milestone\Milestone Surveillance\ELFFLogCheckerService.exe [22/01/2008 11:21 270336]
R2 RecordingServer;Milestone Recording Server;c:\program files\Milestone\Milestone Surveillance\RecordingServer.exe [22/01/2008 11:22 2772992]
R2 ScheduleService;NStar Schedule Service;c:\program files\NStar\NS Schedule Service.exe [28/08/2007 10:45 356352]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\GenBus.sys [11/08/2008 17:01 27648]
S2 DatabaseArchiveService;NStar Archive Database Server;c:\program files\NStar\NCIArchive.exe [28/08/2007 10:45 593920]
S2 DatabaseService;NStar Database Server;c:\program files\NStar\NCICore.exe [28/08/2007 10:45 593920]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [24/08/2007 16:53 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [24/08/2007 16:52 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [24/08/2007 16:52 166384]
S3 EST_Server;Network USB Device;c:\windows\system32\drivers\GenHC.sys [13/08/2009 11:59 151552]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [24/08/2007 16:53 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [24/08/2007 16:52 1083888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/01/2009 17:17 12872]
S4 SessionLauncher;SessionLauncher;c:\docume~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
TCP: {993DC16F-E08F-4BE7-A702-1BEFFFA8C5A7} = 192.168.0.1
DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} - hxxp://192.168.0.6:100/cgi-bin/MxPEG_ActiveX.cab?dummy=4494254
DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} - hxxp://127.0.0.1/ConfigManager.cab
DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA875} - hxxp://192.168.0.12:85/WebClient.cab
DPF: {817444B5-4D12-4EEB-8E78-C547E84F80B6} - hxxp://127.0.0.1/EngineManager.cab
DPF: {BF776FD3-69B4-4151-AC97-3A2A64753E18} - hxxp://192.168.1.200/GVersionMan.cab
DPF: {C32FE9F1-A857-48B0-B7BF-065B5792F28D} - hxxp://192.168.0.91/activex/decoder/mpeg4_dec.cab
DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://78.151.183.109:2080/webviewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.0.91/activex/AMC.cab
DPF: {E7B12A6B-341F-4765-A9EA-29A745916878} - hxxp://127.0.0.1/ImageViewer.cab
DPF: {F39F6F0B-170B-4A3A-AF1D-11D89CFD9ED9} - hxxp://annalbert.homeip.net/VideoX.CAB
.
- - - - ORPHANS REMOVED - - - -

BHO-{7E1B3EE8-5107-425D-BF87-3BC8FC24EE7B} - (no file)
BHO-{90B5C027-8FA4-4C98-AEAA-D1DA7940BBCC} - (no file)
BHO-{A70CA5AB-D0D1-38BD-137D-99BBCE55273B} - (no file)
HKLM-Run-MChk - c:\windows\system32\xlehqkih.exe
AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe
AddRemove-mwizvtgxytibchqh - c:\windows\system32\mwizvtgxytibchqh.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-31 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(4712)
c:\windows\system32\WININET.dll
c:\program files\FlashGet\fgmgr.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\UPnPUI.dll
c:\program files\Common Files\Roxio Shared\10.0\DLLShared\FakeAvRenderer.dll
c:\program files\Common Files\Roxio Shared\10.0\DLLShared\roxipp52.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\crypserv.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Photodex\ProShowGold\ScsiAccess.exe
c:\program files\Rainbow Technologies\SuperPro\6.3\Server\WinNT\spnsrvnt.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-05-31 10:44:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-31 09:44
ComboFix2.txt 2010-05-30 20:00

Pre-Run: 40,078,278,656 bytes free
Post-Run: 40,112,988,160 bytes free

- - End Of File - - 7487B454ECD6756A5AC331E2654E3690
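
An added example, written for this thread and not part of ComboFix, HijackThis or anything the helper asked for: a small Python triage script that pulls out the three things a reviewer scans a log like the one above for by eye. It flags DPF entries (Downloaded Program Files, i.e. ActiveX controls) whose .cab was fetched from outside loopback or the RFC 1918 ranges, service or autorun executables that live under a Temp directory, and executables whose base name reads like a generated string. The sample lines are copied verbatim from the log above; the letter-rarity score, the 1.65 threshold and the 8-letter minimum are my assumptions, tuned so that xlehqkih and mwizvtgxytibchqh trip it while flashget and hkcmd do not. A hit means "look at this", not "this is malware": this machine runs several CCTV viewers, so an ActiveX control pulled from a DVR on a dynamic-DNS host can be entirely legitimate.

```python
"""Triage helper for a ComboFix-style log (added example, not a ComboFix feature).

Signals extracted:
  * DPF entries whose .cab came from a public IP or an external hostname,
  * executables launched from a Temp directory,
  * executables whose base name is statistically unlike English/vendor names
    (letter-rarity heuristic; threshold and minimum length are assumptions).
"""
import ipaddress
import math
import re
from urllib.parse import urlsplit

# English letter frequencies in percent (standard table, rounded).
LETTER_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}
RARITY_THRESHOLD = 1.65   # assumption: tuned on the names in this log
MIN_NAME_LETTERS = 8      # assumption: short vendor abbreviations (hkcmd) score high by chance

DPF_RE = re.compile(r"^DPF:\s+\{(?P<clsid>[0-9A-F-]+)\}\s+-\s+(?P<url>\S+)", re.I)
# First drive-letter path ending in .exe; group 2 is the base name without extension.
EXE_RE = re.compile(r'([A-Za-z]:\\.*?\\([^\\\s"]+)\.exe)', re.I)


def classify_origin(host: str) -> str:
    """Where the ActiveX .cab came from: loopback / private-lan / public-ip / external-hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external-hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private-lan"
    return "public-ip"


def name_rarity(name: str) -> float:
    """Mean -log10(letter frequency) over the letters of a file name; higher = less word-like.
    Names with fewer than MIN_NAME_LETTERS letters score 0.0 (never flagged)."""
    letters = [c for c in name.lower() if c in LETTER_FREQ]
    if len(letters) < MIN_NAME_LETTERS:
        return 0.0
    return sum(-math.log10(LETTER_FREQ[c] / 100) for c in letters) / len(letters)


def triage(log_text: str) -> list:
    """Return (kind, detail, line) tuples for the log lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = DPF_RE.match(line)
        if m:
            # ComboFix defangs http as hxxp; restore it so urlsplit sees a normal URL.
            url = m.group("url").replace("hxxp", "http", 1)
            host = urlsplit(url).hostname or ""
            origin = classify_origin(host)
            if origin in ("public-ip", "external-hostname"):
                findings.append(("dpf-external", f"{host} ({origin})", line))
            continue
        m = EXE_RE.search(line)
        if not m:
            continue
        path, base = m.group(1), m.group(2)
        if "\\temp\\" in path.lower():
            findings.append(("runs-from-temp", path, line))
        score = name_rarity(base)
        if score >= RARITY_THRESHOLD:
            findings.append(("random-looking-name", f"{base}.exe rarity={score:.2f}", line))
    return findings


# Constructed sample: lines copied verbatim from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
S4 SessionLauncher;SessionLauncher;c:\docume~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\SYSTEM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} - hxxp://192.168.0.6:100/cgi-bin/MxPEG_ActiveX.cab?dummy=4494254
DPF: {47489CC3-B1AB-4414-A7D9-4A6380D819D8} - hxxp://127.0.0.1/ConfigManager.cab
DPF: {DA5CE92B-A2DF-4400-A7F4-481A127FA434} - hxxp://78.151.183.109:2080/webviewer.cab
DPF: {F39F6F0B-170B-4A3A-AF1D-11D89CFD9ED9} - hxxp://annalbert.homeip.net/VideoX.CAB
HKLM-Run-MChk - c:\windows\system32\xlehqkih.exe
AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe
AddRemove-mwizvtgxytibchqh - c:\windows\system32\mwizvtgxytibchqh.exe
"""

if __name__ == "__main__":
    for kind, detail, _ in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

Run as-is it reports five findings for the sample: the SessionLauncher service living in Temp, the two controls fetched from 78.151.183.109 and annalbert.homeip.net, and the two random-looking system32 executables that ComboFix already listed under orphans removed. Everything else in the sample (the FlashGet autorun, the LAN and loopback camera controls, the elUninstall entry) stays quiet.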


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:14 PM

Posted 31 May 2010 - 04:26 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.0
    Java™ 6 Update 2
    Java™ 6 Update 5
    Malwarebytes' RogueRemover


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

Posted 03 June 2010 - 02:28 PM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#10 gringo_pr

Posted 06 June 2010 - 02:03 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo


#11 gringo_pr

Posted 06 June 2010 - 01:01 PM

Reopened by request


gringo

#12 brads26

brads26
  • Topic Starter

  • Members
  • 5 posts
  • Local time:04:14 AM

Posted 08 June 2010 - 03:52 PM

I have been away on business and Im away again tomorrow so will try to do the checks by Friday...

Thanks again

#13 gringo_pr

Posted 08 June 2010 - 09:25 PM

(thumbs up) thanks for letting me know


gringo

#14 gringo_pr

Posted 12 June 2010 - 11:04 PM

(thumbs up)

#15 gringo_pr

Posted 17 June 2010 - 01:44 AM

Hello brads26

Which friday?

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo





