Windows Explorer and Outlook crash sometimes


  • This topic is locked
22 replies to this topic

#1 chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 24 July 2010 - 01:22 PM

Hello all,
I'll tell you that there have been some very strange things going on with my computer in the past few days. The other night, after installing the IIS features to play with ASP.NET, I opened Windows Explorer, and after a few seconds it stopped responding, and I was given the error message "The remote procedure call failed and did not execute." Not to mention the crashing of Outlook, and Office Diagnostics turned up nothing leading to the cause. Both of these symptoms are very inconsistent, so it is hard to keep a consistent monitor on them. I also get periodic blue screens, but the messages are ordinary. I can't give you the word-for-word message from last night in particular due to the fact that I'm blind and I use a screen reader. No sighted individuals were available at that moment. Any help with this would be wonderful, for it's beginning to drive me nuts. Logs as follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Katherine Moss at 12:59:15.66 on Sat 07/24/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3574.2151 [GMT -4:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\CISVC.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\Explorer.EXE
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\System Access\SAWinlogonMaster.exe
C:\Windows\system32\U2VSvr.exe
C:\Windows\system32\Tdxvgautil.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\System Access\SAHS.exe
C:\Program Files\System Access\SAHSHelper.exe
C:\Windows\system32\conhost.exe
c:\program files\system access\SARCServer.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\fsATProxy.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe
C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\DevEnv.exe
c:\program files\system access\sawinlogonslave.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Katherine Moss\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://bing.com/
BHO: Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: Disabled:{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO: Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [JAWS] "c:\program files\freedom scientific\jaws\11.0\jfw.exe" /run
mRun: [Dell Laser Printer 1110 SM_JB] c:\program files\dell\dell laser printer 1110\localsm\jbDetect.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\users\kather~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\system~1.lnk - c:\program files\system access\SAHS.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\qwitter.lnk - c:\program files\qwitter\qwitter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: cfins.com\vpn1
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\kather~1\appdata\roaming\mozilla\firefox\profiles\058zko80.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\users\katherine moss\appdata\roaming\mozilla\firefox\profiles\058zko80.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AEP_TDI_DRV;AEP NSP Port Forwarder TDI Driver;c:\windows\system32\drivers\aeptdipfwd.sys [2010-7-7 36659]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-12-18 95896]
R2 Freedom Scientific Kernel Manager {D2B4C7A7-7605-4039-89E4-DE5CC69BBE9D};Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2010-4-13 20512]
R2 System Access Windows Logon Helper;System Access Windows Logon Helper;c:\program files\system access\SAWinlogonMaster.exe [2010-4-10 25816]
R2 U2VSvr;U2VSvr;c:\windows\system32\U2VSvr.exe [2010-1-19 172032]
R3 fsvidmir;fsvidmir;c:\windows\system32\drivers\fsvidmir.sys [2009-10-21 2944]
R3 NetillaVPN;AEP VPN Adapter;c:\windows\system32\drivers\Netva.sys [2010-7-7 10112]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\drivers\TdxMrMINI.sys [2010-1-19 247808]
R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\drivers\TdxVgaMini.sys [2010-1-19 253184]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 OpenSSHd;OpenSSH Server;c:\program files\openssh\bin\cygrunsrv.exe [2004-4-18 36864]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2010-1-19 22144]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-3-30 84832]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FSBRLDSP;Freedom Scientific Braille Display USB driver (fsbrldsp.sys);c:\windows\system32\drivers\fsbrldsp.sys [2009-10-21 35352]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-1-19 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\program files\freedom scientific\jaws\11.0\JTVNCProxy.exe [2010-4-13 16152]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-11-2 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-23 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 MsDepSvc;Web Deployment Agent Service;"c:\program files\iis\microsoft web deploy\msdepsvc.exe" -runservice:msdepsvc --> c:\program files\iis\microsoft web deploy\MsDepSvc.exe [?]
S3 NetillaVPNService;AEP SSL Tunnel Helper Service;c:\program files\aep\ssltunnel\nvpns.exe [2010-7-7 13824]
S3 PowerBrl;powerBraille System Driver;c:\windows\system32\drivers\powerbrl.sys [2010-4-13 14880]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-2-2 43520]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-2-16 63488]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TdxVGAUSB;TARGUS USB 2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.sys [2010-1-19 34944]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-24 1343400]
S3 WPFFontCache_v0400;WPFFontCache_v0400;c:\windows\microsoft.net\framework\v4.0.21006\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [?]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-07-24 16:44:55 0 ----a-w- c:\users\katherine moss\defogger_reenable
2010-07-24 02:54:23 47777600 ----a-w- C:\dqrzx9z3.exe
2010-07-24 00:36:21 10637605 ----a-w- C:\041510_ESET_Password.mp3
2010-07-24 00:32:49 8290346 ----a-w- C:\051410_ESET_YahooIM.mp3
2010-07-24 00:31:58 8953021 ----a-w- C:\051010_ESET_Password2.mp3
2010-07-24 00:31:12 6569399 ----a-w- C:\052010_ESET_Microsoft.mp3
2010-07-22 21:01:16 173 ----a-w- C:\Initial_Creation_Script.SQL
2010-07-22 17:11:08 325120 ----a-w- C:\vbscript_reference.doc
2010-07-22 16:53:56 0 d-----w- c:\programdata\MySQL
2010-07-22 16:53:56 0 d-----w- c:\program files\MySQL
2010-07-22 16:49:22 3508422 ----a-w- C:\mysql-connector-net-5.2.7.zip
2010-07-22 16:40:00 110022144 ----a-w- C:\mysql-5.1.48-win32.msi
2010-07-22 05:00:56 95 ----a-w- C:\sample 2.VBS
2010-07-22 04:57:26 34 ----a-w- C:\sample 1.vbs
2010-07-21 21:42:11 56 ---h--w- c:\windows\sc2rtl.ini
2010-07-21 21:41:48 385024 ----a-w- c:\windows\system32\msoecmd32.dll
2010-07-21 21:41:47 276 ----a-w- c:\windows\system32\mstrbscom32.dll
2010-07-21 21:41:27 0 d-----w- c:\program files\Troopanum 2.0
2010-07-21 21:19:46 58869312 ----a-w- C:\troop2_setup.exe
2010-07-20 05:12:59 160 ----a-w- C:\sample script.VBS
2010-07-18 00:36:49 1004034 ----a-w- C:\EsetWP-20YearsBeforeTheMouse.pdf
2010-07-16 23:58:01 16066 ----a-w- C:\(Demonoid.com)-_Net_4_0_books.torrent
2010-07-16 18:50:51 0 d-----w- C:\dee251e71c3feac6d5ced24a17323e
2010-07-09 18:32:45 0 d-----w- c:\program files\NirSoft
2010-07-09 18:27:00 652594 ----a-w- C:\passrec_setup.exe
2010-07-07 16:02:36 70656 ----a-w- c:\windows\NetAX.dll
2010-07-07 16:02:36 39936 ----a-w- c:\windows\NetCore.dll
2010-07-07 16:02:36 10112 ----a-w- c:\windows\system32\drivers\Netva.sys
2010-07-07 16:02:36 0 d-----w- c:\program files\AEP
2010-07-07 15:59:41 36659 ----a-w- c:\windows\system32\drivers\aeptdipfwd.sys
2010-07-07 15:59:41 13824 ----a-w- c:\windows\TDIuninstall.exe
2010-07-06 00:45:06 0 d-----w- C:\1001 Sound FX
2010-07-06 00:37:37 0 d-----w- c:\program files\iZotope
2010-07-06 00:31:57 0 d-----w- c:\programdata\Sony
2010-07-06 00:31:36 0 d-----w- c:\program files\Sony
2010-06-24 19:01:07 0 d-----w- c:\program files\MSXML 4.0

==================== Find3M ====================

2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-01 14:49:25 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 18:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 02:27:12 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-22 02:27:12 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-22 02:27:12 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-22 02:27:12 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-03-15 14:59:29 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-03-15 14:59:29 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-03-15 14:59:29 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:01:10.48 ===============

Edited by chromebuster, 24 July 2010 - 01:25 PM.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge
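One security-relevant detail a helper would pull out of the DDS log above is the block of `mPolicies-system` values. DDS reads them from `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System`, and `EnableLUA = 0` together with `ConsentPromptBehaviorAdmin = 0` and `PromptOnSecureDesktop = 0` means User Account Control is switched off on this Windows 7 machine. The Python below is an added example for this editorial pass, not code from the original post or from the DDS tool: it parses those lines (the sample input is copied from the log), reports what each value implies, and emits `reg.exe` commands that put the flagged values back to the Windows 7 defaults. The default values and the registry path are the editor's reference data, not something the post states; `parse_policies`, `assess_uac` and `reg_fix_commands` are names chosen here.

```python
import re

# Constructed sample input: the five "mPolicies-system" lines exactly as
# they appear in the DDS "Pseudo HJT Report" section of the post above.
SAMPLE_DDS = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# DDS reads these from HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System.
# Windows 7 out-of-the-box values (editor's reference data, assumed, not from the post).
WIN7_DEFAULTS = {
    "EnableLUA": 1,                   # UAC on
    "ConsentPromptBehaviorAdmin": 5,  # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,       # prompts rendered on the secure desktop
}

POLICY_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")


def parse_policies(dds_text):
    """Return {value_name: int} for every mPolicies-system line in a DDS log."""
    policies = {}
    for line in dds_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def assess_uac(policies):
    """Return (name, observed, default, why) tuples for weakened UAC settings.

    An empty list means the checked values are at the Windows 7 defaults.
    """
    findings = []
    if policies.get("EnableLUA") == 0:
        findings.append(("EnableLUA", 0, WIN7_DEFAULTS["EnableLUA"],
                         "UAC is off: members of Administrators run every process "
                         "with a full admin token, so anything the user launches "
                         "is already elevated"))
    # With EnableLUA=0 the two prompt-behaviour values are never consulted,
    # but they take effect again the moment UAC is re-enabled, so report them too.
    if policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append(("ConsentPromptBehaviorAdmin", 0,
                         WIN7_DEFAULTS["ConsentPromptBehaviorAdmin"],
                         "admins elevate silently with no consent or credential prompt"))
    if policies.get("PromptOnSecureDesktop") == 0:
        findings.append(("PromptOnSecureDesktop", 0,
                         WIN7_DEFAULTS["PromptOnSecureDesktop"],
                         "elevation prompts draw on the normal desktop, where other "
                         "processes can overlay or automate them"))
    return findings


def reg_fix_commands(findings):
    """reg.exe commands that restore each flagged value to the Windows 7 default."""
    return [f'reg add "{POLICY_KEY}" /v {name} /t REG_DWORD /d {default} /f'
            for name, _observed, default, _why in findings]


if __name__ == "__main__":
    found = assess_uac(parse_policies(SAMPLE_DDS))
    for name, observed, default, why in found:
        print(f"{name} = {observed} (default {default}): {why}")
    for cmd in reg_fix_commands(found):
        print(cmd)
```

Run against the log above this reports all three weakened values. Whether to restore them is a judgement call for the helper: a screen-reader user may have turned off the secure desktop deliberately, but with `EnableLUA = 0` the machine has no elevation boundary at all, which matters when, as here, the box also runs IIS, MySQL, an FTP server and an OpenSSH service.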



#2 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 02 August 2010 - 03:55 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 chromebuster

  • Topic Starter
  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 02 August 2010 - 09:39 PM

Hi,
Thanks so much for your response. I really appreciate it. And do me a favor. Please tell random/Random that the tool is 100 percent screen reader accessible which is crucial for blind and visually impaired computer users like me. Log is as follows:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Katherine Moss at 2010-08-02 22:32:24
Microsoft Windows 7 Professional
System drive C: has 52 GB (18%) free of 293 GB
Total RAM: 3574 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:32:48 PM, on 8/2/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\OEM02Mon.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe
C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\System Access\SAHS.exe
C:\Program Files\System Access\SAHSHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\fsATProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Katherine Moss\Desktop\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\trend micro\Katherine Moss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - Disabled:{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: (no name) - Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [JAWS] "C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe" /run
O4 - HKLM\..\Run: [Dell Laser Printer 1110 SM_JB] C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: System Access HomeServer.lnk = C:\Program Files\System Access\SAHS.exe
O4 - Global Startup: Qwitter.lnk = C:\Program Files\Qwitter\qwitter.exe
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: JTVNCProxy_11.0 - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe
O23 - Service: Web Deployment Agent Service (MsDepSvc) - Unknown owner - C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: AEP SSL Tunnel Helper Service (NetillaVPNService) - AEP Networks, Inc. - C:\Program Files\AEP\SSLTunnel\nvpns.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8197 (NetPipeActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8199 (NetTcpActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8201 (NetTcpPortSharing) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: System Access Windows Logon Helper - Serotek Corporation - C:\Program Files\System Access\SAWinlogonMaster.exe
O23 - Service: U2VSvr - Unknown owner - C:\Windows\system32\U2VSvr.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe,-100 (WPFFontCache_v0400) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 8464 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\Disabled:{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"=C:\Windows\OEM02Mon.exe [2007-05-09 36864]
"JAWS"=C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe [2010-04-13 4471064]
"Dell Laser Printer 1110 SM_JB"=C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe [2009-08-21 222448]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2010-05-31 323976]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2009-09-23 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2009-09-23 173592]
"Persistence"=C:\Windows\system32\igfxpers.exe [2009-09-23 150552]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-11-16 2054360]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-07-30 2403568]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Qwitter.lnk - C:\Program Files\Qwitter\qwitter.exe

C:\Users\Katherine Moss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
System Access HomeServer.lnk - C:\Program Files\System Access\SAHS.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2009-09-23 218112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
.txt - open -

======List of files/folders created in the last 1 months======

2010-08-02 22:32:24 ----D---- C:\rsit
2010-08-02 22:32:24 ----D---- C:\Program Files\trend micro
2010-08-02 13:23:41 ----A---- C:\Windows\system32\shell32.dll
2010-08-01 22:14:54 ----D---- C:\Users\Katherine Moss\AppData\Roaming\OpenCandy
2010-08-01 22:14:39 ----D---- C:\ProgramData\Winamp Toolbar
2010-08-01 22:14:39 ----D---- C:\Program Files\Winamp Toolbar
2010-07-30 12:33:45 ----D---- C:\mysql-connector-net-6.3.3
2010-07-23 22:54:23 ----A---- C:\dqrzx9z3.exe
2010-07-22 12:53:56 ----D---- C:\ProgramData\MySQL
2010-07-22 12:53:56 ----D---- C:\Program Files\MySQL
2010-07-22 01:00:56 ----A---- C:\sample 2.VBS
2010-07-22 00:57:26 ----A---- C:\sample 1.vbs
2010-07-21 17:42:11 ----H---- C:\Windows\sc2rtl.ini
2010-07-21 17:41:48 ----A---- C:\Windows\system32\msoecmd32.dll
2010-07-21 17:41:47 ----A---- C:\Windows\system32\mstrbscom32.dll
2010-07-21 17:41:27 ----D---- C:\Program Files\Troopanum 2.0
2010-07-21 17:19:46 ----A---- C:\troop2_setup.exe
2010-07-20 01:12:59 ----A---- C:\sample script.VBS
2010-07-16 19:58:01 ----A---- C:\(Demonoid.com)-_Net_4_0_books.torrent
2010-07-16 14:50:51 ----D---- C:\dee251e71c3feac6d5ced24a17323e
2010-07-09 14:32:45 ----D---- C:\Program Files\NirSoft
2010-07-09 14:27:00 ----A---- C:\passrec_setup.exe
2010-07-07 12:02:36 ----D---- C:\Program Files\AEP
2010-07-07 12:02:36 ----A---- C:\Windows\system32\drivers\Netva.sys
2010-07-07 12:02:36 ----A---- C:\Windows\NetCore.dll
2010-07-07 12:02:36 ----A---- C:\Windows\NetAX.dll
2010-07-07 11:59:41 ----A---- C:\Windows\TDIuninstall.exe
2010-07-07 11:59:41 ----A---- C:\Windows\system32\drivers\aeptdipfwd.sys
2010-07-05 20:45:06 ----D---- C:\1001 Sound FX
2010-07-05 20:37:37 ----D---- C:\Program Files\iZotope
2010-07-05 20:31:57 ----D---- C:\ProgramData\Sony
2010-07-05 20:31:36 ----D---- C:\Program Files\Sony
2010-07-05 20:28:46 ----D---- C:\Users\Katherine Moss\AppData\Roaming\Sony

======List of files/folders modified in the last 1 months======

2010-08-02 22:32:34 ----D---- C:\Windows\Temp
2010-08-02 22:32:24 ----D---- C:\Program Files
2010-08-02 22:22:59 ----D---- C:\Windows\System32
2010-08-02 22:08:22 ----D---- C:\Users\Katherine Moss\AppData\Roaming\Qwitter
2010-08-02 22:07:44 ----A---- C:\CYGWIN_SYSLOG.TXT
2010-08-02 17:01:56 ----D---- C:\Windows\system32\config
2010-08-02 15:04:15 ----D---- C:\Windows\winsxs
2010-08-02 15:02:57 ----D---- C:\Windows\Prefetch
2010-08-02 14:59:52 ----SHD---- C:\System Volume Information
2010-08-02 13:23:01 ----D---- C:\Windows\system32\catroot2
2010-08-02 13:22:21 ----D---- C:\Windows\system32\catroot
2010-08-02 01:10:59 ----D---- C:\Windows\system32\NDF
2010-08-01 22:17:28 ----D---- C:\Users\Katherine Moss\AppData\Roaming\Winamp
2010-08-01 22:15:54 ----D---- C:\Program Files\Winamp
2010-08-01 22:14:39 ----HD---- C:\ProgramData
2010-08-01 17:13:38 ----SHD---- C:\Windows\Installer
2010-07-30 18:49:09 ----D---- C:\Windows\inf
2010-07-30 18:49:09 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-07-30 12:35:35 ----RSD---- C:\Windows\assembly
2010-07-30 12:27:48 ----SD---- C:\Users\Katherine Moss\AppData\Roaming\Microsoft
2010-07-30 02:37:23 ----D---- C:\Program Files\SUPERAntiSpyware
2010-07-24 22:16:00 ----D---- C:\Program Files\System Access
2010-07-23 23:08:28 ----D---- C:\Windows\system32\drivers
2010-07-23 21:52:59 ----D---- C:\Program Files\Mozilla Firefox
2010-07-23 21:47:16 ----D---- C:\Windows
2010-07-23 21:47:13 ----D---- C:\Windows\Downloaded Installations
2010-07-23 21:41:12 ----D---- C:\Windows\Minidump
2010-07-22 21:27:54 ----D---- C:\ProgramData\Microsoft Help
2010-07-22 21:23:34 ----A---- C:\Windows\win.ini
2010-07-22 17:37:57 ----D---- C:\Windows\rescache
2010-07-22 01:49:52 ----D---- C:\Windows\system32\inetsrv
2010-07-22 01:49:50 ----D---- C:\Inetpub
2010-07-16 16:22:56 ----RD---- C:\Program Files\Skype
2010-07-16 15:10:42 ----D---- C:\Windows\system32\en-US
2010-07-16 14:57:01 ----D---- C:\Users\Katherine Moss\AppData\Roaming\McTwit
2010-07-14 00:01:32 ----D---- C:\Program Files\SafeConnect
2010-07-10 15:22:22 ----D---- C:\Windows\Downloaded Program Files
2010-07-10 15:03:40 ----D---- C:\Program Files\LWorks
2010-07-09 13:58:01 ----D---- C:\Windows\system32\LogFiles
2010-07-09 00:04:53 ----D---- C:\Users\Katherine Moss\AppData\Roaming\Skype
2010-07-09 00:04:50 ----D---- C:\Users\Katherine Moss\AppData\Roaming\skypePM
2010-07-07 12:02:56 ----D---- C:\Windows\system32\DriverStore
2010-07-05 23:02:02 ----D---- C:\Program Files\Qwitter

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 173648]
R1 AEP_TDI_DRV;AEP NSP Port Forwarder TDI Driver; C:\Windows\system32\DRIVERS\aeptdipfwd.sys [2010-07-07 36659]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2009-07-13 387584]
R1 ehdrv;ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 ISODrive;ISO DVD/CD-ROM Device Driver; \??\C:\Program Files\UltraISO\drivers\ISODrive.sys [2010-01-29 82320]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-26 67656]
R2 eamon;eamon; C:\Windows\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R2 epfwwfpr;epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [2009-12-18 95896]
R2 Freedom Scientific Kernel Manager {D2B4C7A7-7605-4039-89E4-DE5CC69BBE9D};Freedom Scientific Kernel Manager; \??\C:\Windows\system32\fsKMgr.dll [2010-04-13 20512]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2009-06-25 48128]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2009-06-25 44544]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2009-06-25 38400]
R2 Sentinel;Sentinel; C:\Windows\System32\Drivers\SENTINEL.SYS [2008-07-11 92712]
R3 fsvidmir;fsvidmir; C:\Windows\system32\DRIVERS\fsvidmir.sys [2009-10-21 2944]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2009-09-23 4808192]
R3 NetillaVPN;AEP VPN Adapter; C:\Windows\system32\DRIVERS\Netva.sys [2010-07-07 10112]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 OEM02Dev;Creative Camera OEM002 Driver; C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver; C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]
R3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2009-07-13 133120]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-10-09 84992]
R3 SrvHsfHDA;SrvHsfHDA; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 tap0801;TAP-Win32 Adapter V8; C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TdxMrMINI;TdxMrMINI; C:\Windows\system32\DRIVERS\TdxMrMini.sys [2008-02-14 247808]
R3 TdxVGAMINI;TdxVGAMINI; C:\Windows\system32\DRIVERS\TdxVgaMini.sys [2008-02-14 253184]
S2 eamonm;eamonm; C:\Windows\system32\DRIVERS\eamonm.sys []
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter; C:\Windows\system32\DRIVERS\ADM851X.SYS [2004-10-27 22144]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\Windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 FSBRLDSP;Freedom Scientific Braille Display USB driver (fsbrldsp.sys); C:\Windows\system32\DRIVERS\FSBRLDSP.sys [2009-10-21 35352]
S3 fssfltr;FssFltr; C:\Windows\system32\DRIVERS\fssfltr.sys [2009-08-05 54632]
S3 motccgp;Motorola USB Composite Device Driver; C:\Windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
S3 motmodem;Motorola USB CDC ACM Driver; C:\Windows\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 motport;Motorola USB Diagnostic Port; C:\Windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
S3 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12368]
S3 PowerBrl;powerBraille System Driver; \??\C:\Windows\system32\Drivers\powerbrl.sys [2010-04-13 14880]
S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [2009-07-13 5632]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver; C:\Windows\system32\DRIVERS\silabenm.sys [2010-02-02 43520]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver; C:\Windows\system32\DRIVERS\silabser.sys [2010-02-16 63488]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [2009-07-13 28224]
S3 TdxVGAUSB;TARGUS USB 2.0 VGA DOCK DEVICE(USB); C:\Windows\system32\drivers\TdxVGAUSB.sys [2008-02-14 34944]
S3 U2SP;OEM USB to Serial Converter Driver(Philips); C:\Windows\system32\DRIVERS\u2s2kxp.sys [2004-09-01 23296]
S3 USBPNPA;USB PnP Sound Device Interface; C:\Windows\system32\drivers\CM108.sys [2007-06-28 1310720]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [2009-07-13 175824]
S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [2009-07-13 17920]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AppHostSvc;@%windir%\system32\inetsrv\iisres.dll,-30011; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 CISVC;@%systemroot%\system32\CISVC.EXE,-1; C:\Windows\system32\CISVC.EXE [2009-07-13 20480]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R2 FileZilla Server;FileZilla Server FTP server; C:\Program Files\FileZilla Server\FileZilla Server.exe [2009-12-30 703488]
R2 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld --defaults-file=C:\Program Files\MySQL\MySQL Server 5.1\my.ini MySQL []
R2 simptcp;@%SystemRoot%\system32\simptcp.dll,-200; C:\Windows\System32\tcpsvcs.exe [2009-07-13 9216]
R2 System Access Windows Logon Helper;System Access Windows Logon Helper; C:\Program Files\System Access\SAWinlogonMaster.exe [2010-05-06 25816]
R2 U2VSvr;U2VSvr; C:\Windows\system32\U2VSvr.exe [2008-02-01 172032]
R2 W3SVC;@%windir%\system32\inetsrv\iisres.dll,-30003; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 1529728]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 NetMsmqActivator;@C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8195; C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe -NetMsmqActivator []
S2 NetPipeActivator;@C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8197; C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe []
S2 NetTcpActivator;@C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8199; C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe []
S2 OpenSSHd;OpenSSH Server; C:\Program Files\OpenSSH\bin\cygrunsrv.exe [2004-04-18 36864]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-11-16 20680]
S3 fsssvc;Windows Live Family Safety Service; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
S3 JTVNCProxy_11.0;JTVNCProxy_11.0; C:\Program Files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe [2010-04-13 16152]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 MsDepSvc;Web Deployment Agent Service; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -runService:MsDepSvc []
S3 NetillaVPNService;AEP SSL Tunnel Helper Service; C:\Program Files\AEP\SSLTunnel\nvpns.exe [2010-07-07 13824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 OpenVPNService;OpenVPN Service; C:\Program Files\OpenVPN\bin\openvpnserv.exe [2006-10-01 16384]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2010-02-24 1343400]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe []

-----------------EOF-----------------
Just some questions. I just noticed in that log that a bunch of services related to the .NET Framework 4.0 were stopped, as well as one from ESET. This had been getting to me for a few days, and I'm beginning to wonder if this is all caused (at least the Windows Explorer part) by how much extra stuff I threw at my computer at once. You see, I was told to reinstall IIS if I wanted to play with ASP.net eventually, since the person that I had been talking to stopped advocating for ASP.net and third-party server support. Does IIS do that? Cause periodic crashes of other programs when too many of its features are enabled at once?

And also to let you know, the only changes I have made prior to tonight's scan are that I updated Winamp since it had been driving me crazy with its update prompt, and then today when it came through, I applied the patch for the .lnk vulnerability. I hope that that was okay and that it doesn't confuse you too much. Since I have been here for three months, I really try my best to follow the rules. The only sites I've been on lately are trusted sites such as Dell.com, bing.com, Microsoft.com; I've been online a few times to check my college email, and that's about it, as well as downloading a few PDFs along the way. All of them came from reputable sources like the sites I just mentioned. But I don't understand how the entries that say "file missing" can actually exist since I don't touch those deep folders unless I have really good reason to. Any input would be great.
Many thanks,
Chromebuster

Edited by chromebuster, 02 August 2010 - 10:16 PM.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge
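The "(file missing)" and "Unknown owner" entries in the O23 section above, and the Policies\System block in the registry dump, are the parts of this log a responder checks first. "(file missing)" means the service is still registered but its ImagePath points at a binary that is no longer on disk (the v4.0.21006 .NET entries are marked that way, while the installed NGEN service is v4.0.30319); the MySQL line reads C:\Program.exe because the tool lists the ImagePath only up to its first space and the real command line, shown further down in the services list, is an unquoted path containing spaces; EnableLUA=0 with ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 means UAC is switched off. The Python script below applies those checks to lines copied verbatim from the log. It is an added example, not part of the post or of RSIT/HijackThis; the finding texts and the heuristics are assumptions made for this example.

```python
"""Triage of HijackThis/RSIT-style log lines (added example, not part of the
forum post or of either tool). It flags O23 services whose registered binary
is absent or whose publisher is unknown, spots an unquoted ImagePath that the
log tool truncated at its first space, and reads the Policies\\System block
for weakened UAC settings."""
import re

# Sample copied verbatim from the log posted in this thread: a subset of its
# O23 lines plus the Policies\System registry block.
SAMPLE_LOG = r"""
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Web Deployment Agent Service (MsDepSvc) - Unknown owner - C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8201 (NetTcpPortSharing) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: System Access Windows Logon Helper - Serotek Corporation - C:\Program Files\System Access\SAWinlogonMaster.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"""

# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

def parse_o23(log_text):
    """One dict per O23 line: name, owner, path and whether the file is missing."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "owner": m["owner"],
                            "path": m["path"], "missing": m["missing"] is not None})
    return entries

def triage_services(entries):
    """Heuristic findings for a responder to verify by hand (assumed rules)."""
    findings = []
    for e in entries:
        if e["missing"]:
            findings.append(f"{e['name']}: registered binary is not on disk ({e['path']})")
        # The tool prints the ImagePath only up to its first space, so an
        # unquoted 'C:\Program Files\...' command line shows up as 'C:\Program.exe'.
        if re.fullmatch(r"[a-z]:\\program\.exe", e["path"].lower()):
            findings.append(f"{e['name']}: ImagePath is unquoted and contains spaces")
        if e["owner"].lower() == "unknown owner" and not e["missing"]:
            findings.append(f"{e['name']}: no publisher in version info, verify {e['path']}")
    return findings

def parse_policy_block(log_text, key_suffix):
    """Return {value_name: int} for the registry block whose key ends with key_suffix."""
    values, in_block = {}, False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_block = line.lower().rstrip("]").endswith(key_suffix.lower())
            continue
        if in_block:
            m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>-?\d+)$', line)
            if m:
                values[m["name"]] = int(m["val"])
    return values

# (value name, value that weakens UAC, finding text)
UAC_CHECKS = (
    ("EnableLUA", 0, "UAC is disabled (EnableLUA=0): admin processes run fully elevated"),
    ("ConsentPromptBehaviorAdmin", 0, "administrators elevate without any prompt"),
    ("PromptOnSecureDesktop", 0, "elevation prompts are not shown on the secure desktop"),
)

def check_uac(policy):
    return [msg for name, bad, msg in UAC_CHECKS if policy.get(name) == bad]

def triage(log_text):
    return {
        "services": triage_services(parse_o23(log_text)),
        "uac": check_uac(parse_policy_block(log_text, r"Policies\System")),
    }

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section} ==")
        for item in items:
            print(" -", item)
```

Run against the sample it reports three orphaned service registrations, the truncated MySQL ImagePath, the OpenSSH service as unattributed, and all three UAC weaknesses; paste a full log into SAMPLE_LOG to triage it the same way.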


#4 chromebuster

chromebuster
  • Topic Starter

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 03 August 2010 - 12:37 PM

Hi again,
I know you didn't request for me to post the Info.txt file from RSIT, but I figured that I'd look at it from my own educational perspective. A few lines in particular have me puzzled and wondering if this is nothing more than a software issue rather than a malware issue. Puzzling lines are as follows:

=====Application event log=====

Computer Name: KatherineMoss
Event Code: 1000
Message: Faulting application name: Explorer.EXE, version: 6.1.7600.16404, time stamp: 0x4a765076
Faulting module name: FSDomNodeUIA.DLL, version: 10.19.737.0, time stamp: 0x4adfaa45
Exception code: 0xc0000005
Fault offset: 0x00016d96
Faulting process id: 0x600
Faulting application start time: 0x01ca97d4bc53f7ba
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Program Files\Freedom Scientific\Shared\FsDomSrv\2.0\FSDomNodeUIA.DLL
Report Id: eee33041-03cb-11df-8ec0-0023ae1b5b74
Record Number: 413
Source Name: Application Error
Time Written: 20100118005347.000000-000
Event Type: Error
User:
and:
=====Security event log=====

Computer Name: KatherineMoss
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-21-942590297-1784831518-3084477993-1000
Account Name: Katherine Moss
Account Domain: KatherineMoss
Logon ID: 0x4a397
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: Katherine.Moss
Account Domain: GORDON.EDU
Logon GUID: {253C8B79-5C04-A2F7-D3C3-1C1A645400AD}

Target Server:
Target Server Name: Ex07MB2.gordon.edu
Additional Information: exchangeRFR/Ex07MB2.gordon.edu
Process Information:
Process ID: 0x518
Process Name: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Network Information:
Network Address: -
Port: -
I don't understand how in the world that could have gotten there, since I no longer, as of now, use Office 2010. Doesn't Office 14 correspond to that version of Office? And I even did a search for that folder and it just doesn't exist. Any input would be great.

Another thing I find funny is that, if I understood the application part of the log I just posted, it seems like the crashes of Windows Explorer are pointing to one of my screen readers. That DLL file belongs to JAWS 11.0, it seems like. Could it be? Could it be that the solution to this problem is simply reinstalling a program that needs reinstallation anyway? JAWS has always needed reinstallation, but I just never got around to it. Please let me know if you agree or disagree, and depending on what the issue really is, please tell me what you would like me to do next. Thanks so much, and sorry for the double reply. I just realized, like, last night that I forgot to post these questions then. Forgive me, and I look forward to hearing your input.

Many thanks,
Chromebuster


The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge
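The two Event Viewer extracts quoted in the post carry the fields a responder needs: for Application Error 1000, which module faulted and where it lives (a module path outside C:\Windows attributes the crash to a third-party component, and exception code 0xc0000005 is an access violation); for Security 4648, whose credentials a process presented, to which server, and whether the request came from the local machine. The Python script below parses such text dumps section by section, so the two "Account Name" fields of the 4648 event stay distinct, and reports those facts. It is an added example, not from the post or from any Microsoft tool; the sample text is copied (abridged) from the events quoted above, and the classification rules are assumptions made for this example.

```python
"""Field-level triage of Event Viewer text dumps (added example, not part of
the forum post or of any Microsoft tool). Section-aware parsing keeps the two
'Account Name' fields of a 4648 event apart; the classification rules are
assumptions made for this example."""

# Sample text copied (abridged) from the events quoted in the post above.
EVENT_1000 = r"""
Event Code: 1000
Message: Faulting application name: Explorer.EXE, version: 6.1.7600.16404, time stamp: 0x4a765076
Faulting module name: FSDomNodeUIA.DLL, version: 10.19.737.0, time stamp: 0x4adfaa45
Exception code: 0xc0000005
Fault offset: 0x00016d96
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Program Files\Freedom Scientific\Shared\FsDomSrv\2.0\FSDomNodeUIA.DLL
"""

EVENT_4648 = r"""
Event Code: 4648
Message: A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-942590297-1784831518-3084477993-1000
Account Name: Katherine Moss
Account Domain: KatherineMoss
Account Whose Credentials Were Used:
Account Name: Katherine.Moss
Account Domain: GORDON.EDU
Target Server:
Target Server Name: Ex07MB2.gordon.edu
Additional Information: exchangeRFR/Ex07MB2.gordon.edu
Process Information:
Process Name: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Network Information:
Network Address: -
"""

def parse_event(text):
    """Return {"_top": {...}, "<Section>": {...}}. A line ending in ':' with no
    value opens a section; 'Key: value' lines go into the current section."""
    sections, current = {"_top": {}}, "_top"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and ": " not in line:
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition(": ")
        if sep:
            sections[current][key] = value.strip()
    return sections

WINDOWS_DIR = "c:\\windows\\"

def triage_app_error(ev):
    """Attribute a crash to an OS component or a third-party module."""
    top = ev["_top"]
    module_path = top.get("Faulting module path", "")
    return {
        "application": top.get("Faulting application path", ""),
        "module": top.get("Faulting module name", "").split(",")[0],
        "module_path": module_path,
        "origin": ("OS component" if module_path.lower().startswith(WINDOWS_DIR)
                   else "third-party module"),
        # 0xC0000005 is STATUS_ACCESS_VIOLATION (bad pointer dereference).
        "access_violation": top.get("Exception code", "").lower() == "0xc0000005",
    }

def triage_explicit_logon(ev):
    """Who used whose credentials, from which process, against which server."""
    subject = ev.get("Subject", {})
    used = ev.get("Account Whose Credentials Were Used", {})
    subj_id = f"{subject.get('Account Domain')}\\{subject.get('Account Name')}"
    used_id = f"{used.get('Account Domain')}\\{used.get('Account Name')}"
    return {
        "subject": subj_id,
        "credentials_used": used_id,
        "different_identity": subj_id.lower() != used_id.lower(),
        "process": ev.get("Process Information", {}).get("Process Name", ""),
        "target": ev.get("Target Server", {}).get("Target Server Name", ""),
        "service": ev.get("Target Server", {}).get("Additional Information", ""),
        # '-' means the request originated on this machine, not over the network.
        "remote_source": ev.get("Network Information", {}).get("Network Address", "-") != "-",
    }

def triage(text):
    ev = parse_event(text)
    code = ev["_top"].get("Event Code")
    if code == "1000":
        return {"event": 1000, **triage_app_error(ev)}
    if code == "4648":
        return {"event": 4648, **triage_explicit_logon(ev)}
    return {"event": code}
```

For the quoted events this yields a third-party module (FSDomNodeUIA.DLL under the Freedom Scientific folder) as the crashing component in Explorer, and a local Outlook process presenting GORDON.EDU\Katherine.Moss credentials to the Exchange server while the interactive user is the local KatherineMoss\Katherine Moss account. The script reports the facts; deciding whether that is expected for the machine is the responder's call.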


#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 06 August 2010 - 06:04 PM

NOTE: If for some reason you are unable to complete a step(s), skip that step and continue with the rest of the steps. Please describe your problem with the step in your next reply.

Step 1

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
  1. Please download TFC by OldTimer to your desktop.
  2. Open the file and close any other windows.
  3. It will close all programs itself when run; make sure to let it run uninterrupted.
  4. Click the Start button to begin the process. The program should not take long to finish its job.
  5. After it is finished, it should reboot your machine, if not, do this yourself to ensure a complete clean.
Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an ActiveX control to run.
  1. Detects and removes malware ( viruses, worms, trojans, etc. )
  2. Detects and removes grayware and spyware
  3. Restores damage caused by malware to your system.
  4. Notifies about vulnerabilities in installed programs and connected network services.
  5. Multi-platform support for: Windows, Linux, Solaris.
  6. Easy to use with Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Spybot-S&D©® and install Spybot-S&D©® .
  1. Be sure to UNCHECK TeaTimer when presented with the option to install. You can enable it after you are clean.
  2. Run Spybot-S&D©®, go to the Menu Bar at the top, choose Mode and make certain that "Default mode" has a check mark beside it.
  3. Click the button "Search for Updates".
  4. If any updates are found, install them by placing a check mark next to each one and clicking "Download Updates".
  5. If you encounter any error messages while downloading the updates, manually download them from here.
  6. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
  7. Click the button "Check for Problems".
  8. When Spybot-S&D©® is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
  9. Make certain there is a check mark beside all of the RED entries ONLY.
  10. Choose "Fix Selected Problems" and allow Spybot-S&D©® to fix the RED entries.
  11. REBOOT to complete the scan and clear memory.
Note: After Windows loads, Spybot-S&D©® may run again to clean some files that it could not clean during the prior session. Follow the same procedure.

Step 5

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 6

Malwarebytes' Anti-Malware is FREEWARE; however, you may upgrade to the PRO version, which contains real-time protection, scheduled scanning and updating.
  1. Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  2. Double-click on Download_mbam-setup.exe to install the application.
  3. When the installation begins, follow the prompts and do not make any changes to default settings.
  4. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  5. Click Finish.
  6. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself.
  7. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  8. Double-click on mbam-rules.exe to install.
  9. On the Scanner tab, make sure the Perform Quick Scan option is selected.
  10. Click on the Scan button.
  11. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  12. The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  13. When the scan is finished, a message box will say "The scan completed successfully."
  14. At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  15. Make sure that everything is checked, and click Remove Selected.
  16. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  17. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  18. Copy and paste the contents of that report in your next reply and exit MBAM.
  19. Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 7

We need to disconnect your computer from the Internet. By doing this, it prevents any further Internet activity until the removal of malware is complete. You need to make it impossible for viruses, trojan horses, worms and spyware to call for backup once you start to dismantle them. They will continue to infect your computer with new variants while you are connected to the Internet. We also need to prevent hackers from controlling your system and they will try to prevent you from removing the pests they installed on your computer.

Close ALL browser windows (including this one). Exit all processes and items in your System tray.

According to how your computer connects to the Internet, please disconnect your computer from the Internet. Possible means of disconnecting your computer from the Internet include:
  • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
  • Turn your modem off.
  • Disconnect your modem cable from your computer.
  • Turn the device off for Hand-held wireless connections.
  • Some laptops have a switch that will disconnect the laptop from the Internet.
Step 8

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.
Please disable the following program(s):

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.
  1. Right click on the icon in your System Tray.
  2. Click Exit.
  3. Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.
Step 9

Now we will address the HijackThis fixes.
  1. If you have not already done so, please download Trend Micro - HijackThis.
  2. Double click HJTInstall.exe to begin installation.
  3. Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  4. Click Install.
  5. A shortcut will be created on your Desktop and HijackThis will run automatically.
  6. Click the button labeled Do a system scan only.
  7. Click the Scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
  8. Click in the boxes to the left of the following entries to place check marks (make sure not to miss any):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
    O2 - BHO: (no name) - Disabled:{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
    O2 - BHO: (no name) - Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    O2 - BHO: (no name) - Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)

  9. Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.
Step 10

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if any of them apply to your computer problem with being slow to respond.
Slow Computer/browser? Check Here First; It May Not Be Malware
What to do if your Computer is running slowly
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 11

Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "Safe Mode".
-- Post the log in your next reply.

Perform an anti-rootkit (ARK) scan with one of the following:
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  1. Disconnect from the Internet or physically unplug your Internet cable connection.
  2. Clean out your temporary files.
  3. Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  4. Temporarily disable your anti-virus and real-time anti-spyware protection.
  5. After starting the scan, do not use the computer until the scan has completed.
  6. When finished, enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

Step 12

Check to see if you have insecure applications with Secunia Software Inspector. Secunia Software Inspector:
  1. Detects insecure versions of common/popular programs installed on your computer.
  2. Verifies that all Microsoft patches are applied.
  3. Assists you in updating, patching, and protecting your computer.
  4. Activates additional security features in Sun Java.
  5. Runs through your browser. No installation or download is required.
Step 13

A Firewall is an essential part of computer security and you do not appear to have a third party software firewall running on your system. If you have one, and I missed it, please ignore this.

A third party firewall is generally considered to be more effective and more configurable and usually works on both inbound and outbound traffic.

There are several firewalls that provide better protection than the Windows firewalls. Follow these steps to turn off/disable the Windows Firewall before installing a new firewall:
  1. Download the new firewall to your desktop.
  2. Disconnect from the Internet.
    • Click the Pearl button located at the bottom left of the screen, and then on Start Search, type windows firewall then press Enter.
    • Under Control Panel, select Windows Firewall.
    • When the Windows Firewall window appears, select Turn Windows Firewall on or off at the side bar.
    • When the Windows Firewall Settings screen appears, select Turn off Windows Firewall then click OK.
    • Click red X to exit the Windows Firewall Settings screen.
    • NOTE: If you need to turn on the Windows Firewall again, you can follow the steps above to come back to the Windows Firewall Settings screen to turn on the Windows Firewall.
  3. Install the new Firewall.
Do not attempt to run two software firewalls since, like running two antivirus programs, they will possibly cause problems and conflict with each other.

There are a few firewalls available for free that appear to be good and easy to use:

Step 14

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post:
  1. the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  2. the log from MalwareBytes
  3. a new HijackThis log
Please advise me of any problems you still have.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
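As an added example (not code from this post, from the thread's reporter, or from HijackThis itself), here is a small Python parser that walks HijackThis log lines of the kind Step 9 marks for fixing and flags the entries whose target file is gone. The sample lines are constructed from entries quoted in this thread, and the classification rules are this example's own heuristics, not HijackThis's.

```python
"""Flag HijackThis (HJT) log entries that reference files which no longer exist.

Added example for this thread; the rules below are the example's own heuristics
and the sample log is constructed from the kinds of entries the thread quotes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the HijackThis v2.0.4 log format used in the
# thread (a handful of lines only, not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.com/
O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - Disabled:{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Web Deployment Agent Service (MsDepSvc) - Unknown owner - C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A service path that stops at C:\Program.exe: an unquoted ImagePath containing
# "Program Files" was split at the first space (heuristic used by this example).
TRUNCATED_RE = re.compile(r"C:\\Program\.exe \(file missing\)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O2"
    line: str    # the original log line
    reason: str  # why a helper would look at this entry


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header lines, blanks, and the 'Running processes:' block
    code, body = m.group("code"), m.group("body").rstrip()
    if body.endswith("(no file)"):
        # The registry still names a BHO/toolbar whose DLL is gone. HJT cannot
        # verify it, which is why helpers usually have these entries fixed.
        return Finding(code, line, "orphaned entry: target file no longer exists")
    if body.endswith("(file missing)"):
        if TRUNCATED_RE.search(body):
            return Finding(code, line, "service path truncated at a space (likely unquoted ImagePath)")
        return Finding(code, line, "service binary missing on disk")
    if code in ("R0", "R1") and body.endswith("="):
        # Empty IE search/start values, also among the entries Step 9 checks.
        return Finding(code, line, "empty IE search/start value")
    return None


def analyze(log_text: str) -> List[Finding]:
    """Classify every line of an HJT log and return the flagged entries in order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        f = classify(line)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick overview of what needs attention."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
    print(summarize(analyze(SAMPLE_LOG)))
```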

#6 chromebuster

Posted 06 August 2010 - 08:36 PM

Hi again,
Thanks again for all of the information, as I am always curious and trying to find out what is going on. I am going to save your post to a text or MS Word document, so that I can view it offline. Before I run anything though, I am just wondering some stuff. First of all, I'll tell you that all of the .VBS files you saw in the RSIT log are mine, for I was playing with VBScript prior to this happening. And secondly, what is going on? Is this something that is right now unnamed? Do we have a name for this infection if there actually is one? And third and last, I'm wondering about the Office 2010 thing and Eamonm.sys. That file belongs to NOD32, and the question about this I have is, is NOD32 crippled? If so, what in the world could have uprooted and disabled that driver? This is really bothering me since I have tons of security software looking after my computer. WinPatrol is there to help ensure that file extensions don't get changed, that unnecessary startups are not in my way, and to protect my registry since I have the Plus version. I have been meaning to ask someone what registry values and keys I should define in there as I am unafraid to touch that. Please advise. I have NOD32 as my primary antivirus, and that is always updated database-wise. MalwareBytes 1.46 is always working behind NOD to make sure that nothing slipped through. I'm actually thinking about upgrading to the Pro version. I just have to play the game of "Who gets it?" since I have two computers to worry about, but it looks like it's going to be this one, as this is my laptop, and it is the one who seems to have issues. It also bothers me that I'm even having issues since I take constant care of my computers, cleaning them out temp, history, registry, and program wise, always making sure that they get multiple scans with all of my security tools, and taking measures to make sure that Windows is always updated. I experiment a lot, but I'm not foolish. I don't go where I don't know.
If I don't know something, I ask those close to me, as I have a lot of folks in my little group who are computer techies, then I go to the tech support at my college if I absolutely have to. What am I doing wrong? Oh yeah. I also check to make sure that files are intact if even the slightest thing seems out of place. I encrypt the most sensitive of data on my computer, so good luck to those trying to get in there. What have I done? And one more thing. Will the scans fix all of the constant framework issues I've been encountering too? All those services that were stopping for no reason? Please let me know, as I am really curious since I love to learn about these things, but I am also really worried I messed up and lost my watchful eye. Thanks for all your help in advance. Logs will be forthcoming in another reply.

Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#7 chromebuster

Posted 07 August 2010 - 01:40 PM

Hello again,
I'm sorry for the delay on logs, but I think that until I get back from my summer vacation in two days, I'm not going to be able to get anything. The connection I have here is barely strong enough to load this page, so never mind being able to download programs. I did have a question for you though. I've never been able to install the Windows Live Safety scanner from the Internet, but I do have something called Windows Live Safety Scanner that shows up in my programs list. I recognize it as the one that scans for viruses in files that are sent by Windows Live users. Is this the same thing? When it gave me the error, it said, "We were unable to install the scanner. Follow each of the troubleshooting steps below and then try reinstalling." There were no steps shown below, so I was forced to abandon it. And the other thing. Since Trend Micro Housecall is now browser independent, is it a third-opinion scanner worth keeping after use? Let me know. Thanks so much!

Chromebuster


#8 suebaby41

Posted 08 August 2010 - 06:27 AM

Thanks for letting me know.

I did not see any obvious signs of infection but please do the steps as instructed; sometimes, we have to do several things before we find the problem.

I deal with malware removal. The questions you are asking are beyond my expertise. If you like you can post the questions in BleepingComputer's Computer Forum, Windows 7, where the computer experts may help you. Please include a link to this thread so that the computer experts may see what we have done.


Edited by suebaby41, 08 August 2010 - 06:36 AM.


#9 chromebuster

Posted 08 August 2010 - 11:34 AM

If after finishing the steps you kindly gave me, and the services relating to the framework don't repair themselves, I'll go there, but if they end up being fine, and NOD's driver is the only one crippled, I'll know it's malware, right? Thanks.


#10 suebaby41

Posted 08 August 2010 - 12:31 PM

Please post a new HijackThis log and tell me how your computer is behaving. Thanks.

#11 chromebuster

Posted 10 August 2010 - 05:10 PM

Hi,
I'm still here. I'm now doing the scans from the online sites you gave me. I can tell you: Trend Micro Housecall found three files, but they all belonged to the NirSoft password recovery package, so I told it to ignore them seeing that that installation was of my doing. BitDefender found nothing. It had to for some reason, according to the log, upload four of my files for server-side scanning. I don't know why it didn't do the same for all of them. Can you explain that one to me? The four it took to the server, one belonged to JAWS 11.0 which is my screen reader, another belonged to the OpenVPN software, and the two others, I'd have to look up. I'm not sure where the log saved to, but I'll do a search for it after Panda (which is taking forever) finishes scanning. Panda, on that note, did find one infected file, but it is very hard for me to monitor the status since my screen reader keeps moving around on the page. I'll keep it going though. I just wanted to give you an update. Another interesting thing is something I discovered last night. I had plugged in one of my SanDisk Cruzer U3 flash drives in order to move something, and amazingly, Windows Explorer was stable. I can't understand this one, but the only conclusion I can come to is how my laptop, for all of its life as an XP based computer, and now for most of its life running as a Win 7 based computer, it has always had an external drive plugged into it. At one time, that drive served all of its default folders such as the My Documents folder, shared folders that I had going at one point between me and a friend of mine, as well as being my backup drive. Now it serves as my primary hard drive, and any data that does not belong to the operating system stored on the C drive is only for backup. Could it be that the instability of Windows Explorer could be caused in part by the computer looking for its lifeline per se? I know it sounds strange, but overall, it's quite logical, isn't it?
I'll update you as tasks are completed.

Thanks so much,
Chromebuster


#12 chromebuster

Posted 11 August 2010 - 12:45 PM

Hi again,
Here is a new HijackThis log as you requested:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:17:09 PM, on 8/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\OEM02Mon.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe
C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Qwitter\qwitter.exe
C:\Program Files\System Access\SAHS.exe
C:\Program Files\System Access\SAHSHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\fsATProxy.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: AcroIEHelperStub - Disabled:{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - Disabled:{72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: (no name) - Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - Disabled:{DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [JAWS] "C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe" /run
O4 - HKLM\..\Run: [Dell Laser Printer 1110 SM_JB] C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: System Access HomeServer.lnk = C:\Program Files\System Access\SAHS.exe
O4 - Global Startup: Qwitter.lnk = C:\Program Files\Qwitter\qwitter.exe
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: JTVNCProxy_11.0 - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe
O23 - Service: Web Deployment Agent Service (MsDepSvc) - Unknown owner - C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: AEP SSL Tunnel Helper Service (NetillaVPNService) - AEP Networks, Inc. - C:\Program Files\AEP\SSLTunnel\nvpns.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8197 (NetPipeActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8199 (NetTcpActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8201 (NetTcpPortSharing) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: System Access Windows Logon Helper - Serotek Corporation - C:\Program Files\System Access\SAWinlogonMaster.exe
O23 - Service: U2VSvr - Unknown owner - C:\Windows\system32\U2VSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe,-100 (WPFFontCache_v0400) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 10176 bytes
My computer is still acting the same way as far as I can tell, Windows Explorer hanging, Outlook crashing and restarting. I have no idea about the services that were stopped for some unknown reason though. I had to skip some of the steps for now considering some of the programs are inaccessible to screen readers, and right now, there are no sighted people available to read the screen and mouse click on what I can't see with speech output. Steps skipped: running Dr.Web CureIt because of inaccessibility in either safe or normal mode. I'll run it when one of my parents is not busy and can assist in reading the screen. Also skipped: scanning with RootRepeal, due to the following error:
01:03:51: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x00000174)
01:03:51: DeviceIoControl Error! Error Code = 0x1e7
01:03:51: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x00000174)
Maybe you can tell me why in the world that happened? The program runs fine on my other computer. I had some issues also using the Secunia Software Inspector since it kept reporting that there was a problem with running the Java applet in my browser. That also happened on my other computer. But I know for sure that I definitely have JRE 6 installed. SpywareBlaster, though not accessible at all with screen readers, is installed, so it looks as if I'm going to need sighted help as well to configure that one too. That stinks, but it is what it is. Malwarebytes found nothing but another one of the Nirsoft password tools, which I of course told it to ignore. Panda Security never finished scanning since I stopped it because it was taking forever. And that web page wasn't the most accessible thing in the world for screen reader users either. I take back my conclusion in my last reply about the stability of Windows Explorer. That problem still persists. And as far as I know, Outlook still crashes like it has nothing better to do. I would like your advice on some things though. First and foremost, I'm concerned about these security programs I have on here. Like I told you, WinPatrol runs, NOD32 runs, now ZoneAlarm runs its firewall, and now I've got SpywareBlaster in the mix as well along with Spybot's Internet Explorer protection module. I left TeaTimer out as you had requested though. I was thinking of upgrading to the pro version of Malwarebytes, but is that a good idea with all this other stuff? Or can I switch something out for that one? And also, you tell me that I have some extra programs that don't need to start up. What are they, and I'll disable them. Please let me know what I need to do next.
And oh yeah, if the log above still shows the stuff you told me to fix, it appears as if a sighted person is going to have to check those for me as well, seeing that my screen reader does not tell me whether they are checked or unchecked. And Spybot found 43 objects, none of which I know since there was too much other stuff in the way, but if you could give me the location of the logs for Spybot on Windows 7, I'd appreciate that and I'll look it up. Thanks.

Chromebuster


The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#13 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:00 PM

Posted 11 August 2010 - 02:47 PM

Thanks for the update. I cannot explain the usb drive making explorer stable. If it were the other way around, I would think that the usb drive had a virus. Keep me informed about your progress. Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#14 chromebuster

chromebuster
  • Topic Starter

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:01:00 PM

Posted 11 August 2010 - 03:54 PM

Hi,
Here is one more HijackThis log with the stuff you told me to fix taken care of. How does it look now?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:51:27 PM, on 8/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe
C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Freedom Scientific\JAWS\11.0\fsATProxy.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\prevhost.exe
C:\Windows\explorer.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [JAWS] "C:\Program Files\Freedom Scientific\JAWS\11.0\jfw.exe" /run
O4 - HKLM\..\Run: [Dell Laser Printer 1110 SM_JB] C:\Program Files\DELL\Dell Laser Printer 1110\LocalSM\jbDetect.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: JTVNCProxy_11.0 - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe
O23 - Service: Web Deployment Agent Service (MsDepSvc) - Unknown owner - C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: AEP SSL Tunnel Helper Service (NetillaVPNService) - AEP Networks, Inc. - C:\Program Files\AEP\SSLTunnel\nvpns.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8197 (NetPipeActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8199 (NetTcpActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\\ServiceModelInstallRC.dll,-8201 (NetTcpPortSharing) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe (file missing)
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: System Access Windows Logon Helper - Serotek Corporation - C:\Program Files\System Access\SAWinlogonMaster.exe
O23 - Service: U2VSvr - Unknown owner - C:\Windows\system32\U2VSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe,-100 (WPFFontCache_v0400) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 8749

By the way, another question for you. Two actually. Remember how I told you that RootRepeal showed an error when I tried to use it but it runs fine on my other computer? What happened there? I'm just curious. And in that last log, there are a few O23s, which I understand are service entries. Some of them have a "file missing" remark next to them. Do I need to do anything with those? Any further advice would be wonderful. And in reference to behavior, everything's still the same. I tried Windows Explorer again, and it hung as usual, and when I selected to close the program, as usual, it gave me the sound as if I were logging off and back on my computer. That's not new either. What do you think? Any further advice would be much appreciated. I also want to apologize if it seems as if we're not getting anywhere. I'm as stumped as you are, I think.

Many thanks,
Chromebuster

Edited by chromebuster, 11 August 2010 - 04:04 PM.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:00 PM

Posted 12 August 2010 - 01:42 PM

QUOTE
And in that last log, there are a few O23s, which I understand are service entries. Some of them have a "file missing" remark next to them. Do I need to do anything with those?

You will see (file missing) in some of the lines in different sections. You can only rely on that to be true in the sections for BHOs and Toolbars (O2s & O3s).

When you see (file missing) in other sections, it may really NOT be missing. You will see it in the O9s and the O23s especially. The only time you should fix the (file missing) in those sections is IF AND ONLY IF you see a *bad* file there. Be aware that "fixing" doesn't remove the malware either. It's important to have them manually delete the file as well (plus any other recommended removal methods).

Except for the 02 & 03 Sections, good items listed in other sections with (file missing) should be left alone. Most often they ARE there but HJT doesn't see the file.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
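The section rule in the reply above, turned into a small log triage script. This is an added example, not code from the thread or from HijackThis: it parses HJT v2 entry lines, strips the "(file missing)" marker, and sorts entries into "fix-orphan" (O2/O3, where the marker is reliable) or "verify-manually" (everywhere else); the verdict names and the sample O3 line with a placeholder CLSID are constructed for the example.

```python
# Added example, not from the thread or from HijackThis: it encodes the rule
# given in the reply above, that "(file missing)" is only trustworthy in the
# O2 (BHO) and O3 (Toolbar) sections and elsewhere calls for a manual check.
import re
from dataclasses import dataclass
from typing import Optional

MISSING_MARK = "(file missing)"
RELIABLE_SECTIONS = {"O2", "O3"}     # only sections where the marker can be trusted
PRESENT = "present"                  # no marker: HJT saw the file
FIX_ORPHAN = "fix-orphan"            # marker in O2/O3: the entry points at nothing
VERIFY_MANUALLY = "verify-manually"  # marker elsewhere: confirm on disk before acting
# Entry layout: "<section> - <type>: <name> - <CLSID or owner> - <path>".
_ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

@dataclass
class Entry:
    section: str   # "O2", "O23", "R1", ...
    name: str      # e.g. "ESET Service (ekrn)"; may itself contain " - "
    path: str      # last " - " field: file path or URL, "" if the line has none
    missing: bool  # line carried the "(file missing)" marker

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; None for headers, blanks and the process list."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    missing = body.endswith(MISSING_MARK)
    if missing:
        body = body[: -len(MISSING_MARK)].rstrip()
    fields = body.split(" - ")
    # Names may contain " - " themselves, so the name is everything before the last two fields.
    name = " - ".join(fields[:-2]) if len(fields) >= 3 else fields[0]
    path = fields[-1] if len(fields) >= 2 else ""
    return Entry(m.group("section"), name.split(": ", 1)[-1], path, missing)

def triage(entry: Entry) -> str:
    """Verdict for one entry under the O2/O3 rule."""
    if not entry.missing:
        return PRESENT
    return FIX_ORPHAN if entry.section in RELIABLE_SECTIONS else VERIFY_MANUALLY

def triage_log(text: str) -> dict:
    """Group every entry of a log by verdict."""
    groups = {PRESENT: [], FIX_ORPHAN: [], VERIFY_MANUALLY: []}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            groups[triage(entry)].append(entry)
    return groups

# Constructed sample in HJT v2 format: the O3 line is made up (placeholder CLSID);
# the other lines mirror entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Example Toolbar - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\extoolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Web Deployment Agent Service (MsDepSvc) - Unknown owner - C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""
```

Entries in the "verify-manually" group are the ones to check on the machine itself (for example with `os.path.exists` on the reported path) rather than fix in HJT.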



