not sure if virus or spyware or malware


This topic is locked
32 replies to this topic

#1 econcrete

  • Members
  • 19 posts

Posted 21 October 2010 - 01:09 AM

I have updated and run Spybot Search & Destroy and Malwarebytes in safe mode several times. When I run msconfig I now see, in the startup menu, xygio at the top, then ifocSrv, then ifocSrvSrv; this is repeated about 50 times, each with another Srv added to each item progressively, then ocbuiSrv 8 times with another Srv added to each new item, then TameSrv with another Srv added to the next item about 30 more times. I have saved the logs that are suggested. If anyone is familiar with this problem please let me know what to post. Thank you for the help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:56:48 PM, on 10/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\Edward Eslinger\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z002&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80099&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80099
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80099&lng=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80099
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\windows\system32\servicessrv.exe,c:\windows\system32\lsasssrvsrvsrv.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O2 - BHO: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (file missing)
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [{8461978B-D21C-A021-D989-081BEF789967}] "C:\Documents and Settings\Edward Eslinger\Application Data\Fomo\xygio.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000010.0000002f&b=00000082.00000049.000000b9&c=00000082.00000049.000000bb
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: qiynh.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: ruvyc.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: wimy.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: qiynh.exe (User 'Default user')
O4 - .DEFAULT Startup: ruvyc.exe (User 'Default user')
O4 - .DEFAULT Startup: wimy.exe (User 'Default user')
O4 - .DEFAULT User Startup: qiynh.exe (User 'Default user')
O4 - .DEFAULT User Startup: ruvyc.exe (User 'Default user')
O4 - .DEFAULT User Startup: wimy.exe (User 'Default user')
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O4 - Startup: ocbuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
O8 - Extra context menu item: &Search - http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000428&p=Z1xdm00330US&si=&a=D396BD11-040A-4D2D-8FEE-0DF5F87C7300&n=2010091800
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188484112296
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10403 bytes
unknown last code section [0x03459000, 0xB000, 0xE0000020]

I have to run Malwarebytes and Spybot in safe mode to remove infected files. The first time there were over 3000 files infected. Most of them had SrvSrv repetitively in the file name. I could not attach the Ark.txt file because it was too big to upload.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Edward Eslinger at 3:53:21.90 on Sat 10/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.286 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Edward Eslinger\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Edward Eslinger\My Documents\Downloads\dds.com
C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\RarSFX0\ETPATHSSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\RarSFX0\FISrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\cscriptSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\RarSFX0\WREGSSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\RarSFX0\WREGSSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\cmdSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\SYSTEM32\findstrSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\findSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\cmdSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\findSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\RarSFX0\ETPATHSSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\findstrSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\cmdSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\DOCUME~1\EDWARD~1\LOCALS~1\Temp\RarSFX0\FISrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
C:\WINDOWS\system32\cscriptSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z002&form=ZGAPHP
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80099&lng=en
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80099
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\windows\system32\lsasssrvsrv.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: {CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7} - No File
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.1.19&build=Symantec&a=00000082.00000010.0000002f&b=00000082.00000049.000000b9&c=00000082.00000049.000000bb
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-explorer: HideRunAsVerb = 1 (0x1)
IE: &Search - http://tbedits.mywebsearch.com/one-toolbaredits/menusearch.jhtml?s=100000428&p=Z1xdm00330US&si=&a=D396BD11-040A-4D2D-8FEE-0DF5F87C7300&n=2010091800
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on CD - c:\ahd4withthesaurus\ahd.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188484112296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edward~1\applic~1\mozilla\firefox\profiles\u4fkfs53.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BO2TDF&PC=B8MS&q=
FF - prefs.js: browser.search.selectedEngine - My Way
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en&btnG=Google+Search|http://www.wunderground.com/cgi-bin/findweather/getForecast?query=67547&MR=1|https://login.yahoo.com/config/login?.src=fpctx&.done=http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm00330US&ptb=D396BD11-040A-4D2D-8FEE-0DF5F87C7300&psa=&ind=2010091800&ptnrS=Z1xdm00330US&si=&st=kwd&n=77cf9118&searchfor=
FF - component: c:\documents and settings\edward eslinger\application data\mozilla\firefox\profiles\u4fkfs53.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - HiddenExtension: XULRunner: {F5F65858-38B4-4478-98F5-E0845CCBABC4} - c:\documents and settings\edward eslinger\local settings\application data\{F5F65858-38B4-4478-98F5-E0845CCBABC4}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-10-16 03:53 43,520 a------- c:\windows\system32\findstrSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 03:08 43,520 a------- c:\windows\ExplorerSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 02:25 43,520 a------- c:\windows\system32\rundll32SrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 01:50 43,520 a------- c:\windows\system32\NOTEPADSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 01:46 43,520 a------- c:\windows\system32\wuaucltSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 01:44 43,520 -------- c:\windows\system32\lsassSrvSrv.exe
2010-10-15 19:34 974,848 -c------ c:\windows\system32\dllcache\mfc42.dll
2010-10-15 19:34 953,856 -c------ c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 19:34 617,472 -c------ c:\windows\system32\dllcache\comctl32.dll
2010-10-15 19:33 602,112 a------- c:\windows\system32\SET80.tmp
2010-10-15 19:33 55,296 a------- c:\windows\system32\SET7F.tmp
2010-10-15 19:33 916,480 a------- c:\windows\system32\SET79.tmp
2010-10-15 19:33 5,957,120 a------- c:\windows\system32\SET7E.tmp
2010-10-15 19:33 1,986,560 a------- c:\windows\system32\SET84.tmp
2010-10-15 19:33 1,210,880 a------- c:\windows\system32\SET7A.tmp
2010-10-15 19:33 11,080,192 a------- c:\windows\system32\SET86.tmp
2010-10-15 19:32 <DIR> --d-h--- c:\windows\$hf_mig$
2010-10-15 19:31 590,848 a------- c:\windows\system32\SET28.tmp
2010-10-13 11:47 <DIR> --d----- c:\program files\system
2010-10-07 21:32 <DIR> --d----- C:\5b051a9f1733d0f90553d02c
2010-10-01 07:04 120 a------- c:\windows\Uqatip.dat
2010-10-01 07:04 0 a------- c:\windows\Uyasur.bin
2010-09-27 08:34 <DIR> --d----- c:\program files\sy4
2010-09-18 02:28 664 a------- c:\windows\system32\d3d9caps.dat
2010-09-17 22:23 <DIR> --d----- c:\docume~1\edward~1\applic~1\MozillaControl
2010-09-17 22:21 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2010-09-17 22:19 <DIR> --d----- c:\program files\Graboid
2010-09-17 21:51 <DIR> --d----- c:\program files\FilmFanaticEI
2010-09-17 21:19 <DIR> --d----- c:\program files\Search Toolbar

==================== Find3M ====================

2010-10-16 03:53 43,520 a------- c:\windows\system32\cscriptSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 03:49 43,520 a------- c:\windows\system32\verclsidSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 03:12 43,520 a------- c:\windows\ExplorerSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 03:07 43,520 a------- c:\windows\system32\wuaucltSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 02:26 43,520 a------- c:\windows\system32\rundll32SrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-10-16 02:25 43,520 a------- c:\windows\system32\rundll32SrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe
2010-09-19 06:36 671,744 a------- c:\program files\msvcr80.dll
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 01:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 01:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 01:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-10 00:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-01 06:51 285,824 a------- c:\windows\system32\SETF9.tmp
2010-08-31 08:42 1,852,800 a------- c:\windows\system32\win32k.sys
2010-08-27 03:02 119,808 a------- c:\windows\system32\SETE7.tmp
2010-08-27 00:57 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 08:39 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 07:52 5,120 -------- c:\windows\system32\SETF2.tmp
2010-08-23 11:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 08:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-07-22 10:49 590,848 -------- c:\windows\system32\rpcrt4.dll
2010-07-22 00:57 5,120 -------- c:\windows\system32\xpsp4res.dll
2009-07-17 12:55 300,848 a------- c:\documents and settings\all users\dcmsvcsetup.exe
2009-07-17 12:55 9,960 a------- c:\documents and settings\all users\invokesi.exe
2008-03-26 07:04 938 a------- c:\program files\pink floyd time.m3u
2008-03-20 09:03 60,968 -------- c:\documents and settings\edward eslinger\GoToAssistDownloadHelper.exe
2007-03-27 19:40 4,148,736 -------- c:\program files\DWGVIEWR.msi
2007-03-27 19:40 230,400 -------- c:\program files\SetupRes.dll
2007-03-27 19:40 6,114 -------- c:\program files\Setup.ini
2007-02-12 02:07 150,632 -------- c:\program files\AcDelTree.exe
2007-02-12 02:07 440,424 -------- c:\program files\SetupAcadUi.dll
2007-02-12 02:07 431,208 -------- c:\program files\SetupUi.dll
2007-02-12 02:07 93,800 -------- c:\program files\LiteHtml.dll
2005-09-23 10:56 479,232 -------- c:\program files\msvcm80.dll
2005-09-23 03:22 522 -------- c:\program files\Microsoft.VC80.CRT.manifest
2005-09-23 03:05 548,864 -------- c:\program files\msvcp80.dll
2004-05-04 15:53 1,645,320 -------- c:\program files\gdiplus.dll
2003-09-25 16:54 25,214 -------- c:\program files\no_icon.ico
2009-12-12 01:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2009-12-12 01:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\internet explorer\domstore\index.dat
2009-12-10 11:02 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121020091211\index.dat
2009-12-12 23:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121220091213\index.dat

============= FINISH: 3:56:24.60 ===============
Attached File: Attach.txt (9.38KB)

EDIT: Topics and posts merged ~BP

Edited by Budapest, 28 October 2010 - 04:08 PM.


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:55 PM

Posted 30 October 2010 - 07:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 econcrete

econcrete
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 31 October 2010 - 04:22 PM

I could not copy and paste the GMER file, nor could I attach it; I think the file was too big. I tried to zip it, but that did not work. I have run Spybot twice in safe mode and got nothing on the second try. I ran Malwarebytes in safe mode quick scan once and deleted many files, then did a full scan in safe mode and got rid of many more files with the full scan. What do you want me to do to get the GMER log?



OTL Extras logfile created on: 10/30/2010 9:04:45 PM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Edward Eslinger\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 412.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 71.37 Gb Free Space | 76.61% Space Free | Partition Type: NTFS

Computer Name: ECRMLAPTOP | User Name: Edward Eslinger | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"59714:TCP" = 59714:TCP:*:Disabled:emule
"24490:UDP" = 24490:UDP:*:Disabled:emule
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe:*:Enabled:hpqgpc01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Disabled:µTorrent -- File not found
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour -- File not found
"C:\Program Files\eMule\emule.exe" = C:\Program Files\eMule\emule.exe:*:Disabled:eMule -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Disabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Disabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Disabled:hposid01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe:*:Disabled:hpqgpc01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Disabled:hpqnrs08.exe -- File not found
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Disabled:hpqphotocrm.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Disabled:hpqpsapp.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Disabled:hpqpse.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Disabled:hpqscnvw.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Disabled:hpqsudi.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Disabled:hpqtra08.exe -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes -- (Apple Inc.)
"C:\Program Files\360Share Pro\jre\bin\javaw.exe" = C:\Program Files\360Share Pro\jre\bin\javaw.exe:*:Disabled:Java™ Platform SE Binary -- (Sun Microsystems, Inc.)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Disabled:LimeWire -- File not found
"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Disabled:QuickBooks 2007 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Disabled:smartwebprintexe.exe -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{034759DA-E21A-4795-BFB3-C66D17FAD183}" = Sophos Anti-Virus
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{497072FE-0A75-4E5C-A5B7-EB1FA67F66F1}" = DJ_AIO_05_F4400_Software_Min
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{5AEBB4A3-6878-4CEE-AD34-0F6958A983F0}" = HP Deskjet F4400 Printer Driver 13.0 Rel .5
"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005 with USB GPS
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7E545666-F426-45FD-B3DF-C0B99A1A579F}" = QuickBooks Premier: Contractor Edition 2007
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.4
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B1A9CD45-A702-4E3B-91ED-8CD562869901}" = DWG TrueView 2008
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E33A4D86-8941-41CB-9DF7-466FACB3ADF2}" = Belkin F5U249 Driver and Icon
"{E65CA2A8-1F2A-4400-AE55-FFD43D3B6980}" = c4200_Help
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F13843E5-C2B8-4904-8051-0FEE27773396}" = Connex
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.5
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FE0C305A-37EE-4499-B4CF-0182E37B20C4}" = PS_AIO_ProductContext
"{FF11005D-CBC8-45D5-A288-25C7BB304121}" = Sophos Remote Management System
"2Wire SetupWiz" = AT&T Yahoo! High Speed Internet Home Networking Installer
"360Share Pro" = 360Share Pro(remove only)
"A106663FD3361BDFACB045D83EBA03858EB1E411" = Windows Driver Package - FTDI CDM Driver Package (03/13/2008 2.04.06)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
"dcmsvc_is1" = dcmsvc 1.0
"DWG TrueView 2008" = DWG TrueView 2008
"F2F24872454C7CAEAABD8BB063F70FBEFF01989D" = Windows Driver Package - FTDI CDM Driver Package (03/13/2008 2.04.06)
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Inkscape" = Inkscape 0.46
"KandaInst_EREFCD_1_0" = American Heritage® Dictionary, 4th Ed.
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"NavigationAdvisor" = NavigationAdvisor
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel® PROSet/Wireless Software
"SignCut-X2" = SignCut-X2 (remove only)
"TomTom HOME" = TomTom HOME 2.6.1.1549
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-602162358-1547161642-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/19/2010 12:17:45 PM | Computer Name = ECRMLAPTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 9/19/2010 12:18:19 PM | Computer Name = ECRMLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3909, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 9/19/2010 12:40:40 PM | Computer Name = ECRMLAPTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 9/22/2010 9:29:09 PM | Computer Name = ECRMLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.46.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/19/2010 12:49:15 AM | Computer Name = ECRMLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application msconfig.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/19/2010 12:49:29 AM | Computer Name = ECRMLAPTOP | Source = Application Hang | ID = 1001
Description = Fault bucket 745609629.

Error - 10/24/2010 3:27:45 AM | Computer Name = ECRMLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.46.0.1, faulting module mbam.dll,
version 1.46.0.0, fault address 0x00001683.

Error - 10/24/2010 7:14:34 AM | Computer Name = ECRMLAPTOP | Source = Application Error | ID = 1001
Description = Fault bucket 1124491857.

Error - 10/28/2010 3:41:27 AM | Computer Name = ECRMLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.46.0.1, faulting module mbam.dll,
version 1.46.0.0, fault address 0x00001683.

Error - 10/28/2010 3:44:10 AM | Computer Name = ECRMLAPTOP | Source = Application Error | ID = 1001
Description = Fault bucket 1124491857.

[ System Events ]
Error - 10/30/2010 7:17:54 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 10/30/2010 7:17:54 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 10/30/2010 7:17:54 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 10/30/2010 7:17:54 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 10/30/2010 7:17:54 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7001
Description = The Windows Service Pack Installer update service service depends
on the Security Accounts Manager service which failed to start because of the following
error: %%1058

Error - 10/30/2010 7:17:54 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 OMCI RasAcd Rdbss SAVOnAccessControl
SAVOnAccessFilter
Tcpip

Error - 10/30/2010 9:50:43 PM | Computer Name = ECRMLAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/30/2010 9:52:18 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7000
Description = The hpdj00 service failed to start due to the following error: %%2

Error - 10/30/2010 9:52:18 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7001
Description = The Windows Service Pack Installer update service service depends
on the Security Accounts Manager service which failed to start because of the following
error: %%1058

Error - 10/30/2010 9:52:18 PM | Computer Name = ECRMLAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde


< End of report >

#4 econcrete

econcrete
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 31 October 2010 - 04:45 PM

After posting the last reply I shut down the computer and I got a blue screen message saying there was a serious problem. It had a full page explanation and my computer locked up; I had to disconnect from power and remove the battery. When I started it again it was very slow, then said it had recovered from a serious error; I hit send to report the error. When I finally got to the desktop there were many new files on there that were named gmerSrvSrvSrvSrv etc etc. I shut the computer off and am waiting for your instructions.

#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:55 PM

Posted 31 October 2010 - 05:03 PM

Hello, econcrete.

This may not be recoverable.

It appears to be a file infector called Ramnit. If caught early, I've had very good success in restoring it. However, this is a fairly advanced infection. I'm more than willing to give it a go if you want to.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
Step 1

First, you only posted the extras.txt OTL log, I really need OTL.txt. Can you try and find it and post it here? It should be in the same directory that you saved and ran OTL from.
Step 2


Did you run Spyware Doctor and MBAM before or after the OTL report? Please don't run any tools unless I've specified it as it throws away all the work we did before.

Please post the MBAM logs here from the last few times you ran it. You can attach them. You can find them at:
C:\Documents and Settings\(Your Profile Name)\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs



Step 3

I will PM you my email address to send the GMER txt file to.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 econcrete (Topic Starter, Members, 19 posts)

Posted 31 October 2010 - 08:33 PM

It won't even boot up now.

#7 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 01 November 2010 - 05:51 PM

Not surprising, it is a very, very sick machine. Are you able to reformat? I may be able to help you recover some files if you want to. We can try to recover the computer without a reformat, but it is very unlikely with a Ramnit infection this advanced that we will be able to recover it. I can help you reformat as well. Please let me know how you want to proceed.


 


#8 econcrete (Topic Starter, Members, 19 posts)

Posted 01 November 2010 - 08:16 PM

I have burned all the pictures to a CD. Will they be a risk to view after the format? I am ready to format. Don't know how; I will need your help. What operating system can I reinstall, and what will it cost me to reinstall my programs (MS Office, Adobe)? I would be happy with a bare-bones installation without all the unnecessary programs.

Tell me what to do.

#9 econcrete (Topic Starter, Members, 19 posts)

Posted 02 November 2010 - 12:01 AM

I will run malwarebytes in safe mode again. It seems to be the only thing that keeps the computer working. Then I will wait for your direction.

#10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 02 November 2010 - 06:05 PM

Hello, econcrete.
If you're able to get into safe mode, we can try a few more things. With 928 files in the email you sent me, this may be long gone.

We do need to worry about your photos, but we can scan that once we reformat and clean it if anything jumped over. You'll need your Windows Installation CD. As for programs, you need the license key. It should be on the CD. If your computer was purchased new, and did not come with a windows CD, please let me know the brand and model of your computer as many ship with a recovery partition we can activate.

If worse gets to worse, there are freeware apps that are pretty good that work with MS Office Documents.

If you want to try to clean first, we can try this. I can't guarantee your computer will boot after this, but it won't keep working much longer with this infection.

Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


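A practical check for the photos that were burned to CD before the rebuild, as an added example that is not part of this thread and not code from ComboFix, MBAM or any other tool mentioned here: before copying the backup onto the freshly installed machine, verify that every file really is the image its extension claims, by its leading bytes, and reject anything that carries an executable header regardless of name. A file infector on the old machine cannot turn a real JPEG into a program, but a backup made from a compromised system can easily pick up renamed executables or stray HTML files, and those are the ones to hold back until an up-to-date scanner has looked at them. The sample "photo CD" directory is constructed inside the script; the function and file names are assumptions for the illustration.

```python
import tempfile
from pathlib import Path

# Leading bytes we expect for the image types we are willing to restore.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

# Headers that mean "this is a program", whatever the file is called.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable (DOS/Windows)",
    b"\x7fELF": "ELF executable",
}


def classify(path):
    """Return (verdict, reason) for one file on the backup medium.

    verdict is 'ok' (image header matches extension), 'reject' (executable
    content, or content that contradicts the extension) or 'review'
    (not an image type we recognise; needs a scanner, not a photo viewer).
    """
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return ("reject", f"starts with {desc} header")
    if ext not in IMAGE_MAGIC:
        return ("review", f"unexpected extension {ext or '(none)'}")
    if not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
        return ("reject", "content does not match extension")
    return ("ok", "image header matches extension")


def audit_backup(root):
    """Walk the backup directory and classify every regular file.

    Returns {relative_path: (verdict, reason)} so the caller can decide
    what to copy, what to scan and what to leave on the disc.
    """
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            results[str(p.relative_to(root))] = classify(p)
    return results


def build_sample_backup():
    """Constructed sample data standing in for the photo CD (assumption)."""
    root = Path(tempfile.mkdtemp(prefix="photo_cd_"))
    # Two genuine images (minimal valid headers, padded).
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # A Windows executable that was given an image name: must be rejected.
    (root / "summer.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)
    # Files that are not photos at all: hold for a scanner, not a viewer.
    (root / "album.htm").write_bytes(b"<html><script>x()</script></html>")
    (root / "readme.txt").write_bytes(b"just text")
    return root


if __name__ == "__main__":
    sample = build_sample_backup()
    for name, (verdict, reason) in audit_backup(sample).items():
        print(f"{verdict:7} {name:12} {reason}")
```

The verdicts are deliberately conservative: anything that is not a recognised image is sent to "review" rather than silently copied, because the point of the exercise is to avoid carrying the old machine's problems onto the new one. This is a gatekeeper for a photo restore, not an anti-virus scan; the files marked "review" and "reject" still need a scanner before anyone opens them.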
 


#11 econcrete (Topic Starter, Members, 19 posts)

Posted 02 November 2010 - 07:21 PM

Do I do this in safe mode?

#12 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 02 November 2010 - 09:15 PM

Regular if possible, but safe mode if not.


 


#13 econcrete (Topic Starter, Members, 19 posts)

Posted 02 November 2010 - 09:43 PM

Tried to copy and paste in fast reply. Paste was too large. Attached File: ComboFix.txt (446.46KB, 2 downloads)

#14 econcrete (Topic Starter, Members, 19 posts)

Posted 02 November 2010 - 09:46 PM

Tried to attach the file; it said it was too big to upload.

#15 econcrete (Topic Starter, Members, 19 posts)

Posted 02 November 2010 - 09:49 PM

Can I email the file to you?
