POSSIBLE ROOTKIT


6 replies to this topic

#1 senseless

Posted 06 April 2012 - 01:44 PM

Computer is inherited, laden with programs of all kinds.
It's slow.
Dell Inspiron 530, 2 GB RAM, 200+ GB HD, Intel dual core 2.2 GHz.
HD pretty full.
27% fragmented, according to Defraggler.
Lots of accessories like the games, and the Windows defrag tool, are gone.

I have been wading through the uninstall process.
Several programs seem to lack the necessary uninstall info.
Am considering a format!

Spybot found bunches of the usual adware, cookies, PUPs, etc.
Lots of toolbars.
Avast scan showed several entries called Win32:Rootkit-gen and quarantined them.


I ran DDS, then Defogger, then GMER, but GMER crashes to a BSOD with a BAD_POOL_HEADER error.

DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by cheryl at 14:15:44 on 2012-04-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1297 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\dumprep.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net?cid=083109
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081028
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {1036AD63-AEAC-460B-9060-C96005D4DC86} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TheBflix Class: {78d5d320-985a-4435-ba9d-e153ce328680} - c:\documents and settings\all users\application data\thebflix\bhoclass.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Privacy Safeguard BHO: {a42d2eb4-dd31-4bb5-8aa5-8d4e04806dbe} - c:\program files\privacysafeguard\PrivacySafeGuard.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {9DA1BCF1-77F5-41C5-B7C3-C597DC20752C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [NPSStartup]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {D85B4BE2-07C3-422f-ADE9-B1A2C7D25224} - c:\documents and settings\cheryl1.chpc\desktop\WPT Poker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: mypoints.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268593046807
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268593041370
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bookworm_adventures/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-23 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-25 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-25 314456]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2012-4-5 21752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-25 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-25 44768]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-9-7 238952]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 2152152]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-9-7 36608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-6 136176]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe" --> c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-6 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-11-15 33792]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2012-04-06 17:35:47 388096 ----a-r- c:\documents and settings\cheryl\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-04-06 17:35:46 -------- d-----w- c:\program files\Trend Micro
2012-04-06 04:12:08 -------- d-----w- c:\documents and settings\cheryl\application data\Ad-Aware Antivirus
2012-04-06 03:30:39 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\PackageAware
2012-04-06 03:29:52 -------- d-----w- c:\documents and settings\cheryl\application data\IObit
2012-04-06 03:25:34 97280 ----a-w- c:\documents and settings\cheryl\local settings\application data\UrlManager.exe
2012-04-06 01:08:38 -------- d-----w- c:\program files\Defraggler
2012-04-06 01:07:59 -------- d-----w- c:\program files\HWiNFO32
2012-04-06 01:07:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-06 01:07:29 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-04-06 00:55:47 -------- d-----w- c:\windows\pss
2012-04-06 00:16:47 -------- d-----w- c:\documents and settings\cheryl\application data\FCTB000100815
2012-04-05 23:56:51 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\blekkotb_015
2012-04-05 23:54:12 21504 ------w- c:\windows\system32\hidserv.dll
2012-04-05 23:54:12 21504 ------w- c:\windows\system32\dllcache\hidserv.dll
2012-04-05 18:49:04 -------- d-----w- c:\program files\Bucksbee Loyalty Plugin - 100815
2012-04-05 18:48:54 -------- d-----w- c:\program files\PrivacySafeGuard
2012-04-05 18:48:24 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
2012-04-03 23:48:37 418464 ------w- c:\windows\system32\FlashPlayerApp.exe
2012-03-31 23:42:07 -------- d-----w- c:\program files\common files\Steam
2012-03-31 22:02:51 -------- d-----w- c:\program files\AWS
2012-03-28 22:14:58 -------- d-----w- c:\program files\VideoLAN
2012-03-22 19:12:12 4435968 ------w- c:\windows\system32\GPhotos.scr
2012-03-14 23:01:30 -------- d-----w- c:\documents and settings\cheryl\application data\Macrovision
2012-03-14 23:00:58 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\Sonic_Solutions
2012-03-14 22:31:09 267272 ------w- c:\windows\system32\xactengine2_10.dll
2012-03-14 22:31:07 444776 ------w- c:\windows\system32\d3dx10_36.dll
2012-03-14 22:31:07 1374232 ------w- c:\windows\system32\D3DCompiler_36.dll
2012-03-14 22:31:06 3734536 ------w- c:\windows\system32\d3dx9_36.dll
2012-03-14 22:31:04 267112 ------w- c:\windows\system32\xactengine2_9.dll
2012-03-14 22:31:01 444776 ------w- c:\windows\system32\d3dx10_35.dll
2012-03-14 22:30:59 1358192 ------w- c:\windows\system32\D3DCompiler_35.dll
2012-03-14 22:30:57 3727720 ------w- c:\windows\system32\d3dx9_35.dll
2012-03-14 22:30:53 266088 ------w- c:\windows\system32\xactengine2_8.dll
2012-03-14 22:30:53 17928 ------w- c:\windows\system32\X3DAudio1_2.dll
2012-03-14 22:30:51 443752 ------w- c:\windows\system32\d3dx10_34.dll
2012-03-14 22:30:51 1124720 ------w- c:\windows\system32\D3DCompiler_34.dll
2012-03-14 22:30:47 3497832 ------w- c:\windows\system32\d3dx9_34.dll
2012-03-14 22:30:41 81768 ------w- c:\windows\system32\xinput1_3.dll
2012-03-14 22:30:34 261480 ------w- c:\windows\system32\xactengine2_7.dll
2012-03-14 22:30:27 443752 ------w- c:\windows\system32\d3dx10_33.dll
2012-03-14 22:30:27 1123696 ------w- c:\windows\system32\D3DCompiler_33.dll
2012-03-14 22:25:35 -------- d-----w- c:\documents and settings\cheryl\application data\Roxio Log Files
2012-03-13 22:18:21 -------- d-----w- c:\documents and settings\all users\application data\Premium
2012-03-13 22:12:46 -------- d-----w- c:\documents and settings\all users\application data\TheBflix
2012-03-13 22:12:10 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-03-12 20:13:35 -------- d-----w- c:\program files\Full Tilt Poker.Net
2012-03-12 19:59:32 -------- d-----w- c:\program files\Full Tilt Poker
2012-03-12 19:48:42 -------- d-----w- c:\program files\WPT
.
==================== Find3M ====================
.
2012-04-06 16:51:39 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-04-06 16:51:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-04-03 23:48:37 70304 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 01:23:35 43520 ------w- c:\windows\system32\CmdLineExt03.dll
2012-02-03 09:22:18 1860096 ------w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 20:11:11 260 ------w- c:\windows\system32\cmdVBS.vbs
2012-01-24 20:11:11 256 ------w- c:\windows\system32\MSIevent.bat
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ------w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 14:17:50.03 ===============


Thanks!
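
As an added triage aid, not part of the original post or of the DDS tool itself: a short Python script that runs the mechanical checks a log reviewer does by eye over the Pseudo HJT and SERVICES / DRIVERS sections above. It flags browser/shell hooks whose registered DLL is gone ("No File"), hooks and autoruns that load from user-writable directories instead of Program Files, Run values with no command, and services whose file DDS could not read. The sample input is constructed by copying a handful of lines from the first DDS log in this thread, with one clean driver line kept as a control. The readings of DDS conventions used here (R/S meaning running/stopped, the digit being the start type, a trailing "[?]" meaning DDS could not read the file's date and size, and "-->" separating the registry ImagePath from the path DDS resolved) are my assumptions about the format, not something the log states about itself.

```python
"""Triage pass over DDS-style log lines (added example, not part of the original post).

Conventions assumed (not stated by the log): R/S = running/stopped, digit = start
type, trailing "[?]" = DDS could not read the file's date/size at the listed path,
"-->" = registry ImagePath on the left, path DDS resolved on the right.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log above, plus Lbd.sys as a
# clean control line that must produce no finding.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: TheBflix Class: {78d5d320-985a-4435-ba9d-e153ce328680} - c:\documents and settings\all users\application data\thebflix\bhoclass.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
mRun: [NPSStartup]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-23 64288]
S2 IHA_MessageCenter;IHA_MessageCenter;"c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe" --> c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # category tag used for counting
    line: str   # the log line that produced it
    note: str   # why a reviewer would want a second look


# Registry-backed browser/shell hooks that DDS prints as "tag: name: {CLSID} - path".
HOOK_TAGS = ("uURLSearchHooks:", "BHO:", "TB:", "EB:", "SEH:", "SSODL:", "Notify:")
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Locations a standard XP user can write to. Loading a hook or autorun from here
# is not proof of malware, but it is where bundled adware in this log ended up.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


def _is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue  # blank or section header
        if line.startswith(HOOK_TAGS):
            target = line.rsplit(" - ", 1)[-1].strip()  # text after the last " - "
            if target.lower() == "no file":
                findings.append(Finding("orphaned_hook", line,
                    "CLSID still registered but its DLL is gone: leftover of a removed "
                    "toolbar/BHO, or a file something is hiding"))
            elif _is_user_writable(target):
                findings.append(Finding("hook_in_user_dir", line,
                    "browser/shell hook loads from a user-writable directory"))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:
                findings.append(Finding("empty_autorun", line,
                    "Run value with no command: dead entry or a value DDS could not read"))
            elif _is_user_writable(cmd):
                findings.append(Finding("autorun_in_user_dir", line,
                    "autorun launches from a user-writable directory"))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("rest").rstrip().endswith("[?]"):
            rest = m.group("rest").rstrip()[:-3].strip()
            resolved = rest.split("-->", 1)[-1].strip() if "-->" in rest else rest
            findings.append(Finding("service_file_unreadable", line,
                f"{m.group('svc')} (start type {m.group('start')}): DDS could not read "
                f"the file at {resolved}; confirm it exists on disk"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'orphaned_hook': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.line}\n    {f.note}")
    print(summarize(results))
```

On the constructed sample this reports three orphaned hooks, the TheBflix BHO loading from All Users\Application Data, the empty NPSStartup Run value, and the two services marked "[?]"; the avast entries and Lbd.sys pass. These are registry-versus-filesystem consistency checks, which is all a DDS log can support; they say nothing about a kernel-level rootkit, which is what GMER was being run to look for.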


#2 quietman7 (Global Moderator)

Posted 12 April 2012 - 06:05 AM

We are in the process of researching and investigating your log. Please be patient as we develop a fix for your specific problems.

#3 senseless (Topic Starter)

Posted 12 April 2012 - 07:50 AM

quietman7,
Thank you.
I formatted and did a reinstall.

For the record, I did get GMER to run once.
It finished with a warning that "rootkit activity had been detected."
Unfortunately I lost the log with the format... thought it was on a stick, but no.
For anyone curious, I will post/attach the second DDS log, which directly preceded the successful run of GMER.
I also have a log from the Trend Micro product "RootkitBuster."

A second attempt to run GMER failed somewhere in the middle and would not save a log.
Not sure what happened there.

Several programs lacked uninstallers or relevant info.
Others were dug in. Lexmark comes to mind. Mother of God, what are they thinking?
I had success reinstalling, then uninstalling, some programs.

Games were hiding quietly in C:\Windows\system32 and would not reinstall through the Add/Remove Windows Components menu. I created a Games folder and dragged one .exe there... and the rest jumped in like lemmings! Surprised me.

A 4-year-old and a 12-year-old were among the users of this computer.

Thanks again!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by cheryl at 18:13:53 on 2012-04-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1573 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
I:\Defogger.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net?cid=083109
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081028
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Zonealarm Helper Object: {2a841f7a-a014-4da5-b6d9-8b913dfb7a8c} - c:\program files\check point software technologies ltd\zonealarm\1.5.20.3\bh\zonealarm.dll
BHO: TheBflix Class: {78d5d320-985a-4435-ba9d-e153ce328680} - c:\documents and settings\all users\application data\thebflix\bhoclass.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Toolbar: {438fae3e-bdef-44d3-ab8b-0c7c8350df59} - c:\program files\check point software technologies ltd\zonealarm\1.5.20.3\zonealarmTlbr.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {9DA1BCF1-77F5-41C5-B7C3-C597DC20752C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [NPSStartup]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISW]
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: mypoints.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268593046807
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268593041370
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bookworm_adventures/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cheryl\application data\mozilla\firefox\profiles\g0nnzsl5.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-23 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-25 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-25 337880]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2012-4-5 21752]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-4-7 332248]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-4-7 212568]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-3-19 525840]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-25 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-25 44768]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-3-16 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-3-16 497280]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-4-7 69208]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-6 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-9-7 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-6 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-11-15 33792]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-4-7 27064]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-4-7 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-4-7 94040]
.
=============== Created Last 30 ================
.
2012-04-07 22:29:25 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\VS Revo Group
2012-04-07 22:29:17 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-04-07 22:29:14 -------- d-----w- c:\program files\VS Revo Group
2012-04-07 12:28:05 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-04-07 12:28:05 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-04-07 12:27:53 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-04-07 12:27:53 332248 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-04-07 12:08:04 -------- d-----w- c:\documents and settings\cheryl\application data\Check Point Software Technologies LTD
2012-04-07 11:51:51 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2012-04-07 11:51:44 -------- d-----w- c:\documents and settings\cheryl\application data\CheckPoint
2012-04-07 02:28:33 -------- d-----w- c:\program files\CheckPoint
2012-04-07 02:27:57 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-04-07 01:14:23 77824 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LXBAPP5C.DLL
2012-04-07 01:14:23 73728 ----a-w- c:\windows\system32\lxbapwr.dll
2012-04-07 01:14:23 57344 ----a-w- c:\windows\system32\lxbacinf.dll
2012-04-07 01:14:23 49152 ----a-w- c:\windows\system32\lxbacoin.dll
2012-04-07 01:14:23 286720 ----a-w- c:\windows\system32\lxbacomm.dll
2012-04-07 01:13:31 86016 ----a-w- c:\windows\system32\LXBAIH.EXE
2012-04-07 01:13:31 77824 ----a-w- c:\windows\system32\LXBALCNP.DLL
2012-04-07 01:13:31 69632 ----a-w- c:\windows\system32\LXBACU.DLL
2012-04-07 01:13:31 544768 ----a-w- c:\windows\system32\LXBALSNT.EXE
2012-04-07 01:13:31 286720 ----a-w- c:\windows\system32\LXBAPMNT.DLL
2012-04-07 01:13:31 217088 ----a-w- c:\windows\system32\LXBALCNT.DLL
2012-04-07 01:13:28 126976 ----a-w- c:\windows\system32\LXBACFG.EXE
2012-04-07 01:13:26 90112 ----a-w- c:\windows\system32\LXBACUR.DLL
2012-04-07 01:13:22 983083 ----a-w- c:\windows\system32\LXBAGF.DLL
2012-04-07 01:13:22 69632 ----a-w- c:\windows\system32\lxbascin.dll
2012-04-07 01:13:22 294912 ----a-w- c:\windows\system32\LXBAUTIL.DLL
2012-04-07 01:13:15 466944 ----a-w- c:\windows\system32\LXBAJSWR.DLL
2012-04-07 01:12:02 -------- d-----w- c:\documents and settings\cheryl\WINDOWS
2012-04-07 00:04:09 -------- d-----w- c:\program files\CCleaner
2012-04-06 20:04:09 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-04-06 19:44:00 -------- d-----w- c:\documents and settings\cheryl\application data\JAM Software
2012-04-06 19:43:52 -------- d-----w- c:\program files\JAM Software
2012-04-06 18:50:42 3584 ----a-r- c:\documents and settings\cheryl\application data\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe
2012-04-06 18:50:41 -------- d-----w- c:\program files\Windows Installer Clean Up
2012-04-06 18:50:22 -------- d-----w- c:\program files\MSECACHE
2012-04-06 17:35:47 388096 ----a-r- c:\documents and settings\cheryl\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-04-06 17:35:46 -------- d-----w- c:\program files\Trend Micro
2012-04-06 03:30:39 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\PackageAware
2012-04-06 03:29:52 -------- d-----w- c:\documents and settings\cheryl\application data\IObit
2012-04-06 03:25:34 97280 ----a-w- c:\documents and settings\cheryl\local settings\application data\UrlManager.exe
2012-04-06 01:08:38 -------- d-----w- c:\program files\Defraggler
2012-04-06 01:07:59 -------- d-----w- c:\program files\HWiNFO32
2012-04-06 01:07:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-06 01:07:29 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-04-06 00:55:47 -------- d-----w- c:\windows\pss
2012-04-05 23:56:51 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\blekkotb_015
2012-04-05 23:54:12 21504 ------w- c:\windows\system32\hidserv.dll
2012-04-05 23:54:12 21504 ------w- c:\windows\system32\dllcache\hidserv.dll
2012-04-05 18:48:24 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
2012-04-03 23:48:37 418464 ------w- c:\windows\system32\FlashPlayerApp.exe
2012-03-31 23:42:07 -------- d-----w- c:\program files\common files\Steam
2012-03-31 22:02:51 -------- d-----w- c:\program files\AWS
2012-03-28 22:14:58 -------- d-----w- c:\program files\VideoLAN
2012-03-22 19:12:12 4435968 ------w- c:\windows\system32\GPhotos.scr
2012-03-14 23:01:30 -------- d-----w- c:\documents and settings\cheryl\application data\Macrovision
2012-03-14 22:31:09 267272 ------w- c:\windows\system32\xactengine2_10.dll
2012-03-14 22:31:07 444776 ------w- c:\windows\system32\d3dx10_36.dll
2012-03-14 22:31:07 1374232 ------w- c:\windows\system32\D3DCompiler_36.dll
2012-03-14 22:31:06 3734536 ------w- c:\windows\system32\d3dx9_36.dll
2012-03-14 22:31:04 267112 ------w- c:\windows\system32\xactengine2_9.dll
2012-03-14 22:31:01 444776 ------w- c:\windows\system32\d3dx10_35.dll
2012-03-14 22:30:59 1358192 ------w- c:\windows\system32\D3DCompiler_35.dll
2012-03-14 22:30:57 3727720 ------w- c:\windows\system32\d3dx9_35.dll
2012-03-14 22:30:53 266088 ------w- c:\windows\system32\xactengine2_8.dll
2012-03-14 22:30:53 17928 ------w- c:\windows\system32\X3DAudio1_2.dll
2012-03-14 22:30:51 443752 ------w- c:\windows\system32\d3dx10_34.dll
2012-03-14 22:30:51 1124720 ------w- c:\windows\system32\D3DCompiler_34.dll
2012-03-14 22:30:47 3497832 ------w- c:\windows\system32\d3dx9_34.dll
2012-03-14 22:30:41 81768 ------w- c:\windows\system32\xinput1_3.dll
2012-03-14 22:30:34 261480 ------w- c:\windows\system32\xactengine2_7.dll
2012-03-14 22:30:27 443752 ------w- c:\windows\system32\d3dx10_33.dll
2012-03-14 22:30:27 1123696 ------w- c:\windows\system32\D3DCompiler_33.dll
2012-03-14 22:25:35 -------- d-----w- c:\documents and settings\cheryl\application data\Roxio Log Files
2012-03-13 22:18:21 -------- d-----w- c:\documents and settings\all users\application data\Premium
2012-03-13 22:12:46 -------- d-----w- c:\documents and settings\all users\application data\TheBflix
2012-03-13 22:12:10 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
.
==================== Find3M ====================
.
2012-04-06 16:51:39 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-04-06 16:51:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-04-03 23:48:37 70304 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-15 01:23:35 43520 ------w- c:\windows\system32\CmdLineExt03.dll
2012-02-03 09:22:18 1860096 ------w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 20:11:11 260 ------w- c:\windows\system32\cmdVBS.vbs
2012-01-24 20:11:11 256 ------w- c:\windows\system32\MSIevent.bat
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
.
============= FINISH: 18:15:19.09 ===============





+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1050
| Computer Name: CHPC
| OS version: 5.1-2600
| User Name: cheryl
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
SubKey : Data
FullLength: 0x5c
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
SubKey : Data 2
FullLength: 0x5e
2 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616a30
CurrentHandler : 0xa778afc4
ServiceNumber : 0x9
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805a8aba
CurrentHandler : 0xa77ef510
ServiceNumber : 0x11
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805bc530
CurrentHandler : 0xa77ae6a9
ServiceNumber : 0x19
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8060ef4e
CurrentHandler : 0xa778d456
ServiceNumber : 0x23
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x806172a6
CurrentHandler : 0xa778d4ae
ServiceNumber : 0x24
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80578a86
CurrentHandler : 0xa778d5c4
ServiceNumber : 0x26
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x806240f0
CurrentHandler : 0xa77ae05d
ServiceNumber : 0x29
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8061769e
CurrentHandler : 0xa778d3ac
ServiceNumber : 0x2b
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805ab3c8
CurrentHandler : 0xa778d4fe
ServiceNumber : 0x32
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8061504e
CurrentHandler : 0xa778d400
ServiceNumber : 0x33
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616f6e
CurrentHandler : 0xa778d572
ServiceNumber : 0x36
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616a22
CurrentHandler : 0xa778afe8
ServiceNumber : 0x3d
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8062458c
CurrentHandler : 0xa77aed6f
ServiceNumber : 0x3f
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8062475c
CurrentHandler : 0xa77af025
ServiceNumber : 0x41
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805be008
CurrentHandler : 0xa778d848
ServiceNumber : 0x44
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8062493c
CurrentHandler : 0xa77aebda
ServiceNumber : 0x47
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80624ba6
CurrentHandler : 0xa77aea45
ServiceNumber : 0x49
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805b2fb2
CurrentHandler : 0xa77ef5c0
ServiceNumber : 0x53
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80584160
CurrentHandler : 0xa778adb2
ServiceNumber : 0x61
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616a22
CurrentHandler : 0xa778b00c
ServiceNumber : 0x6d
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x806262de
CurrentHandler : 0xa778d9bc
ServiceNumber : 0x6f
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80624f12
CurrentHandler : 0xa778baa4
ServiceNumber : 0x70
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8060f04e
CurrentHandler : 0xa778d486
ServiceNumber : 0x72
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8061737e
CurrentHandler : 0xa778d4d6
ServiceNumber : 0x73
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80578b5e
CurrentHandler : 0xa778d5ee
ServiceNumber : 0x75
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x806254ce
CurrentHandler : 0xa77ae3b9
ServiceNumber : 0x77
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80617776
CurrentHandler : 0xa778d3d8
ServiceNumber : 0x78
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805cb440
CurrentHandler : 0xa778d680
ServiceNumber : 0x7a
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805aa3ec
CurrentHandler : 0xa778d53e
ServiceNumber : 0x7d
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80615148
CurrentHandler : 0xa778d42e
ServiceNumber : 0x7e
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805cb6cc
CurrentHandler : 0xa778d764
ServiceNumber : 0x80
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80617090
CurrentHandler : 0xa778d59c
ServiceNumber : 0x83
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805b841e
CurrentHandler : 0xa77ef658
ServiceNumber : 0x89
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80625810
CurrentHandler : 0xa77ae8c0
ServiceNumber : 0xa0
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805c52cc
CurrentHandler : 0xa778b96a
ServiceNumber : 0xa3
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80622314
CurrentHandler : 0xa77ae712
ServiceNumber : 0xb1
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80623b12
CurrentHandler : 0xa77f79e6
ServiceNumber : 0xc0
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80625ad0
CurrentHandler : 0xa77ad6d0
ServiceNumber : 0xcc
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616a30
CurrentHandler : 0xa778b030
ServiceNumber : 0xd3
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616a30
CurrentHandler : 0xa778b054
ServiceNumber : 0xd4
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x8060fd06
CurrentHandler : 0xa778ae0c
ServiceNumber : 0xf0
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80653e18
CurrentHandler : 0xa778af48
ServiceNumber : 0xf1
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80622662
CurrentHandler : 0xa77aee76
ServiceNumber : 0xf7
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80612f90
CurrentHandler : 0xa778af24
ServiceNumber : 0xf9
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x806180ba
CurrentHandler : 0xa778af6c
ServiceNumber : 0xff
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805fbb6c
CurrentHandler : 0xa778b078
ServiceNumber : 0x10c
ModuleName : a
SDTType : 0x0
No hidden operating system service hooks found.

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.
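A reading note on the hook list above: every one of the 46 [HOOKED_SERVICE_API] records has an OriginalHandler in the 0x805xxxxx to 0x8065xxxx range (the kernel image on this 32-bit XP box) and a CurrentHandler in the 0xa77xxxxx range, i.e. inside some loaded driver, yet the tool still ends with "No hidden operating system service hooks found". RootkitBuster reports every redirected SSDT entry but only calls one hidden when the module owning the new handler is itself concealed; a security product's own self-protection driver produces exactly this pattern, and the system has several installed. Because the name fields survived extraction as a single character ("Z", "C", "a"), the log cannot say which driver owns the hooks, so the next step is a loaded-module listing on the machine, not a guess. The following is an added example of my own, not RootkitBuster's or the poster's code, that parses these records and produces that summary; the kernel address range it uses is an assumed typical value, labelled as such in the code.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: two [HOOKED_SERVICE_API] records copied verbatim from
# the RootkitBuster log in this thread, plus the tool's closing verdict line.
SAMPLE_LOG = """\
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x80616a30
CurrentHandler : 0xa778afc4
ServiceNumber : 0x9
ModuleName : a
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : C
OriginalHandler : 0x805a8aba
CurrentHandler : 0xa77ef510
ServiceNumber : 0x11
ModuleName : a
SDTType : 0x0
No hidden operating system service hooks found.
"""

# ASSUMPTION: where ntoskrnl is mapped on a typical 32-bit XP SP3 machine.
# The log does not state the real base; read it from the machine's own
# loaded-module list before trusting the "outside kernel" count.
ASSUMED_KERNEL_RANGE = (0x804D7000, 0x806E0000)

@dataclass
class Hook:
    service_number: int  # SSDT index of the hooked service
    original: int        # handler the tool expects (inside the kernel image)
    current: int         # handler actually in the table now
    api_name: str        # "Service API" field (truncated to one char in this log)
    module_name: str     # "ModuleName" field (also truncated here)

def _make_hook(fields: Dict[str, str]) -> Hook:
    return Hook(
        service_number=int(fields["ServiceNumber"], 16),
        original=int(fields["OriginalHandler"], 16),
        current=int(fields["CurrentHandler"], 16),
        api_name=fields.get("Service API", ""),
        module_name=fields.get("ModuleName", ""),
    )

def parse_hooks(text: str) -> List[Hook]:
    """Turn the tool's 'key : value' record blocks into Hook objects."""
    hooks: List[Hook] = []
    fields: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("[HOOKED_SERVICE_API]"):
            if fields is not None:
                hooks.append(_make_hook(fields))
            fields = {}
            continue
        if fields is None:
            continue  # banner text before the first record
        m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    if fields is not None:
        hooks.append(_make_hook(fields))
    return hooks

def redirected_outside_kernel(hook: Hook, kernel_range: Tuple[int, int]) -> bool:
    """True when the live handler no longer points into the kernel image."""
    lo, hi = kernel_range
    return not (lo <= hook.current < hi)

def name_truncated(hook: Hook) -> bool:
    """Single-character names mean the wide-char strings were lost, so the
    owning driver cannot be identified from this output alone."""
    return len(hook.api_name) <= 1 or len(hook.module_name) <= 1

def summarize(text: str, kernel_range: Tuple[int, int] = ASSUMED_KERNEL_RANGE) -> dict:
    hooks = parse_hooks(text)
    outside = [h for h in hooks if redirected_outside_kernel(h, kernel_range)]
    # Bucket live handlers by 64 KiB block: a few adjacent blocks means one or
    # two driver images own every hook, which is what a single product looks like.
    regions = Counter(h.current >> 16 for h in outside)
    verdict = next((ln for ln in text.splitlines() if "service hooks found" in ln), "")
    return {
        "total_hooks": len(hooks),
        "outside_kernel": len(outside),
        "service_numbers": sorted(h.service_number for h in outside),
        "handler_regions": {f"0x{r:04x}": n for r, n in sorted(regions.items())},
        "unattributed": sum(1 for h in hooks if name_truncated(h)),
        "tool_verdict": verdict,  # "hooked" and "hidden" are different questions
    }
```

Run `summarize(SAMPLE_LOG)` (or feed it the whole RootkitBuster section) and compare `handler_regions` against the address ranges of the loaded drivers on the machine: if all the blocks fall inside one known security driver, the hooks are explained; if any block belongs to no listed module, that is the finding to chase.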


#4 mark1956

  • Security Colleague
  • 271 posts
  • Gender:Male
  • Location:Spain

Posted 12 April 2012 - 04:53 PM

Hi Senseless, my name is Mark and I was about to help you try to clean up the machine, but you beat me to it.

The logs I reviewed showed nothing of any significance but several symptoms were apparent that pointed toward a Rootkit infection.

A Format and re-install is often the best approach after a Rootkit has compromised the system and the only way to give a 100% guarantee that the system is completely clean.

One thing that was noticed in the logs was the use of more than one Anti Virus, which is not recommended. More than one AV can reduce the system's performance, cause conflicts and actually reduce the system's security. Please read the information in this link: Using more than one anti-virus program is not advisable. Why?

I would also like to draw your attention to the use of Spybot and Ad-Aware.

FYI: mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).


Ad-Aware...have gone into a downhill spiral over the past five years and recently sold the company to Solaria... Majorgeeks stopped listing Ad-Aware as a “pick” some years ago as we watched the quality of the company slip over the years...it can’t stand up to the new generation of anti-spyware applications...

What does the future hold for Ad-Aware?

Ad-Aware has even been placed into the Installers Hall of Shame for bundling and pre-checking Google Chrome during the installation. Also read Lavasoft Turning to the Dark Side?, written by a former volunteer (now an MVP) who provided support for Ad-Aware but no longer uses the program.

As for Spybot S&D, most people don't understand how to use TeaTimer, and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in the Windows Registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. If you don't have an understanding of how a particular security tool works, then you probably should not be using it. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer, and in some cases it will even prevent disinfection of malware by those tools.


Some additional security measures, if your present security software does not include a third party Firewall or AntiSpyware:

Go Here for a selection of third party Firewalls.

Go Here or Here for Anti Spyware.

Malwarebytes free version (which you may have used during this thread) is worth having for regular scans of your system, always check for updates before using it. If you can afford the Malwarebytes Pro version it will provide even better protection with a full time active scanner. Never have more than one active anti virus, anti spyware or firewall running on your system as it can cause conflicts and slow down the PC. You can safely run the Pro version of Malwarebytes with any Anti Virus software.

WOT (Web of Trust) will warn you (in most cases) about dangerous web sites.

Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals.

WinPatrol is a useful facility to have. WinPatrol takes snapshots of your critical system resources and alerts you to any changes that may occur without your knowledge. It can also be used to control all your start up programs.

A warning about using Registry Cleaners
The registry contains all the operating system's knowledge of a computer's configuration, hardware devices, installed software and location of the device drivers.
Under normal conditions, we do not recommend people use Registry Cleaners. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

No registry cleaner is completely safe, and the potential is ever present to cause more problems than they claim to fix. Windows is a closed source system; developers of registry cleaners are not working on definitive information, but rather on empirical knowledge. Automatic cleaners will usually have to do some guesswork.

If you do have a problem that is rooted in the registry, it would be far better to edit only the specific key/s and/or value/s that are causing the problem. For this you need help from someone with good knowledge and an understanding of the Windows Registry rather than leaving it in the hands of automated software. But, first you need to be sure there is a registry problem and discover what may have caused it.

#5 senseless

  • Topic Starter
  • Members
  • 56 posts

Posted 12 April 2012 - 07:22 PM

Mark
Thanks for your time.
I really appreciate your recommendations.
It sounds like WOT, Secunia and Winpatrol might be worth adding as extra protection.

I don't usually run more than one AV program, although I sometimes have a couple installed.
Ad-Aware was installed on this machine, and it was a uhhh, PITA to get rid of.
Possibly the program was corrupted by a malware.

I have been doing well with a combo of Zonealarm firewall and Avast AV.
I stopped using teatimer a long time ago, as it seemed to cause more problems than it helped.

I promise not to use a registry cleaner again!

I hit a few bumps with drivers and such; it seems mostly sorted out.
Still getting an error popup at reboot from Realtek HD Audio Manager: invalid stream Format

Here's what the machine looks like now:
Thanks again!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by CHERYL at 19:55:48 on 2012-04-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1517 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\cheryl\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cheryl\application data\mozilla\firefox\profiles\owsvbkkr.default\
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-4-11 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-4-11 337880]
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2012-4-11 21752]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-3-19 525840]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-4-11 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-4-11 44768]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-3-16 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-3-16 497280]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2012-04-12 17:47:07 -------- d-----w- C:\CDROM
2012-04-12 02:21:46 266360 ----a-w- c:\windows\system32\TweakUI.exe
2012-04-12 00:21:16 -------- d-----w- c:\documents and settings\cheryl\application data\Ashampoo
2012-04-12 00:04:20 -------- d-----w- c:\documents and settings\cheryl\application data\OpenOffice.org
2012-04-11 23:28:01 -------- d-----w- c:\program files\Foxit Software
2012-04-11 20:49:38 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\ApplicationHistory
2012-04-11 20:03:42 -------- d-----w- c:\windows\system32\XPSViewer
2012-04-11 20:03:21 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-04-11 20:03:12 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-04-11 20:03:12 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-04-11 20:03:12 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-04-11 20:03:12 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-04-11 20:03:12 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-04-11 20:03:12 117760 ------w- c:\windows\system32\prntvpt.dll
2012-04-11 20:03:11 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-04-11 20:03:11 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-04-11 20:00:55 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\Identities
2012-04-11 20:00:51 -------- d-----w- c:\documents and settings\cheryl\application data\Windows Desktop Search
2012-04-11 20:00:27 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-04-11 20:00:27 -------- d-----w- c:\program files\Windows Desktop Search
2012-04-11 19:59:43 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2012-04-11 19:59:43 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2012-04-11 19:59:43 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2012-04-11 19:59:18 -------- d-----w- c:\program files\Windows Media Connect 2
2012-04-11 19:58:02 -------- d-----w- c:\windows\system32\LogFiles
2012-04-11 19:56:33 -------- d-----w- c:\windows\system32\URTTemp
2012-04-11 19:33:23 -------- d-sh--w- c:\documents and settings\cheryl\PrivacIE
2012-04-11 19:21:30 -------- d-----w- c:\program files\OpenOffice.org 3
2012-04-11 19:21:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-11 19:08:02 -------- d-sh--w- c:\documents and settings\cheryl\IETldCache
2012-04-11 19:04:00 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-04-11 19:03:34 -------- d-----w- c:\windows\ie8updates
2012-04-11 19:03:22 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-04-11 19:03:22 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-04-11 19:03:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-04-11 19:03:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-04-11 19:03:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-04-11 19:03:21 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-04-11 19:03:21 11082752 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-04-11 19:02:11 -------- dc-h--w- c:\windows\ie8
2012-04-11 18:47:31 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-04-11 18:47:27 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-04-11 18:47:27 3072 ------w- c:\windows\system32\iacenc.dll
2012-04-11 18:44:22 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-04-11 18:44:10 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll
2012-04-11 18:43:56 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-04-11 18:41:32 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-04-11 18:41:20 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-04-11 18:40:53 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2012-04-11 18:40:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-04-11 18:40:08 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-04-11 18:36:33 -------- d-----w- c:\windows\pss
2012-04-11 18:22:04 -------- d-----w- c:\documents and settings\all users\application data\ZoomBrowser
2012-04-11 18:21:52 -------- d-----w- c:\program files\Canon
2012-04-11 18:21:51 -------- d-----w- c:\program files\common files\Canon
2012-04-11 18:13:51 -------- d-----w- c:\documents and settings\cheryl\application data\GARMIN
2012-04-11 18:13:51 -------- d-----w- c:\documents and settings\all users\application data\GARMIN
2012-04-11 18:09:41 -------- d-----w- c:\program files\nytopo11
2012-04-11 18:09:04 -------- d-----w- c:\program files\NewEnglandtopo
2012-04-11 17:55:36 -------- d-----w- c:\program files\Garmin
2012-04-11 17:51:26 7296 ----a-w- c:\windows\system32\drivers\grmnusb.sys
2012-04-11 17:51:26 17536 ----a-w- c:\windows\system32\drivers\grmn0200.sys
2012-04-11 17:51:26 17024 ----a-w- c:\windows\system32\drivers\grmngen.sys
2012-04-11 17:51:26 16512 ----a-w- c:\windows\system32\drivers\grmn0400.sys
2012-04-11 17:51:26 11776 ----a-w- c:\windows\system32\drivers\grmn1200.sys
2012-04-11 17:48:10 -------- d-----w- C:\Garmin
2012-04-11 17:35:50 6278560 ----a-w- c:\windows\system32\drivers\igxpmp32.sys
2012-04-11 17:35:50 57344 ----a-w- c:\windows\system32\igxprd32.dll
2012-04-11 17:35:50 294912 ----a-w- c:\windows\system32\igldev32.dll
2012-04-11 17:35:50 2686368 ----a-w- c:\windows\system32\igxpdv32.dll
2012-04-11 17:35:49 2342912 ----a-w- c:\windows\system32\iglicd32.dll
2012-04-11 17:35:49 183808 ----a-w- c:\windows\system32\igxpgd32.dll
2012-04-11 17:35:48 3773440 ----a-w- c:\windows\system32\igxpdx32.dll
2012-04-11 17:35:48 155648 ----a-w- c:\windows\system32\igfxCoIn_v5029.dll
2012-04-11 16:21:07 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-04-11 16:21:07 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2012-04-11 16:20:58 -------- d-----w- c:\program files\CONEXANT
2012-04-11 16:20:48 680704 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2012-04-11 16:20:48 32218 ----a-w- c:\windows\system32\HSFCI008.dll
2012-04-11 16:20:48 212224 ----a-w- c:\windows\system32\drivers\HSFHWBS2.sys
2012-04-11 16:20:48 1042432 ----a-w- c:\windows\system32\drivers\HSF_DP.sys
2012-04-11 15:22:59 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2012-04-11 15:21:21 282624 ----a-w- c:\windows\system32\igfxrsve.lrc
2012-04-11 15:20:59 -------- d-----w- C:\Intel
2012-04-11 15:20:06 876544 ----a-w- c:\windows\system32\TEACico2.dll
2012-04-11 15:19:06 -------- d-----w- c:\documents and settings\cheryl\local settings\application data\BVRP Software
2012-04-11 15:19:03 -------- d-----w- c:\program files\NetWaiting
2012-04-11 15:18:30 -------- d-----w- c:\program files\Digital Line Detect
2012-04-11 14:07:00 -------- d-----w- c:\program files\HWiNFO32
2012-04-11 13:35:12 -------- d-----w- c:\windows\system32\scripting
2012-04-11 13:35:12 -------- d-----w- c:\windows\l2schemas
2012-04-11 13:35:11 -------- d-----w- c:\windows\system32\en
2012-04-11 13:35:11 -------- d-----w- c:\windows\system32\bits
2012-04-11 13:33:03 -------- d-----w- c:\windows\ServicePackFiles
2012-04-11 13:31:08 -------- d-----w- c:\windows\network diagnostic
2012-04-11 13:29:50 -------- d-----w- c:\windows\system32\ReinstallBackups
.
==================== Find3M ====================
.
2012-04-11 15:22:33 315392 ----a-w- c:\windows\HideWin.exe
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-28 18:50:29 81920 ------w- c:\windows\system32\ieencode.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:58:04.51 ===============


#6 mark1956

mark1956

  • Security Colleague
  • 271 posts
  • OFFLINE
  • Gender:Male
  • Location:Spain
  • Local time:09:43 PM

Posted 13 April 2012 - 08:22 AM

Ok, that all seems fine. Just one thing I would recommend is to get the latest Java update from the Oracle site, I've posted my full set of instructions to do the update below.

With the problem concerning your audio driver I would suggest you open a new thread in the general forum where you should receive the help you require, this forum is solely for dealing with Malware related issues.

As your Malware related issues have all been dealt with by a re-installation this thread will now be closed.


Java
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Click on Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u3-windows-i586.exe (or jre-7u3-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Edited by mark1956, 13 April 2012 - 08:25 AM.
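An added audit script, not from mark1956's post or the forum, that lists the Java entries in the Windows uninstall registry (the same ones Add/Remove Programs shows) and flags those older than JRE 7, so the removal step above can be verified before the new installer is run; it assumes PowerShell 2.0 or later, that Java's DisplayVersion begins with its major version number, and that the Quick Starter service is named JavaQuickStarterService.

```powershell
# Added example, not part of the original post: report every Java runtime
# registered in the Windows uninstall list and flag those older than JRE 7.
# Assumes PowerShell 2.0+, read access to HKLM, and a DisplayVersion that
# starts with the major version (e.g. "6.0.310"). It only reports.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit JRE on 64-bit Windows
)

function Get-JavaMajorVersion([string]$displayVersion) {
    # "6.0.310" -> 6, "7.0.30" -> 7, "1.4.2_19" -> 4 (old J2SE reports as 1.x)
    if ($displayVersion -match '^1\.(\d+)') { return [int]$Matches[1] }
    if ($displayVersion -match '^(\d+)')   { return [int]$Matches[1] }
    return $null
}

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($item in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $item.PSPath
            # Names the post tells you to look for: JRE, J2SE, "Java(TM) ... Update ..."
            if ($p.DisplayName -notmatch 'Java|J2SE|JRE') { continue }
            $major = Get-JavaMajorVersion ([string]$p.DisplayVersion)
            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Major           = $major
                Outdated        = ($major -ne $null -and $major -lt 7)   # anything before JRE 7 should go
                UninstallString = $p.UninstallString
            }
        }
    }
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Host 'No Java runtime entries found in the uninstall list.'
} else {
    $java | Format-Table Name, Version, Outdated, UninstallString -AutoSize
    $stale = @($java | Where-Object { $_.Outdated })
    Write-Host ("{0} Java entries found, {1} older than JRE 7 still need removing." -f $java.Count, $stale.Count)
}

# Java Quick Starter service from the post (service name is an assumption)
$jqs = Get-Service -Name 'JavaQuickStarterService' -ErrorAction SilentlyContinue
if ($jqs) { Write-Host ("Java Quick Starter service is present and {0}." -f $jqs.Status) }
```

Run it before and after the uninstall step; the UninstallString column shows the command Add/Remove Programs would run for each entry, which is handy when an installer's uninstall information is missing.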


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,954 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:43 PM

Posted 13 April 2012 - 08:26 AM

As the OP has chosen to reformat and reinstall the OS, this Topic is closed. Should you need it reopened, please contact a Forum Moderator or member of the Malware Removal Team. Include the address of this thread in your request. If you have a new issue, please start a New Topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




