
Firefox locked, IE runs erratically, lots of threats found. More to go?


22 replies to this topic

#1 NormT

NormT

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 27 April 2012 - 12:41 PM

I am working on a friend's computer that has multiple infections. The computer is a Dell Dimension E520 running Windows XP Media Center Edition with SP3, with 2GB of RAM. I started by running SuperAntiSpyware which found and cleaned 2021 threats. I then took her computer, removed the hard disk and scanned it on my computer using MS Security Essentials and SpyBot Search and Destroy, both of which found and removed additional infections. I have backed up all her personal data from the "My Documents" folders for each user onto an external hard drive and am prepared to do a system restore to get rid of all the problems in the event that I can't clean out the infections and get it running well again. An additional run of SAS found and cleaned another 55 threats, including two trojans and numerous spyware and adware threats. I have been trying to sort through and remove various games and other programs which have not been used in 2+ years. Several toolbars would not be removed by Windows Add/Remove Programs, so I downloaded and ran Revo, which succeeded in removing the toolbars that it found. On booting up I get the message that an error has occurred in Microsoft Security Client and to try to open it again or reinstall it, neither of which has been successful. There is another problem in that Firefox does not respond to searches or URLs, and IE exhibited erratic behavior when run. When Firefox is launched I get the alert stating that the application's security component could not be initialized. It comes up with the MyWebSearch home page and will not respond to searches or entries of URLs. When launching IE, I get the message that a program on the computer has suggested a new default search provider. The home page comes up OK and it surfs to other pages OK. But when I close a tab it restores the tab, and when I close it again it gives a message about Data Execution Prevention and doesn't close the tab.
I can't even close IE at all except through Task Manager by ending the processes. Last night I ran Defogger, DDS and GMER and am including their reports with this post. I am sure with your help this machine will again run like it should.

-- Defogger log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 02:34 on 27/04/2012 (margaret canada)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

-- DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by margaret canada at 2:38:31 on 2012-04-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1426 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PCCBHO.CPCCBHO: {22fc6ce8-7d47-479f-b74a-bfbb04adb9af} - c:\program files\winferno\pc confidential\PCCBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ERBHOMasterObject Class: {5a15ca85-dab9-456c-95ed-06c6e3885c2a} - c:\program files\exitreality\webspace\system\ExitRealityHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {627af46b-2076-42ae-a2fd-8428734d3e74} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {B7D3E479-CC68-42B5-A338-938ECE35F419} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -check_deprecation
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [EKAiO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.EXE
mRun: [Conime] %windir%\system32\conime.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\margar~1\startm~1\programs\startup\imvu.lnk - c:\documents and settings\margaret canada\application data\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\docume~1\margar~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &SHOUTcast Search - c:\documents and settings\all users\application data\shoutcast radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\margaret canada\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://kr.gameguard.nprotect.com/inca/onscan//tyscan/nps.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game09.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{15389DB7-2F46-4BF9-B21F-680D04DC3AFF} : DhcpNameServer = 192.168.1.254
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\margaret canada\application data\mozilla\firefox\profiles\htzm7gah.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.com/index.jhtml?ptnrS=undefined&ptb=undefined&n=undefined
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - plugin: c:\documents and settings\margaret canada\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\margaret canada\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\margaret canada\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\exitreality\webspace\system\mozilla\nperbrowser.dll
FF - plugin: c:\program files\exitreality\webspace\system\mozilla\nperonline.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true
pref(dom.disable_open_during_load, false);FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl47042de6;MpKsl47042de6;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{440f5ea0-365a-425e-93f6-262c56829b20}\MpKsl47042de6.sys [2012-4-27 29904]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2008-3-10 72672]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2012-2-26 36224]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\tmntsrv.exe --> c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [?]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\tmpfw.exe --> c:\progra~1\trendm~1\intern~1\TmPfw.exe [?]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys --> c:\windows\system32\drivers\tmpreflt.sys [?]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe --> c:\progra~1\trendm~1\intern~1\tmproxy.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-12 106104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\tm_cfw.sys --> c:\windows\system32\drivers\TM_CFW.sys [?]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2012-2-26 134912]
.
=============== Created Last 30 ================
.
2100-02-08 23:03:54 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2012-04-27 07:33:44 -------- d-----w- c:\documents and settings\margaret canada\application data\Skinux
2012-04-27 07:32:46 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{440f5ea0-365a-425e-93f6-262c56829b20}\MpKsl47042de6.sys
2012-04-27 07:05:56 -------- d-----w- C:\HijackThis
2012-04-27 06:32:05 3874 ----a-w- c:\windows\system32\tmp.reg
2012-04-27 05:48:56 -------- d-----w- c:\program files\VS Revo Group
2012-04-27 00:09:26 -------- d-sha-r- C:\cmdcons
2012-04-27 00:06:06 98816 ----a-w- c:\windows\sed.exe
2012-04-27 00:06:06 518144 ----a-w- c:\windows\SWREG.exe
2012-04-27 00:06:06 256000 ----a-w- c:\windows\PEV.exe
2012-04-27 00:06:06 208896 ----a-w- c:\windows\MBR.exe
2012-04-26 23:30:05 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{440f5ea0-365a-425e-93f6-262c56829b20}\mpengine.dll
2012-04-25 07:40:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-08 23:05:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-08 23:05:05 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-04-08 22:51:57 6734704 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2012-04-25 07:40:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 15:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 05:04:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2001-05-08 23:36:42 114688 ----a-w- c:\program files\lxarscan.dll
.
============= FINISH: 2:40:02.09 ===============


-- Attach log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/29/2007 2:08:52 PM
System Uptime: 4/27/2012 2:31:25 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WG864
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 293 GiB total, 169.375 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Trend Micro Common Firewall Miniport
Device ID: ROOT\TM_CFWMP\0001
Manufacturer: Trend Micro
Name: WAN Miniport (IP) - Trend Micro Common Firewall Miniport
PNP Device ID: ROOT\TM_CFWMP\0001
Service: tmcfw
.
==== System Restore Points ===================
.
RP941: 2/27/2012 6:20:05 PM - System Checkpoint
RP942: 2/28/2012 6:50:29 PM - System Checkpoint
RP943: 2/29/2012 8:43:37 PM - System Checkpoint
RP944: 3/1/2012 9:10:23 AM - System Checkpoint
RP945: 3/2/2012 9:31:15 AM - System Checkpoint
RP946: 3/2/2012 10:22:53 AM - System Checkpoint
RP947: 3/3/2012 12:52:40 PM - System Checkpoint
RP948: 3/4/2012 1:06:56 PM - System Checkpoint
RP949: 3/5/2012 1:10:35 PM - System Checkpoint
RP950: 3/6/2012 1:26:09 PM - System Checkpoint
RP951: 3/7/2012 3:00:22 AM - Software Distribution Service 3.0
RP952: 3/8/2012 3:30:51 AM - System Checkpoint
RP953: 3/9/2012 4:09:34 AM - System Checkpoint
RP954: 3/10/2012 4:31:17 AM - System Checkpoint
RP955: 3/10/2012 7:51:13 AM - System Checkpoint
RP956: 3/11/2012 9:52:45 AM - System Checkpoint
RP957: 3/11/2012 3:02:03 PM - System Checkpoint
RP958: 3/12/2012 4:32:25 PM - System Checkpoint
RP959: 3/13/2012 11:22:53 AM - System Checkpoint
RP960: 3/14/2012 3:00:57 AM - Software Distribution Service 3.0
RP961: 3/15/2012 3:30:52 AM - System Checkpoint
RP962: 3/16/2012 3:42:38 AM - System Checkpoint
RP963: 3/17/2012 4:27:04 AM - System Checkpoint
RP964: 3/17/2012 12:22:44 PM - System Checkpoint
RP965: 3/18/2012 3:15:30 PM - System Checkpoint
RP966: 3/19/2012 4:00:06 PM - System Checkpoint
RP967: 3/19/2012 9:18:43 PM - Removed Skype Toolbars
RP968: 3/19/2012 9:26:51 PM - Removed DANCE!ONLINE.
RP969: 3/19/2012 9:30:26 PM - Removed Get High Speed Internet!
RP970: 3/19/2012 9:35:04 PM - Removed LiveUpdate (Symantec Corporation)
RP971: 3/19/2012 7:38:41 PM - Removed ooVoo
RP972: 3/19/2012 7:42:14 PM - Removed Rhapsody Player Engine
RP973: 3/19/2012 7:59:26 PM - Software Distribution Service 3.0
RP974: 3/19/2012 8:01:24 PM - Software Distribution Service 3.0
RP975: 3/19/2012 8:03:31 PM - Software Distribution Service 3.0
RP976: 3/29/2012 8:31:38 PM - System Checkpoint
RP977: 3/29/2012 8:53:00 PM - Software Distribution Service 3.0
RP978: 3/29/2012 10:34:16 PM - Software Distribution Service 3.0
RP979: 4/8/2012 5:44:39 PM - Software Distribution Service 3.0
RP980: 4/8/2012 7:01:30 PM - Software Distribution Service 3.0
RP981: 4/8/2012 10:26:06 PM - Software Distribution Service 3.0
RP982: 4/8/2012 11:08:01 PM - Software Distribution Service 3.0
RP983: 4/20/2012 12:34:41 PM - Configured Barbie Girls
RP984: 4/20/2012 12:57:00 PM - Software Distribution Service 3.0
RP985: 4/20/2012 1:04:08 PM - Software Distribution Service 3.0
RP986: 4/20/2012 1:05:03 PM - Software Distribution Service 3.0
RP987: 4/25/2012 2:39:53 AM - Removed Java™ 6 Update 11
RP988: 4/25/2012 2:40:16 AM - Installed Java™ 6 Update 31
RP989: 4/25/2012 2:48:46 AM - Software Distribution Service 3.0
RP990: 4/25/2012 4:06:31 PM - Software Distribution Service 3.0
RP991: 4/25/2012 9:32:36 PM - Removed EarthLink Setup Files
RP992: 4/25/2012 9:33:05 PM - Removed EuroTalk Talk Now!
RP993: 4/25/2012 9:37:29 PM - Removed MobileMe Control Panel
RP994: 4/25/2012 9:38:43 PM - Removed Myxer MP3 Downloader
RP995: 4/25/2012 9:59:31 PM - Removed Sudoku Crunch
RP996: 4/25/2012 10:02:11 PM - Removed Vivaty Player.
RP997: 4/25/2012 10:12:17 PM - Software Distribution Service 3.0
RP998: 4/26/2012 12:29:32 AM - Software Distribution Service 3.0
RP999: 4/26/2012 9:46:48 PM - Software Distribution Service 3.0
RP1000: 4/27/2012 12:51:35 AM - Revo Uninstaller's restore point - Freeze.com Toolbar
RP1001: 4/27/2012 12:55:08 AM - Revo Uninstaller's restore point - Internet Service Offers Launcher
RP1002: 4/27/2012 12:57:20 AM - Revo Uninstaller's restore point - Kiwee Toolbar
RP1003: 4/27/2012 1:00:41 AM - Revo Uninstaller's restore point - Big Fish Games: Game Manager
RP1004: 4/27/2012 1:03:55 AM - Revo Uninstaller's restore point - Simppull Toolbar (Remove Toolbar Only)
RP1005: 4/27/2012 1:10:59 AM - Software Distribution Service 3.0
RP1006: 4/27/2012 1:14:20 AM - Revo Uninstaller's restore point - GemMaster Mystic
RP1007: 4/27/2012 1:17:09 AM - Revo Uninstaller's restore point - Games, Music, & Photos Launcher
RP1008: 4/27/2012 1:17:20 AM - Removed Games, Music, & Photos Launcher
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
Acrobat.com
Adobe Acrobat Reader 3.01
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.1
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
aioscnnr
Any Video Converter 3.0.1
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
Bejeweled 3
Bonjour
C4USelfUpdater
CCScore
center
Cisco Connect
Conexant D850 56K V.9x DFVc Modem
ConvertXtoDVD 4.0.9.322
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Driver Reset Tool
Dell Support 3.2.1
Dell Support Center (Support Software)
Dell System Restore
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
DVDStyler v1.6.2
EducateU
ESPNMotion
ESSBrwr
ESSCDBK
ESScore
essentials
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
ExitReality
EZ Guitar Tabs
Facebook Plug-In
fflink
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Hoyle Card Games 2005
HUE HD Webcam
Intel® Matrix Storage Manager
Intel® PRO Network Connections
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 6 Update 31
Kodak AIO Printer
KODAK AiO Software
Kodak EasyShare software
Lernout & Hauspie TruVoice American English TTS Engine
LyricsSeeker plugins 2.1
Mahjongg - Ancient Mayas
MediaImpression 3.0 for PENTAX
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Mouse Mischief
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Business 2010 - English
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Small Business Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Modem Helper
Mozilla Firefox 11.0 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Musicmatch for Windows Media Player
muvee Plugin 1.0
Napster for Windows Media Player
netbrdg
Netflix Movie Viewer
NetWaiting
NVIDIA Drivers
ocr
OfotoXMI
Otto
PC Confidential 2008
PreReq
PrintProjects
Qualxserve Service Agreement
QuickTime
RealPlayer Basic
Revo Uninstaller 1.93
Rhapsody
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Samsung USB Driver (MCCI 4.34) WHQL v3.4
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SFR
SHASTA
Shockwave Player
skin0001
SKINXSDK
Skype™ 5.1
SmartGlobe Deluxe
Smilebox
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Spybot - Search & Destroy
staticcr
SUPERAntiSpyware Free Edition
Trend Micro PC-cillin Internet Security 14
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Video Journal Version 1.4
Virtual DJ - Atomix Productions
Visual Studio Tools for the Office system 3.0 Runtime
VPRINTOL
vSide Beta
WeatherBug
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WIRELESS
Yahoo! Browser Services
Yahoo! BrowserPlus 2.9.8
Yahoo! Detect
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Search Protection
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
4/27/2012 1:36:48 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cdrom eeCtrl Fips Imapi intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss redbook SASDIFSV SASKUTIL Tcpip tmtdi WS2IFSL
4/26/2012 6:29:52 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.125.111.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8304.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
4/26/2012 6:21:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom eeCtrl Fips Imapi intelppm MpFilter redbook SASDIFSV SASKUTIL tmtdi
4/25/2012 2:42:29 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.125.111.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8304.0 Error code: 0x80040154 Error description: Class not registered
4/25/2012 2:32:39 AM, error: Print [19] - Sharing printer failed + 1722, Printer Send To OneNote 2010 share name Printer.
4/25/2012 10:18:18 PM, error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: The system cannot find the file specified.
4/25/2012 10:18:18 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 2:13:35 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
4/20/2012 12:56:52 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000030, parameter2 00000005, parameter3 00000000, parameter4 b932b613.
4/20/2012 12:55:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL tmtdi
4/20/2012 12:55:37 PM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:55:37 PM, error: Service Control Manager [7001] - The Trend Micro Personal Firewall service depends on the Trend Micro Common Firewall Service service which failed to start because of the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7001] - The tmxpflt service depends on the tmpreflt service which failed to start because of the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The vsapint service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The Trend Micro Real-time Service service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The Trend Micro Common Firewall Service service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The Trend Micro Central Control Component service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The tmpreflt service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The Registry Management Service service failed to start due to the following error: Access is denied.
4/20/2012 12:55:37 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
4/20/2012 12:54:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/20/2012 12:53:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/20/2012 12:52:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/20/2012 12:49:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/20/2012 12:48:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cdrom eeCtrl Fips Imapi intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss redbook SASDIFSV SASKUTIL Tcpip tmtdi
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:48:37 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/20/2012 12:28:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
.
==== End Of File ===========================


--GMER log (ark.txt)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-27 11:38:30
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 ST332063 rev.3.AD
Running: GMERexe zov3z8bk.exe; Driver: C:\DOCUME~1\MARGAR~1\LOCALS~1\Temp\fwtyapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB89EA360, 0x21235D, 0xE8000020]
init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xB0149138]
? C:\DOCUME~1\MARGAR~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device Sftfsxp.sys (Microsoft Application Virtualization File System/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@

---- EOF - GMER 1.0.15 ----


Thanks for your help!



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 01 May 2012 - 10:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#3 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 01 May 2012 - 10:02 PM

Hello nasdaq and thank you for responding to my problem.

I downloaded and executed ComboFix and it flagged that Microsoft Security Essentials was running and asked me to close it.

At Windows start I had received the following error message and assumed that Security Essentials wasn't running, as there was also no icon in the system tray:

Microsoft Security Client:
An error has occurred in the program. If this problem continues, you'll need to reinstall Microsoft Security Client. Error code 0x80040154


Checked Task Manager and found that MsMpEng.exe was running. Ended its process tree and in a few seconds it came back. It came back a second time and another process, MdCmdRun.exe under the User Name of Network Service, flashed on the task manager window at the same time then disappeared. I couldn't keep Security Essentials from running so I tried to uninstall it so I could run ComboFix. Windows uninstaller wouldn't remove it so I used Revo to clean it off. Then ComboFix appeared to run OK.

Is there a reason for running ComboFix from the desktop other than making it easy to find? I am communicating with you and downloading programs using my personal computer and transferring files to and from the target computer through the use of a USB flash drive. I assume this is OK?

I performed the tasks you requested and restarted the computer. As I had uninstalled Security Essentials I got the message that it was disabled. Opened Firefox and got the same message:

Alert
Could not initialize the application's security component.
etc.

Firefox still will not respond to search or URL input. Internet Explorer gave me the message "Internet Explorer has closed this webpage to help protect your computer." IE would not close normally and I had to close it through Task Manager. So it seems that nothing much has changed.


ComboFix report:

ComboFix 12-05-01.03 - margaret canada 05/01/2012 21:20:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1370 [GMT -5:00]
Running from: c:\documents and settings\margaret canada\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\margaret canada\Application Data\alot
c:\documents and settings\margaret canada\Application Data\alot\BrowserSearch101\BrowserSearch101.xml
c:\documents and settings\margaret canada\Application Data\alot\BrowserSearch101\BrowserSearch101.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_10\Button_10.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_10\Button_10.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_11\Button_11.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_11\Button_11.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\margaret canada\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\configurator\configurator.xml
c:\documents and settings\margaret canada\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\ErrorSearch101\ErrorSearch101.xml
c:\documents and settings\margaret canada\Application Data\alot\ErrorSearch101\ErrorSearch101.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\margaret canada\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_0\Product_0.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_0\Product_0.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_1\Product_1.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_1\Product_1.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_2\Product_2.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_2\Product_2.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_3\Product_3.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_3\Product_3.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_4\Product_4.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_4\Product_4.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_5\Product_5.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_5\Product_5.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Product_6\Product_6.xml
c:\documents and settings\margaret canada\Application Data\alot\Product_6\Product_6.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\products\products.xml
c:\documents and settings\margaret canada\Application Data\alot\products\products.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\alot.ico
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\alot_brand.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\alot_brand.png
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\alot_icon_35x16.png
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\alot_installation.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\alot_search_24x16.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\backstage.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\downloadMusic.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\eMusicSearch.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\freeRadio.bmp
c:\documents and settings\margaret canada\Application Data\alot\Resources\Images\musicAlerts.bmp
c:\documents and settings\margaret canada\Application Data\alot\Tem18D.tmp
c:\documents and settings\margaret canada\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\margaret canada\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\toolbar.xml
c:\documents and settings\margaret canada\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\margaret canada\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
c:\documents and settings\margaret canada\Application Data\alot\Updater\Updater.xml
c:\documents and settings\margaret canada\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\margaret canada\Application Data\inst.exe
c:\documents and settings\margaret canada\Application Data\Mozilla\Firefox\Profiles\htzm7gah.default\searchplugins\bing-zugo.xml
c:\documents and settings\margaret canada\Application Data\vso_ts_preview.xml
c:\documents and settings\margaret canada\Local Settings\Application Data\assembly\tmp
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2100-02-08 23:03 . 2001-05-11 18:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2012-05-02 01:41 . 2012-05-02 01:41 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{440F5EA0-365A-425E-93F6-262C56829B20}\offreg.dll
2012-04-27 07:33 . 2012-04-27 07:33 -------- d-----w- c:\documents and settings\margaret canada\Application Data\Skinux
2012-04-27 07:05 . 2012-04-27 07:07 -------- d-----w- C:\HijackThis
2012-04-27 05:48 . 2012-04-27 05:48 -------- d-----w- c:\program files\VS Revo Group
2012-04-26 23:57 . 2012-04-26 23:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2012-04-26 23:30 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{440F5EA0-365A-425E-93F6-262C56829B20}\mpengine.dll
2012-04-25 07:40 . 2012-04-25 07:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-08 23:05 . 2012-04-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-04-08 23:05 . 2012-04-08 23:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-08 22:51 . 2012-04-13 07:36 6734704 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-25 07:40 . 2010-05-19 22:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 15:18 . 2012-03-20 02:18 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 05:04 . 2011-05-26 20:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2005-08-16 10:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2001-05-08 23:36 . 2000-12-05 22:56 114688 ----a-w- c:\program files\lxarscan.dll
2012-03-17 18:10 . 2011-05-11 06:00 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A15CA85-DAB9-456c-95ED-06C6E3885C2A}]
2010-08-04 06:11 155648 ----a-w- c:\program files\ExitReality\WebSpace\System\ExitRealityHelper.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-30 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-13 348160]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-09-28 161336]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"EKAiO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.EXE" [2011-12-10 2756608]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\margaret canada\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\margaret canada\Application Data\IMVUClient\IMVUQualityAgent.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartGlobeDeluxe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SmartGlobeDeluxe.lnk
backup=c:\windows\pss\SmartGlobeDeluxe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YourScreen.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\YourScreen.lnk
backup=c:\windows\pss\YourScreen.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 19:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-29 03:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 13:15 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 23:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"Boonty Games"=3 (0x3)
"Bonjour Service"=2 (0x2)
"OneStep Search Service"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Weather"=c:\program files\AWS\WeatherBug\Weather.exe 1
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Conime"=%windir%\system32\conime.exe
"EKAIO2StatusMonitor"=c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677
"5353:UDP"= 5353:UDP:Bonjour Port 5353
"9322:TCP"= 9322:TCP:EKDiscovery
.
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [12/19/2011 5:32 PM 394672]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [3/10/2008 9:32 AM 72672]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2/26/2012 4:28 PM 36224]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/27/2010 2:55 PM 47360]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 11:23 PM 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 11:23 PM 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 11:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 11:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 8:47 PM 135664]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe --> c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [?]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys --> c:\windows\system32\DRIVERS\tmpreflt.sys [?]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe --> c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/12/2012 11:34 AM 106104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 8:47 PM 135664]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 5:06 AM 21632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys --> c:\windows\system32\DRIVERS\TM_CFW.sys [?]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 6:44 AM 477696]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2/26/2012 4:28 PM 134912]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ArcRec
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-30 21:48]
.
2012-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ccdf00792eb7b1.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 01:47]
.
2012-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 01:47]
.
2012-05-02 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2011-02-13 20:10]
.
2012-05-02 c:\windows\Tasks\PrintProjects Communicator.job
- c:\documents and settings\All Users\Application Data\PrintProjects\MessageCheck.exe [2011-11-22 10:11]
.
2012-05-02 c:\windows\Tasks\User_Feed_Synchronization-{67963870-5C5E-49D9-A248-D33C437564F2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &SHOUTcast Search - c:\documents and settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\margaret canada\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://kr.gameguard.nprotect.com/inca/onscan//tyscan/nps.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game09.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\margaret canada\Application Data\Mozilla\Firefox\Profiles\htzm7gah.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.com/index.jhtml?ptnrS=undefined&ptb=undefined&n=undefined
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true
pref(dom.disable_open_during_load, false);FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{627af46b-2076-42ae-a2fd-8428734d3e74} - (no file)
HKLM-Run-MSC - c:\program files\Microsoft Security Client\msseces.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1690870147-1201465139-1413533619-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-05-01 21:38:51
ComboFix-quarantined-files.txt 2012-05-02 02:38
ComboFix2.txt 2012-04-27 02:33
.
Pre-Run: 181,576,392,704 bytes free
Post-Run: 181,622,169,600 bytes free
.
- - End Of File - - D8D07B083D4C5448C7235538BEA6813D



Security Check report:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Trend Micro PC-cillin Internet Security 14
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Java™ 6 Update 31
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


Awaiting your helpful reply....

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 02 May 2012 - 09:40 AM

Let's check your URL issues.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#5 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 02 May 2012 - 10:59 AM

I downloaded FSS and ran it on the target machine and here is the log:


FSS log:

Farbar Service Scanner Version: 30-04-2012 01
Ran by margaret canada (administrator) on 02-05-2012 at 10:56:02
Running from "C:\Documents and Settings\margaret canada\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) tmcfw(9)
0x09000000040000000100000002000000030000000500000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****


One observation and question.... In the log from ComboFix I noticed one entry that appears strange to me in that the dates are out of range. Is ACMonitor_X73.exe a normal file in Windows?


from ComboFix log:

.
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2100-02-08 23:03 . 2001-05-11 18:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe

Thanks for your time,

Norm

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 02 May 2012 - 01:16 PM

No problem found with that last log.


===


The file acmonitor_x73.exe and location look good.

Can you relate to this?
http://www.file.net/process/acmonitor_x73.exe.html

If not check the file.

>>> Run Jotti's malware scan: Please copy this line (in bold):
c:\program files\ACMonitor_X73.exe
  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste this Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

===

Execute this scan.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

Please let me know what problem persists.
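The out-of-range timestamp Norm spotted is exactly the kind of entry a log reviewer wants surfaced automatically rather than by eye. The following Python is an added example, not part of this thread and not ComboFix's own code: it parses "Files Created" lines in the layout of the posted log (the sample lines are constructed from it), and reports entries whose creation time falls outside the scan window, after the scan itself, or after the file's last modification. As nasdaq's reply shows, a strange timestamp alone does not make a file malicious, so the output is a triage list to check against a known-file lookup, not a verdict.

```python
"""Flag ComboFix 'Files Created' entries whose timestamps cannot be trusted.

Added example for this thread; not ComboFix code. The sample log below is
constructed from the format of the posted log.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in ComboFix's layout:
#   "<created> . <modified> <size|--------> <attrs> <path>"
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2100-02-08 23:03 . 2001-05-11 18:39 53248 ----a-w- c:\\program files\\ACMonitor_X73.exe
2012-04-27 07:33 . 2012-04-27 07:33 -------- d-----w- c:\\documents and settings\\margaret canada\\Application Data\\Skinux
2012-04-25 07:40 . 2012-04-25 07:40 73728 ----a-w- c:\\windows\\system32\\javacpl.cpl
"""

WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str


def parse_window(text: str) -> Tuple[datetime, datetime]:
    """Read the 'Files Created from A to B' header; the end is made exclusive (start of the next day)."""
    m = WINDOW_RE.search(text)
    if not m:
        raise ValueError("no 'Files Created' header found")
    start = datetime.strptime(m.group(1), "%Y-%m-%d")
    end = datetime.strptime(m.group(2), "%Y-%m-%d") + timedelta(days=1)
    return start, end


def parse_entries(text: str) -> List[Entry]:
    """Parse every file/directory line; section headers and '.' spacer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(created, TS_FMT),
            modified=datetime.strptime(modified, TS_FMT),
            size=None if size.startswith("-") else int(size),
            attrs=attrs,
            path=path,
        ))
    return entries


def find_anomalies(text: str, scan_time: datetime) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries whose timestamps are inconsistent.

    ComboFix lists files by creation time inside the window it states, so a
    creation time outside that window, or later than the scan, means the
    filesystem timestamp itself is wrong (clock error or deliberate tampering).
    created > modified also happens for legitimately copied files, so on its
    own it is a weak signal and is reported only alongside the others.
    """
    start, end = parse_window(text)
    flagged = []
    for e in parse_entries(text):
        reasons = []
        if not (start <= e.created < end):
            reasons.append("created outside scan window")
        if e.created > scan_time:
            reasons.append("created after scan time (future)")
        if e.created > e.modified:
            reasons.append("created after last modification")
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    # Scan time taken from the posted log's "Rootkit scan 2012-05-01 21:33" line.
    for path, reasons in find_anomalies(SAMPLE_LOG, datetime(2012, 5, 1, 21, 33)):
        print(path, "->", "; ".join(reasons))
```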

#7 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 02 May 2012 - 03:28 PM

I ran Jotti's malware scan on the affected computer and it got as far as "Requesting scan..." and stalled. IE is still not working well on that computer. When I tried closing IE after waiting for about 15 minutes for the scans to begin, it wouldn't close except through Task Manager.

I ran SFC and got another problem: it wanted the Windows XP Professional SP3 CD which I do not have. In fact this computer has Windows XP Media Center Edition 2005 OS, not XP Pro. I clicked ignore to bypass that issue and was warned that the CD might be needed later. Could it be looking for XP Pro because ComboFix installed Recovery Console? I had to skip the CD insertion several times to get SFC to complete. It also asked for XP Pro disk 2. Is there a way to get the needed files online? This computer does have a recovery partition but not for XP Pro. Perhaps I should just do a system restore to factory original configuration and then copy the personal files back onto it?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 03 May 2012 - 07:50 AM

Perhaps I should just do a system restore to factory original configuration and then copy the personal files back onto it?


If you can restore to factory config, it will save you a lot of time in identifying this current problem.

#9 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 03 May 2012 - 11:40 AM

OK, That is what I will do. I'll let you know how that turns out.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 09 May 2012 - 09:43 AM

Are you still with me?

#11 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 09 May 2012 - 12:39 PM

I haven't done a system restore yet, as I was hoping to solve the problem without erasing all the programs she installed on her computer. She said she does have the install disks but that will also be a lot of work. I did save her personal files.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 10 May 2012 - 07:23 AM

I haven't done a system restore yet, as I was hoping to solve the problem without erasing all the programs she installed on her computer. She said she does have the install disks but that will also be a lot of work.


Before restoring the computer to the manufacturer's specs.


Is there a good restore point on the computer that could be used to restore the system to a date prior to the time the problem started?

#13 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 10 May 2012 - 08:47 PM

No, the computer had been infected for a month or two before the client called me. Then she waited another couple months to get the computer to me. That is the way I have been most successful in disinfecting a computer - by resetting it to an earlier date when all was working well. I had another job with 1400 threats found by SAS, but I was able to clean it up and get it working again. Just not this one, so far.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:42 PM

Posted 11 May 2012 - 09:25 AM

Let's see what else we can find.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#15 NormT

NormT
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Location:Lakeport in Rural North California
  • Local time:03:42 PM

Posted 11 May 2012 - 11:42 AM

Thanks for your continued efforts. I will attempt these next week, as I am away for Mother's Day.



