Virus/malware that is not detected

Dell Latitude 2100 laptop computer (inte...
November 28, 2009 at 19:12:41
Specs: Windows XP
EDIT: It appears that everyone else is having a simular problem. I will refer to the other posts in this section tomorow to fix my problems if no-one has posted. Might as well leave up though. *sleeping now*


Ok... So here is the rundown...

I have a netbook (lent from my high-school) and my grandmother's PC which are both infected with somesort of virus/malware.

The netbook can simply be re-imaged, yet my grandmother's PC cannot be. I have a remote connection to her PC through LogMeIn software.


On Grandmother's PC I have tried running:

MalwareBytes, it was updated. In Safe Mode and Normal.
Trend Micro House Call,
AVG Free Anti-Virus, Full System Scan,
and
Spybot Search & Destroy.

On my netbook I have ran a scan with:
AVG Free Anti-Virus,
and IOBit's Security 360 (Free Version)
I cannot seem to install ANY ANTI-VIRUS. I have tried, Avast, MalwareBytes, Avira, and others.


Symptoms on both PC's:
Sporadic/Slow internet connection,
Appearingly random re-directs from search engines links such as Google and Yahoo!,
errors stating that ******** (number) could not be written/read from ******* (number),
Many fake rogue-antivirus pop-ups.

Netbook only error's:
I BSOD upon safe-mode boot.

Safe-mode was, of course, turned off. :(
Both PC's are running XP.

I am not sure if the spec scanner worked or not.

I'm sorry if all that I have said has sounded choppy and illogical, I am somewhat rushed at the moment. I am very computer-literate but am totally clue-less as to what I should do.

And, just curious, what would this type of infection be called? I would assume malware, but thought perhaps... makeyouwannashootyourself-ware?


See More: Virus/malware that is not detected

Report •


#1
November 28, 2009 at 22:06:20
Please save this file to your desktop.

Win32kDiag.exe

Please double click on the Win32kDiag file and post the log it produces. This log might be quite lengthy and may take more than one post to get all of it posted.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2.(Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5.Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate post) in your next reply.


Report •

#2
November 29, 2009 at 06:19:48
NETBOOK Log from W32kDiag:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D1.tmp\ZAP1D1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D3.tmp\ZAP1D3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP237.tmp\ZAP237.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP310.tmp\ZAP310.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP335.tmp\ZAP335.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F8.tmp\ZAP3F8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP430.tmp\ZAP430.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2006-02-28 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:22 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-14 04:42:22 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 04:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 04:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 04:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 04:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2006-02-28 06:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:42 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-14 04:42:42 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 04:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 04:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e

Mount point destination : \Device\__max++>\^

Finished!


When running RSIT I receive the error:
Error Title: Autolt Error
Message: Line -1:

Error: Variable used without being declared. I try running Hijack This on it's own and receive multiple errors asking if I would like to submit an error report. It appears that the virus deleted Hijack This, as all the shortcuts to it no longer work after running it just once.


Report •

#3
November 29, 2009 at 07:49:21
Please run win32kdiag.exe again, with the following command to fix some malware related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste (or type) the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

You may need to download the to a usb drive or cd and run it on the infected computer but first try to run it from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

If nothing happens or if the tool does not run, please let me know in your next reply.

Try t orun RSIT again.


Report •

Related Solutions

#4
November 29, 2009 at 12:20:03
NETBOOK LOG:

Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D1.tmp\ZAP1D1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D1.tmp\ZAP1D1.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D3.tmp\ZAP1D3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D3.tmp\ZAP1D3.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP237.tmp\ZAP237.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP237.tmp\ZAP237.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP310.tmp\ZAP310.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP310.tmp\ZAP310.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP335.tmp\ZAP335.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP335.tmp\ZAP335.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F8.tmp\ZAP3F8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F8.tmp\ZAP3F8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP430.tmp\ZAP430.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP430.tmp\ZAP430.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 04:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 04:41:54 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 04:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e

Finished!

RSIT still gave the same error as before even after running rkill.


Report •

#5
November 29, 2009 at 15:22:01
Please run the following command from the Command Prompt, to do so:


1. Click on Start then Run
2. Type cmd in to the area to the right of Open:
3. Click OK
•In the Command Prompt window that opens, copy and paste the Bold text below:


copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y


4. Press the Enter key on your keyboard.
5. If successful, you should receive the following message within the Command Prompt window:
1 file(s) copied
6.Exit the Command Prompt window.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

See if you can post the RSIT log.


Report •

#6
November 29, 2009 at 16:17:05
testtttttttttttttttttttttttt

Report •

#7
November 29, 2009 at 16:19:07
testtttttttttttttttttttttttt

Just an FYI, this website HATES me... It's almost impossible to post a reply. It tells me there is no subject... But anyways..

I did what you said and the RSIT tool still did not work. :(


I am not sure as to how to post again... I am told I need to provide a subject even though it is just a reply... So, Jabuck, here is my SECOND computer's log files. (Not the netbook) I ran the files you provided in your first post on my other question.
Log file from other PC: (I followed the instructions in your first post)



Report •

#8
November 29, 2009 at 16:19:56
It seems that I have to break them up to get it to work:

Log file:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-11-29 14:07:32
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 29 GB (73%) free of 39 GB
Total RAM: 766 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:41 PM, on 11/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1187272840\ee\AOLSoftware.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\nuisii.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187272840\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [mhjury] RUNDLL32.EXE C:\WINDOWS\system32\msynldks.dll,w
O4 - HKLM\..\Run: [rojaponiw] Rundll32.exe "c:\windows\system32\miharewo.dll",a
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON NX110 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBA.EXE /FU "C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S72.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [nuisii] C:\Documents and Settings\Owner\nuisii.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\miharewo.dll,dahovibo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: kizemupiy - {73dbd1f9-c277-4d0f-8447-876e0d2f366e} - c:\windows\system32\miharewo.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {73dbd1f9-c277-4d0f-8447-876e0d2f366e} - c:\windows\system32\miharewo.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

--
End of file - 9194 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-08-19 1111320]



Report •

#9
November 29, 2009 at 16:20:01
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}]
SidebarAutoLaunch Class - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 124032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-11-26 2029336]
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe [2006-07-21 129536]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2005-11-07 26112]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-03-14 77824]
"QAGENT"=C:\Program Files\QUICKENW\QAGENT.EXE [2001-08-01 94208]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2003-01-13 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2003-01-13 114688]
"HostManager"=C:\Program Files\Common Files\AOL\1187272840\ee\AOLSoftware.exe [2006-09-25 50736]
"LifeCam"=C:\Program Files\Microsoft LifeCam\LifeExp.exe [2009-03-17 157552]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe /runcleanupscript []
"mhjury"=C:\WINDOWS\system32\msynldks.dll [2009-11-27 32768]
"rojaponiw"=c:\windows\system32\miharewo.dll,a []
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-08-11 63048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"EPSON NX110 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBA.EXE [2008-09-26 199680]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"nuisii"=C:\Documents and Settings\Owner\nuisii.exe [2009-11-27 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
TrueAssistant.lnk - C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\miharewo.dll,dahovibo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-08-19 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-01-13 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2009-09-28 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-08-24 133120]
kizemupiy - {73dbd1f9-c277-4d0f-8447-876e0d2f366e} - c:\windows\system32\miharewo.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
gahurihor - {73dbd1f9-c277-4d0f-8447-876e0d2f366e} - c:\windows\system32\miharewo.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
jitodujo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\Program Files\Microsoft LifeCam\LifeCam.exe"="C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe"="C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe"
"C:\Program Files\Microsoft LifeCam\LifeExp.exe"="C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\Program Files\Microsoft LifeCam\LifeTray.exe"="C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\WINDOWS\system32\rtcshare.exe"="C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\lsm32.sys"="C:\WINDOWS\system32\lsm32.sys:*:Enabled:lsm32"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1df16658-0906-11db-b3f0-00038a000015}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NoTES.exe


======List of files/folders created in the last 1 months======

2009-11-29 14:07:32 ----D---- C:\rsit
2009-11-28 20:14:20 ----D---- C:\Program Files\Panda Security
2009-11-28 08:24:00 ----D---- C:\Documents and Settings\All Users\Application Data\LogMeIn
2009-11-28 08:23:03 ----A---- C:\WINDOWS\system32\LMIport.dll
2009-11-28 08:23:00 ----A---- C:\WINDOWS\system32\LMIRfsClientNP.dll
2009-11-28 08:21:13 ----A---- C:\WINDOWS\system32\LMIinit.dll
2009-11-28 08:17:37 ----D---- C:\Program Files\LogMeIn
2009-11-28 07:39:54 ----D---- C:\WINDOWS\LastGood
2009-11-27 22:06:22 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-11-27 22:06:22 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2009-11-27 22:05:00 ----D---- C:\Program Files\NortonInstaller
2009-11-27 22:05:00 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-11-27 21:48:59 ----A---- C:\WINDOWS\DCEBoot.exe
2009-11-27 21:31:22 ----A---- C:\WINDOWS\system32\msynldks.dll
2009-11-27 20:48:57 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-27 12:56:58 ----D---- C:\Documents and Settings\Owner\Application Data\skypePM
2009-11-27 12:51:05 ----D---- C:\Documents and Settings\Owner\Application Data\Skype
2009-11-27 11:11:30 ----D---- C:\Program Files\Common Files\Skype
2009-11-27 11:11:27 ----RD---- C:\Program Files\Skype
2009-11-27 11:11:21 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-11-25 17:37:12 ----D---- C:\Program Files\Microsoft
2009-11-25 17:36:54 ----D---- C:\Program Files\Windows Live SkyDrive
2009-11-25 17:36:28 ----D---- C:\Program Files\Windows Live
2009-11-25 17:27:29 ----D---- C:\Program Files\Common Files\Windows Live
2009-11-25 17:25:31 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2009-11-25 16:58:15 ----A---- C:\WINDOWS\system32\LCCoin20.dll
2009-11-25 16:57:15 ----D---- C:\Program Files\Microsoft LifeCam
2009-11-25 16:54:40 ----D---- C:\4e92d93e4eb6e1ccc931e7e6e9dc09
2009-11-25 16:17:49 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-11-25 16:12:49 ----D---- C:\Program Files\MSBuild
2009-11-25 16:06:53 ----D---- C:\WINDOWS\system32\XPSViewer
2009-11-25 16:05:22 ----D---- C:\Program Files\Reference Assemblies
2009-11-25 16:03:56 ----N---- C:\WINDOWS\system32\spmsg2.dll
2009-11-25 15:56:51 ----RSD---- C:\WINDOWS\assembly
2009-11-25 15:56:04 ----D---- C:\WINDOWS\Microsoft.NET
2009-11-25 15:53:24 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2009-11-25 15:53:22 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2009-11-25 15:53:22 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2009-11-25 15:53:22 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2009-11-25 15:53:20 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2009-11-25 15:53:20 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2009-11-25 15:53:19 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2009-11-25 15:53:19 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2009-11-25 15:53:18 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-11-25 15:53:18 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2009-11-25 15:53:17 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-11-25 15:53:17 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-11-25 15:53:12 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-11-25 15:53:07 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-11-25 15:53:01 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-11-25 15:52:52 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-11-25 15:52:52 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-11-25 15:52:50 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-11-25 15:52:49 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-11-25 15:52:48 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-11-25 15:52:47 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-11-25 15:52:47 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-11-25 15:52:47 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-11-25 15:52:46 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-11-25 15:52:45 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-11-25 15:52:45 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-11-25 15:52:44 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2009-11-25 15:52:44 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2009-11-25 15:52:43 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2009-11-25 15:52:42 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-11-25 15:52:41 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2009-11-25 15:52:41 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2009-11-25 15:52:41 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2009-11-25 15:52:40 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2009-11-25 15:52:39 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2009-11-25 15:52:39 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2009-11-25 15:52:38 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2009-11-25 15:52:37 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2009-11-25 15:52:37 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2009-11-25 15:34:05 ----D---- C:\Documents and Settings\All Users\Application Data\EPSON
2009-11-25 15:33:52 ----A---- C:\WINDOWS\system32\E_FLBFBA.DLL
2009-11-25 15:33:52 ----A---- C:\WINDOWS\system32\E_FD4BFBA.DLL
2009-11-25 08:34:36 ----D---- C:\Program Files\VS Revo Group

======List of files/folders modified in the last 1 months======

2009-11-29 13:25:03 ----D---- C:\WINDOWS\Prefetch
2009-11-29 12:14:54 ----D---- C:\WINDOWS\system32
2009-11-29 12:14:42 ----D---- C:\WINDOWS\Temp
2009-11-29 10:13:26 ----D---- C:\WINDOWS
2009-11-28 21:55:23 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-28 20:15:09 ----D---- C:\WINDOWS\system32\drivers
2009-11-28 20:14:20 ----RD---- C:\Program Files
2009-11-28 20:14:18 ----HD---- C:\WINDOWS\inf
2009-11-28 20:12:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-28 19:24:42 ----D---- C:\Documents and Settings
2009-11-28 08:25:04 ----SHD---- C:\WINDOWS\Installer
2009-11-28 08:04:42 ----SD---- C:\WINDOWS\Tasks
2009-11-28 07:39:55 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-28 07:26:13 ----D---- C:\Program Files\TrueSwitchAT&TYahoo
2009-11-27 21:31:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-27 21:20:09 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-11-27 21:19:59 ----D---- C:\Program Files\SpywareBlaster
2009-11-27 20:48:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-27 19:45:53 ----D---- C:\DELL
2009-11-27 19:43:48 ----HD---- C:\$AVG8.VAULT$
2009-11-27 11:11:30 ----D---- C:\Program Files\Common Files
2009-11-27 10:47:56 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2009-11-26 12:02:11 ----D---- C:\Program Files\NetMeeting
2009-11-25 17:37:27 ----D---- C:\WINDOWS\WinSxS
2009-11-25 17:36:59 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-11-25 17:36:59 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-11-25 17:36:35 ----RSD---- C:\WINDOWS\Fonts
2009-11-25 16:58:32 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-11-25 16:58:20 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-25 16:55:44 ----D---- C:\WINDOWS\system32\en-US
2009-11-25 16:53:10 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-25 16:33:19 ----D---- C:\WINDOWS\system32\DirectX
2009-11-25 16:18:04 ----D---- C:\Program Files\Windows Media Player
2009-11-25 16:04:23 ----D---- C:\WINDOWS\system32\spool
2009-11-25 16:02:10 ----D---- C:\Program Files\Yahoo!
2009-11-25 16:01:24 ----A---- C:\YServer.txt
2009-11-25 15:56:07 ----D---- C:\WINDOWS\system32\mui
2009-11-25 15:56:04 ----D---- C:\WINDOWS\PCHealth
2009-11-25 15:40:07 ----D---- C:\WINDOWS\twain_32
2009-11-25 10:59:19 ----A---- C:\WINDOWS\dellstat.ini
2009-11-25 09:40:59 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-25 09:19:07 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 09:12:02 ----D---- C:\Program Files\Common Files\Motive
2009-11-25 08:55:14 ----D---- C:\Program Files\SBC Self Support Tool
2009-11-25 08:45:59 ----D---- C:\Program Files\RegCure
2009-11-25 08:45:56 ----D---- C:\Program Files\Common Files\AOL
2009-11-25 08:44:48 ----D---- C:\WINDOWS\Motive
2009-11-25 08:43:35 ----D---- C:\Documents and Settings\All Users\Application Data\Motive
2009-11-25 08:32:20 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-11-20 09:11:49 ----A---- C:\WINDOWS\QUICKEN.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-08-19 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-08-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-10 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-11-07 8552]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 34712]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-01-14 108736]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-01-14 78272]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2002-12-17 42368]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-01-14 87803]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-08-11 10144]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver; C:\WINDOWS\System32\Drivers\nx6000.sys [2009-03-17 30560]
R3 radpms;Driver for RADPMS Device; C:\WINDOWS\system32\DRIVERS\radpms.sys [2008-08-11 12192]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-19 539008]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\America Online 8.0\ATWPKT2.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-08-19 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]
R2 BtwSrv;BtwSrv; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 fastnetsrv;fastnetsrv Service; C:\WINDOWS\system32\FastNetSrv.exe [2002-09-03 57344]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-04-07 303104]
R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2009-09-28 116032]
R2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-08-11 63040]
R2 MSCamSvc;MSCamSvc; C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2009-03-17 161632]
S2 SSHNAS;SSHNAS; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

Info file from other PC:
info.txt logfile of random's system information tool 1.06 2009-11-29 14:10:52

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AT&T Yahoo! Applications-->C:\PROGRA~1\Yahoo!\Common\uninstall.exe
ATT-AACE-->C:\PROGRA~1\ATT\UNWISE.EXE C:\PROGRA~1\ATT\INSTALL.LOG
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Broadcom 440x Driver Installer-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
BroadJump Client Foundation-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Classic PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EasyCleaner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EPSON NX110 Series Printer Uninstall-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FINSFBA.EXE /R /APD /P:"EPSON NX110 Series"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
LogMeIn-->MsiExec.exe /I{34F93E31-E1A0-421C-8E86-BCF7C4193A91}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Corporation-->MsiExec.exe /I{7B08D306-7266-4647-A926-2F78817ED1E0}
Microsoft LifeCam-->MsiExec.exe /X{195FF80D-6C1E-4B7A-A48E-45C0AEAC0F24}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Quicken 2002 New User Edition-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.1-->C:\Program Files\RegCure\uninst.exe
Revo Uninstaller 1.83-->C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
TrueSwitch Wizard AT&T Yahoo!-->C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe -uninstall
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=... [2008-08-12]
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll (file missing) [2008-08-12]
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe [2008-08-12]
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll (file missing) [2008-08-12]
R3 - Default URLSearchHook is missing [2008-08-12]
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe [2008-08-12]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free (disabled)

======System event log======

Computer Name: COMPUTER
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 40030
Source Name: W32Time
Time Written: 20091023160358.000000-300
Event Type: error
User:

Computer Name: COMPUTER
Event Code: 17
Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Record Number: 40029
Source Name: W32Time
Time Written: 20091023160358.000000-300
Event Type: error
User:

Computer Name: COMPUTER
Event Code: 4
Message: Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 40028
Source Name: bcm4sbxp
Time Written: 20091023160357.000000-300
Event Type: warning
User:

Computer Name: COMPUTER
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{B08E7431-0BA0-4EBA-BAC2-DF25F0703324}.

Record Number: 40025
Source Name: Server
Time Written: 20091023160330.000000-300
Event Type: warning
User:

Computer Name: COMPUTER
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 40024
Source Name: W32Time
Time Written: 20091023160329.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------


W32kDiag file:

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Please note again that this is the not my netbook.



Report •

#10
November 29, 2009 at 20:19:15

Remember...your antivirus and any anti-spyware programs you have must be turned off or disabled before you run ComboFix. You do not need to turn off Malwarebtes but Spybot and AVG must be disabled.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Report •

#11
November 30, 2009 at 09:00:36
I scanned the registry for all files related to FortiClient (an anti-virus already installed by my school) and deleted all that I could. (I had used Revo Uninstaller to remove it, yet it froze and didn't remove the registry files)

The log from combo fix...

ComboFix 09-11-29.06 - Administrator 11/30/2009 9:06.1.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: FortiClient AntiVirus *On-access scanning enabled* (Updated) {C86EC76D-5A4C-40E7-BD94-59358E544D81}
FW: FortiClient Personal Firewall *enabled* {528CB157-D384-4593-AAAA-E42DFF111CED}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\notes.exe
c:\documents and settings\Administrator\ntuser.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\NetworkService\ntuser.dll
c:\windows\system32\calc.dll
c:\windows\system32\fgjk4wvb.dll
c:\windows\system32\repozuyi.dll
c:\windows\system32\suwunahe.dll
c:\windows\system32\wmzt1hf.dll
c:\windows\system32\wurubawu.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\Tasks\lljvfqec.job

----- BITS: Possible infected sites -----

hxxp://82.98.231.102
hxxp://nisdsoftwareupd.nisdtx.org
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 03:05 . 2009-11-30 03:05 -------- d-----w- c:\program files\ESET
2009-11-29 14:06 . 2009-11-29 14:06 -------- d-----w- c:\program files\Trend Micro
2009-11-29 13:55 . 2009-11-29 13:55 -------- d-----w- C:\rsit
2009-11-29 02:53 . 2009-11-29 02:53 195584 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\5\27706285-331a615e-n\WMINative.dll
2009-11-29 02:50 . 2009-11-29 02:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LastPass
2009-11-29 02:28 . 2009-11-29 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2009-11-29 02:28 . 2009-11-29 02:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\LogMeIn
2009-11-26 15:21 . 2009-11-26 15:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-11-25 19:36 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 19:36 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 17:23 . 2009-11-10 16:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-25 17:23 . 2009-11-10 16:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-25 17:23 . 2009-10-28 07:36 1152444 ----a-w- c:\windows\UDB.zip
2009-11-25 17:23 . 2008-11-26 18:08 131 ----a-w- c:\windows\IDB.zip
2009-11-25 17:23 . 2009-11-10 16:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-25 17:23 . 2009-11-10 16:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-25 17:22 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-25 17:22 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-25 17:22 . 2009-10-06 22:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-25 17:21 . 2009-09-03 15:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-25 17:21 . 2009-11-25 18:34 -------- d-----w- c:\program files\Spyware Doctor
2009-11-25 17:21 . 2009-11-25 17:23 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-25 17:21 . 2009-11-25 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-25 17:21 . 2009-11-25 17:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-11-25 17:20 . 2009-11-25 18:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-25 16:58 . 2009-11-25 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-24 21:49 . 2009-11-30 14:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-11-24 19:35 . 2009-11-24 19:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2009-11-24 17:31 . 2009-11-24 17:21 25736 ----a-w- c:\windows\system32\drivers\swmsflt.sys
2009-11-24 17:21 . 2009-11-25 15:53 -------- d-----w- c:\program files\Sierra Wireless Inc
2009-11-24 15:19 . 2009-11-24 15:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-23 22:00 . 2008-04-14 10:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-11-22 23:46 . 2009-11-29 23:51 0 ----a-w- c:\windows\win32k.sys
2009-11-20 00:55 . 2009-11-05 22:38 1669120 ----a-w- c:\windows\system32\BootMan.exe
2009-11-20 00:55 . 2009-09-16 22:55 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2009-11-20 00:55 . 2009-09-14 15:21 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2009-11-20 00:55 . 2009-08-26 18:45 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2009-11-20 00:55 . 2009-04-22 20:28 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2009-11-20 00:55 . 2009-11-20 00:55 -------- d-----w- c:\program files\EASEUS
2009-11-20 00:26 . 2009-11-20 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-11-20 00:24 . 2009-11-20 00:26 -------- d-----w- c:\program files\Raxco
2009-11-19 15:00 . 2009-11-19 15:00 -------- d-----w- c:\program files\winMd5Sum
2009-11-19 00:02 . 2009-11-19 00:04 -------- d-----w- c:\program files\Aspell
2009-11-18 23:57 . 2009-11-18 23:57 -------- d-----w- c:\program files\Common Files\GTK
2009-11-18 17:18 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-18 17:18 . 2008-04-14 11:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-18 17:18 . 2008-04-14 06:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-18 17:18 . 2008-04-14 06:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-17 14:28 . 2009-11-17 14:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-11-17 14:27 . 2009-11-24 19:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-11-17 00:03 . 2009-11-17 00:03 -------- d-----w- c:\program files\Microsoft
2009-11-16 02:17 . 2009-11-30 14:13 -------- d-----w- c:\program files\CCleaner
2009-11-15 23:57 . 2009-11-15 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-11-15 22:47 . 2009-11-15 23:06 5136072 ----a-w- c:\program files\Common Files\lpuninstall.exe
2009-11-15 22:45 . 2009-11-15 23:57 -------- d-----w- c:\program files\LastPass
2009-11-13 16:23 . 2009-11-13 16:23 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-13 15:41 . 2009-11-16 00:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-13 12:50 . 2009-11-13 12:50 -------- d-----w- c:\program files\iPod
2009-11-13 12:50 . 2009-11-13 12:53 -------- d-----w- c:\program files\iTunes
2009-11-13 12:50 . 2009-11-13 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-13 05:13 . 2009-11-29 19:01 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-12 22:58 . 2009-11-12 22:58 -------- d-----w- C:\games
2009-11-09 19:21 . 2009-11-12 22:23 -------- d-----w- c:\program files\Corkboard
2009-11-08 21:23 . 2009-11-09 18:14 -------- d-----w- c:\program files\NaturalSoft
2009-11-04 03:05 . 2009-11-04 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-11-04 02:25 . 2009-11-04 02:25 -------- d-----w- c:\program files\NOS
2009-11-04 02:22 . 2009-11-04 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2009-11-03 17:17 . 2009-11-03 17:17 -------- d-----w- c:\program files\VS Revo Group
2009-11-01 21:57 . 2009-08-19 11:18 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-11-01 21:57 . 2009-11-01 21:57 -------- d-----w- c:\windows\system32\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 02:49 . 2009-09-28 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-24 22:42 . 2009-08-17 22:14 -------- d-----w- c:\program files\Fortinet
2009-11-24 14:09 . 2006-02-28 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-20 02:42 . 2009-07-30 15:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-19 01:34 . 2009-07-29 15:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-17 00:03 . 2009-10-09 16:03 -------- d-----w- c:\program files\Windows Live
2009-11-16 02:20 . 2009-07-29 16:36 -------- d-----w- c:\program files\QuickTime
2009-11-13 21:23 . 2009-10-24 17:28 -------- d-----w- c:\program files\Cheat Engine
2009-11-13 12:50 . 2009-07-29 16:34 -------- d-----w- c:\program files\Common Files\Apple
2009-11-12 22:18 . 2009-07-22 12:38 75240 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 19:20 . 2009-10-27 00:13 -------- d-----w- c:\program files\IObit
2009-11-04 02:26 . 2009-07-29 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-27 00:19 . 2009-10-27 00:19 -------- d-----w- c:\program files\YourWare Solutions
2009-10-24 18:14 . 2009-10-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-24 18:13 . 2009-10-24 17:54 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-24 18:13 . 2009-10-24 18:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion
2009-10-23 17:33 . 2009-10-23 17:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-23 00:57 . 2009-10-23 00:57 -------- d-----w- c:\program files\VideoLAN
2009-10-22 09:19 . 2009-11-03 17:26 5939712 ----a-w- c:\windows\system32\SET85.tmp
2009-10-19 14:35 . 2009-07-22 18:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-16 19:13 . 2009-07-30 15:17 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2009-10-09 16:04 . 2009-10-09 16:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-09 15:54 . 2009-10-09 15:54 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-05 02:00 . 2009-10-05 02:00 -------- d-----w- c:\program files\MSECache
2009-09-29 00:34 . 2009-10-16 19:15 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-09-29 00:34 . 2009-10-16 19:15 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-16 21:55 . 2009-09-16 21:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 14:11 . 2009-09-16 14:11 0 ----a-w- c:\windows\nsreg.dat
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


Report •

#12
November 30, 2009 at 09:00:57

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 131072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-12 17531392]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Student^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Student\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eInstruction\\eInstruction vClicker\\_jvm\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-06 1684736]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-08-26 13192]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-09-16 8456]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 Rx2Engine;Rx2Engine;c:\program files\Raxco\PerfectSpeed20\Rx2Engine.exe [2009-11-18 943368]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\DRIVERS\WSUSBDMAN.sys [2009-01-16 21504]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S2 Rx2Agent;Rx2Agent;c:\program files\Raxco\PerfectSpeed20\Rx2Agent.exe [2009-11-18 779528]
S2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2009-01-16 147456]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plusnetwork.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-notes - c:\documents and settings\Administrator\notes.exe
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
SharedTaskScheduler-{52d63edf-0b56-4f46-99fb-3faa6a31c29c} - (no file)
SSODL-tabokepad-{52d63edf-0b56-4f46-99fb-3faa6a31c29c} - (no file)
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 09:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8A9A6369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f5fcb8
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Dell Wireless 1510 Wireless-N WLAN Mini-Card -> SendCompleteHandler -> NDIS.sys @ 0xb9df8bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e05a21
SendHandler -> NDIS.sys @ 0xb9de387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,90,82,c7,39,62,10,b0,4d,b3,00,75,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,90,82,c7,39,62,10,b0,4d,b3,00,75,\

[HKEY_USERS\S-1-5-21-1659004503-839522115-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,19,f6,93,c9,0e,e4,47,af,4c,bb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,19,f6,93,c9,0e,e4,47,af,4c,bb,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-11-30 09:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 15:33

Pre-Run: 1,526,882,304 bytes free
Post-Run: 1,555,869,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2D5CEE4B8EACA86BA9CAFDA19A637E08


Report •

#13
November 30, 2009 at 15:14:10
Are you still being redirected?

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster

Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.


Report •

#14
November 30, 2009 at 17:45:55
I am still being redirected and am getting really pissed off. I uninstalled ComboFix as you said, ran AFT cleaner, and attempted to turn System restore off and then back on. When I got to the check box option it said "Disabled by Group Policy manager." I am really close to just saying forget it and ditching Windows... I can just virtualize it on Ubuntu. I ended up getting this same spyware on my OTHER computer, because my netbook (the one that originally had the virus) couldn't connect to the internet. So I figured I'd just download the AFT tool onto a USB, which happened to be infected... So much for ESET being a good anti-virus..

Report •

#15
November 30, 2009 at 18:29:30
Looks like you are posting info from two different computers. You say you have two different computers, your Granma's and your nettie .

So, Jabuck, here is my SECOND computer's log files. (Not the netbook) I ran the files you provided in your first post on my other question. Log file from other PC:

We can only work on one computer at a time, sorry I missed this earlier. Its a wonder it isn't toast. These baddies are so manipulating that it would be very confusing to try to deal with two computers in one post.

If you want to continue choose the computer you wish to repair and post a the scans from response #1...... makeyouwannashootyourself in the foot.


Report •

#16
November 30, 2009 at 19:14:31
Thank you.....


Jeez. That was the first response I found to be somewhat personal.. Felt like I was talking to a machine. Ok. We'll restart from step one. I will fix my netbook on my own by having it reformatted by my high school or by myself. (It is on lend to me) This 3rd computer that I mentioned will also be fixed by reformatting it. (No big, I have nothing on it) So we can now focus on my Grandmothers. I have to connect to it remotely using LogMeIn software... which I am having problems with. Any advice for a bullet-proof remote control software? The Windows Remote Assistance service does not work.


Report •


Ask Question