Antispyware 2009 MS antispyware disabled pictures




#11
7th Jan 2009, 08:22
Member Group

Antispyware 2009 MS antispyware disabled pictures

I hope this is correct. My computer shut down automatically when the scan was finished.


ComboFix 09-01-06.02 - j.wall 2009-01-07 10:13:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1543 [GMT -5:00]
Running from: c:\documents and settings\j.wall\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081223120435359.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081223130128609.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081223212923546.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081224132709078.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081224234313359.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20081225141512937.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\MS AntiSpyware 2009\MS AntiSpyware 2009.lnk
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\svhost.exe
C:\test.txt
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\drivers\ati3ktxx.sys
c:\windows\system32\foyelabi.dll
c:\windows\system32\jbxuxktp.dll
c:\windows\system32\nfwmljf.dll
c:\windows\system32\nfwmljf32.dll
c:\windows\system32\otplrbcw.dll
c:\windows\system32\pyljqj.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\teyalt.dll
c:\windows\system32\winscenter.exe
----- BITS: Possible infected sites -----
hxxp://wsus
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ATI3KTXX
-------\Legacy_FCI
-------\Legacy_TDSSSERV.SYS
-------\Service_ati3ktxx
-------\Service_TDSSserv.sys

((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-05 14:23 . 2009-01-05 14:23 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 14:30 . 2009-01-06 23:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 14:30 . 2008-12-25 14:30 <DIR> d-------- c:\documents and settings\j.wall\Application Data\Malwarebytes
2008-12-25 14:30 . 2008-12-25 14:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 14:30 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-25 14:30 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 11:44 . 2008-12-23 11:44 <DIR> d-------- C:\fsaua.data
2008-12-22 22:15 . 2008-12-22 22:15 29,701 --a------ C:\vnql.exe
2008-12-22 22:15 . 2008-12-22 22:15 2 --a------ C:\407686963
2008-12-22 22:15 . 2009-01-05 14:18 0 --a------ c:\windows\system32\drivers\a6f4c9db.sys
2008-12-11 07:41 . 2008-12-11 07:41 <DIR> d-------- c:\program files\K-Lite Codec Pack
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 02:59 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-17 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-18 12:38 --------- d-----w c:\program files\eInstruction
2008-11-18 12:38 --------- d-----w c:\program files\DIFX
2008-11-18 12:38 --------- d-----w c:\program files\Common Files\FSCreations Shared
2007-11-09 17:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2007-08-10 15:27 598016 --a------ c:\windows\system32\PGPfsshl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-11-08 159744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"nwiz"="nwiz.exe" [2007-09-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-09-19 c:\windows\system32\nvhotkey.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{C03CC9D4-9F65-427A-8919-CE8DD26F8308}\Icon6560581611.exe [2007-12-12 55296]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3codec"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=copy_grcdat.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=delprof.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=create-als-folders.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=klcpf.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\6\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\6\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe



And from HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33, on 2009-01-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\ScholasticAgent\bin\AgentService.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\ScholasticAgent\jre\0\bin\javaw.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.greene.k12.ga.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.microsoft.com/?kbid=936357
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://regiong.georgiaoas.org
O15 - Trusted Zone: http://*.greene.k12.ga.us
O15 - Trusted Zone: http://www.platoweb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1230041783609
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1230041776718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {bdbde413-7b1c-4c68-a8ff-c5b2b4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = greene.k12.ga.us
O17 - HKLM\Software\..\Telephony: DomainName = greene.k12.ga.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = greene.k12.ga.us
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScholasticAgent - Unknown owner - C:\WINDOWS\system32\ScholasticAgent\bin\AgentService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7847 bytes
#12
7th Jan 2009, 09:46
Moderator Group

Antispyware 2009 MS antispyware disabled pictures

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
- O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C.

Code:
KillAll::

Driver::
TDSSSERV
TDSSserv

Folder::
C:\fsaua.data
C:\407686963

File::
C:\fsaua.data
C:\vnql.exe
c:\windows\system32\drivers\a6f4c9db.sys

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
__________________
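The moderator's procedure ends with "post that log in your next reply", and the point of that step is to confirm that every File::, Folder:: and Driver:: target in the CFScript was actually reported removed. The following script is an added example written for this thread, not ComboFix's own code or anything the forum published: it parses the CFScript format shown above and the ComboFix log produced after running it, then reports which targets appear under "Other Deletions" and which still show up under "Files Created". The embedded samples are the CFScript and an abbreviated copy of the post-#13 log from this thread; the section-banner and file-row layouts are inferred from the logs posted here, which is an assumption about ComboFix's output format.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix writes after running it.
Added example for this thread; log and CFScript layouts are inferred from the posted logs."""
import re

# Constructed sample: the CFScript from post #12 of this thread.
SAMPLE_CFSCRIPT = r"""
KillAll::

Driver::
TDSSSERV
TDSSserv

Folder::
C:\fsaua.data
C:\407686963

File::
C:\fsaua.data
C:\vnql.exe
c:\windows\system32\drivers\a6f4c9db.sys

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=-
"""

# Constructed sample: the post-CFScript ComboFix log from post #13, abbreviated.
SAMPLE_LOG = r"""
Command switches used :: c:\documents and settings\j.wall\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\407686963\
C:\fsaua.data
c:\windows\system32\drivers\a6f4c9db.sys
.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-07 10:34 . 2009-01-07 10:34 0 --a------ c:\windows\VPC32.INI
2009-01-05 14:23 . 2009-01-05 14:23 <DIR> d-------- c:\program files\Trend Micro
2008-12-22 22:15 . 2008-12-22 22:15 2 --a------ C:\407686963
"""

BANNER_RE = re.compile(r'^\(+\s*(.+?)\s*\)+[)\s]*$')          # "(((( Title ))))"
# date time . date time size|<DIR> attrs path  (the path may contain spaces)
FILE_LINE_RE = re.compile(r'^\S+ \S+ \. \S+ \S+ (?:<DIR>|[\d,]+) \S+ (.+)$')


def parse_cfscript(text):
    """Return {section: [targets]} for a CFScript; 'KillAll::' gets an empty list."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)::', line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {banner title: [lines]}; text before the first banner goes under 'header'."""
    sections, current = {'header': []}, 'header'
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip() not in ('', '.'):   # ComboFix separates blocks with lone dots
            sections[current].append(line.rstrip())
    return sections


def section(log, prefix):
    """Look a section up by the start of its title ('Files Created from ...' carries dates)."""
    for title, lines in log.items():
        if title.startswith(prefix):
            return lines
    return []


def normalize_path(p):
    """ComboFix mixes case and prints deleted folders with a trailing backslash."""
    return p.strip().rstrip('\\').lower()


def verify_cfscript(cfscript_text, log_text):
    """Map (section, target) -> True if the log reports that target as removed.
    Files/folders are matched against 'Other Deletions', drivers against the
    '-------\\Service_*' / '-------\\Legacy_*' lines of 'Drivers/Services'.
    False only means this run did not report it; the target may already be gone."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    deleted = {normalize_path(l) for l in section(log, 'Other Deletions')}
    drivers = [l.lower() for l in section(log, 'Drivers/Services')]
    results = {}
    for kind in ('file', 'folder'):
        for target in script.get(kind, []):
            results[(kind, target)] = normalize_path(target) in deleted
    for target in script.get('driver', []):
        results[('driver', target)] = any(target.lower() in l for l in drivers)
    return results


def still_listed(cfscript_text, log_text):
    """File::/Folder:: targets that the post-run 'Files Created' section still lists."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    created = set()
    for line in section(log, 'Files Created'):
        m = FILE_LINE_RE.match(line)
        if m:
            created.add(normalize_path(m.group(1)))
    targets = script.get('file', []) + script.get('folder', [])
    return {t for t in targets if normalize_path(t) in created}


if __name__ == '__main__':
    for (kind, target), ok in verify_cfscript(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{'removed     ' if ok else 'NOT REPORTED'}  {kind}:: {target}")
    for target in sorted(still_listed(SAMPLE_CFSCRIPT, SAMPLE_LOG)):
        print(f"still listed under Files Created: {target}")
```

Run against the thread's own data it flags C:\vnql.exe as not reported under Other Deletions and C:\407686963 as still listed under Files Created, while the two TDSS driver entries come back as not reported because the first ComboFix run (post #11) had already removed them. Those are exactly the discrepancies a helper wants to see before declaring the machine clean, and the reason to read the post-run log rather than trusting that the script ran.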

#13
7th Jan 2009, 11:05
Member Group

Antispyware 2009 MS antispyware disabled pictures

ComboFix 09-01-06.02 - j.wall 2009-01-07 12:13:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1466 [GMT -5:00]
Running from: c:\documents and settings\j.wall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\j.wall\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
C:\fsaua.data
C:\vnql.exe
c:\windows\system32\drivers\a6f4c9db.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\407686963\
C:\fsaua.data
c:\windows\system32\drivers\a6f4c9db.sys
.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.
2009-01-07 10:34 . 2009-01-07 10:34 0 --a------ c:\windows\VPC32.INI
2009-01-05 14:23 . 2009-01-05 14:23 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 14:30 . 2009-01-06 23:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 14:30 . 2008-12-25 14:30 <DIR> d-------- c:\documents and settings\j.wall\Application Data\Malwarebytes
2008-12-25 14:30 . 2008-12-25 14:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 14:30 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-25 14:30 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-23 09:16 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-22 22:15 . 2008-12-22 22:15 2 --a------ C:\407686963
2008-12-11 07:41 . 2008-12-11 07:41 <DIR> d-------- c:\program files\K-Lite Codec Pack
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 02:59 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-17 20:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-18 12:38 --------- d-----w c:\program files\eInstruction
2008-11-18 12:38 --------- d-----w c:\program files\DIFX
2008-11-18 12:38 --------- d-----w c:\program files\Common Files\FSCreations Shared
2007-11-09 17:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_10.20.42.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 22:35:24 556,376 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-01-23 22:34:24 36,184 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-01-23 22:35:24 556,376 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2008-01-23 22:34:24 36,184 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-01-23 22:34:52 44,888 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
+ 2009-01-07 18:01:42 16,384 ----atw c:\windows\temp\Perflib_Perfdata_728.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2007-08-10 15:27 598016 --a------ c:\windows\system32\PGPfsshl.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-11-08 159744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"nwiz"="nwiz.exe" [2007-09-19 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-09-19 c:\windows\system32\nvhotkey.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{C03CC9D4-9F65-427A-8919-CE8DD26F8308}\Icon6560581611.exe [2007-12-12 55296]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3codec"= l3codecp.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=copy_grcdat.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=delprof.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=create-als-folders.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=klcpf.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1279\Scripts\Logon\6\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-1290\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-14522\Scripts\Logon\6\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\4\0]
"Script"=set-data-path.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-28797\Scripts\Logon\5\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logoff\0\0]
"Script"=logoff.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\0\0]
"Script"=printer_deployment.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\1\0]
"Script"=My_Docs_Icon_to_Username.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\2\0]
"Script"=my_computer_to_computer_name.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-1285639578-2061926910-2655282357-500\Scripts\Logon\3\0]
"Script"=logon.bat
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 18:56 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--a------ 2006-10-20 17:23 118784 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-02-19 14:26 303104 c:\windows\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-08-10 97792]
R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-08-10 168960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-15 99376]
R4 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-08-10 224256]
R4 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-08-10 33792]
R4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
R4 ScholasticAgent;ScholasticAgent;c:\windows\system32\ScholasticAgent\bin\AgentService.exe [2008-10-31 77824]
S1 a6f4c9db;a6f4c9db;c:\windows\system32\drivers\a6f4c9db.sys --> c:\windows\system32\drivers\a6f4c9db.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-01-07 c:\windows\Tasks\xfgstawx.job
- c:\windows\system32\rundll32.exe [2004-08-03 18:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.greene.k12.ga.us
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: regiong.georgiaoas.org
Trusted Zone: *.greene.k12.ga.us
Trusted Zone: *.microsoft.com
Trusted Zone: www.platoweb.com
FF - ProfilePath - c:\documents and settings\j.wall\Application Data\Mozilla\Firefox\Profiles\vmxmmb2f.default\
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30109.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
ATTENTION: FIREFOX POLICIES ARE IN FORCE
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.obscure_value", 0); // for MCD .cfg files
c:\program files\Mozilla Firefox\greprefs\all.js - pref("general.config.filename", "mozilla.cfg");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 13:00:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\PGPlsp.dll
- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\PGPlsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\scardsvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PGPserv.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\ScholasticAgent\jre\0\bin\javaw.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe
.
**************************************************************************
.
Completion time: 2009-01-07 13:02:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 18:02:50
ComboFix2.txt 2009-01-07 15:21:24
Pre-Run: 64,553,127,936 bytes free
Post-Run: 64,549,408,768 bytes free
265 --- E O F --- 2008-12-17 20:44:04
#14
Old 7th Jan 2009, 11:10
Moderator Group
Antispyware 2009 MS antispyware disabled pictures

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:files
c:\windows\Tasks\xfgstawx.job
C:\407686963

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

#15
Old 7th Jan 2009, 11:34
Member Group
Antispyware 2009 MS antispyware disabled pictures

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\Tasks\xfgstawx.job moved successfully.
C:\407686963 moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\J~1.WAL\LOCALS~1\Temp\~DFD5C4.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\J~1.WAL\LOCALS~1\Temp\~DFD5D1.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\1052 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_728.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01072009_133242



And I wanted to say thanks again for all the help.
#16
Old 7th Jan 2009, 11:35
Moderator Group
Antispyware 2009 MS antispyware disabled pictures

You're welcome.

How is the computer running now?

#17
Old 7th Jan 2009, 11:58
Member Group
Antispyware 2009 MS antispyware disabled pictures

Running fine, but still no images. I will go back and try the reset thing at the beginning of this thread to see if that fixes the problem, right?
#18
Old 7th Jan 2009, 12:05
Member Group
Antispyware 2009 MS antispyware disabled pictures

I did the reset and everything is working fine.

The one problem I see that I haven't seen before is something popped up saying my Symantec antivirus was not running.

I think it was the program put on the computer by the school tech department.

Should I try to get that running or use something else like AVG?

Thanks for all the help. I have no idea what you did, but it worked.
#19
Old 7th Jan 2009, 13:22
Moderator Group
Antispyware 2009 MS antispyware disabled pictures

I would uninstall Symantec and use Avast Home Free.

To completely remove Norton/Symantec, go to Add/Remove Programs and uninstall anything with Norton, Symantec or Live Update in the name.

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.
  • Go to your desktop, double-click on the removal tool and then click Setup.
  • Once open, click Next.
  • Accept the license agreement and click Next.
  • Type in the letters/numbers that you see into the text box, then click Next.
  • Then click Next and the tool will start running.
  • Once finished, restart the PC and run the tool again to ensure everything has been removed.
  • Delete the Norton Removal Tool from your Desktop.

----------

Before we continue download and install a free antivirus.

Remember to only install one antivirus!

1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal

----------

Final cleanup steps.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

----------

1. Double-click OTMoveIt3.exe to launch it.
Vista users: right-click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt3

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox.

To prevent unknown applications from being installed on your computer, install WinPatrol.
* Using Winpatrol to protect your computer from malicious software

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Copyright ©2006 - 2009 Computer Juice.