Computer Juice > Computer Software > Virus, Spyware & Security
  #1  
Old 23rd May 2009, 09:33
Donor Group
 
I'm on a friend's computer, Vista, and Windows won't update. So far I have found and removed Internet Anti-Virus, Win32Adload.r, and video.exe. They also had that coupon spyware and their son kept loading Limewire. I removed both (LOL, Limewire installs itself in 400 places, I had to go through every folder and file to get rid of that). But still Windows won't update. I'm getting a code 80072efd which says there is a firewall preventing Windows from updating. I cannot find any firewall other than the Windows one and I have looked in every folder. Here are the three logs, I can't find anything, have I missed anything?

NOTE: I can't upload any of the three logs. I keep getting "invalid file" from the site. What's up with that? Do I have too many uploads here? Let me try a copy-paste:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2009 at 04:42 AM

Application Version : 4.26.1002

Core Rules Database Version : 3908
Trace Rules Database Version: 1852

Scan type : Complete Scan
Total Scan Time : 03:45:40

Memory items scanned : 831
Memory threats detected : 0
Registry items scanned : 6407
Registry threats detected : 0
File items scanned : 326608
File threats detected : 78

Adware.Tracking Cookie

Malwarebytes' Anti-Malware 1.36
Database version: 2150
Windows 6.0.6001 Service Pack 1

5/19/2009 8:40:58 AM
mbam-log-2009-05-19 (08-40-58).txt

Scan type: Quick Scan
Objects scanned: 71524
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\fe345.fe345mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{65768b48-b004-4b26-9bac-a3bac39643d1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{65768b48-b004-4b26-9bac-a3bac39643d1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65768b48-b004-4b26-9bac-a3bac39643d1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fe345.fe345mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\199638 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\199638\199638.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\796525\796525.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Users\Shirley\AppData\Local\Temp\jopaxx_1241669819.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\InternetAntivirusPro.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Windows\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\t55ft2668f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\t55ft2695f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\t55ft3105f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\f5087.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
(above was the first log, below is the current one)

Malwarebytes' Anti-Malware 1.36
Database version: 2150
Windows 6.0.6001 Service Pack 1

5/23/2009 9:03:23 AM
mbam-log-2009-05-23 (09-03-23).txt

Scan type: Quick Scan
Objects scanned: 70234
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:09 AM, on 5/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\ehome\ehmsas.exe
C:\Users\Shirley\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} -
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 9919 bytes
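As an added example (my own code, not from this thread, HijackThis or Malwarebytes), here is the by-eye triage a helper does on the HijackThis log above, written as a small Python rule set over a few lines taken from that log plus one constructed O4 entry. The R1 ProxyServer entry pointing IE at localhost:7171 is the line to check first for a "cannot connect" Windows Update error such as 80072efd: once the rogue program that listened on that port is removed, every request sent through that proxy goes unanswered (assumed here, and not established by the thread: that Windows Update on this machine falls back to the user's IE proxy setting).

```python
"""Triage HijackThis (HJT) lines for entries that explain a blocked Windows Update.

The sample input is constructed from the log posted above; the rules are this
example's own, not verdicts produced by HijackThis.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample built from lines in the posted log plus one constructed O4 entry
# (a Run key launching from Temp), modelled on the MBAM Worm.KoobFace hit.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [jopaxx] C:\Users\Shirley\AppData\Local\Temp\jopaxx.exe
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    line: str      # the HJT line that triggered the rule
    reason: str


def proxy_endpoints(value: str) -> List[Tuple[str, str, str]]:
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Accepts both 'host:port' (scheme reported as '*') and the per-protocol
    form 'http=host:port;https=host:port' seen in the posted log.
    """
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme may be absent
        host, sep, port = hostport.rpartition(":")
        if not sep:                                   # no port given
            host, port = hostport, ""
        out.append((scheme or "*", host.strip("[]").lower(), port))
    return out


def triage(log_text: str) -> List[Finding]:
    """Apply a small rule set to each HJT line and return what needs a look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag, _, body = line.partition(" - ")          # "R1", "O2", ... then the rest
        if tag in ("R0", "R1") and ",ProxyServer = " in body:
            value = body.split(",ProxyServer = ", 1)[1]
            for scheme, host, port in proxy_endpoints(value):
                if host in LOOPBACK:
                    findings.append(Finding("high", line,
                        f"{scheme} traffic is routed to a proxy on loopback "
                        f"({host}:{port}); once the program that listened there "
                        "is removed nothing answers, so clients using this "
                        "setting cannot connect. Clear the ProxyServer value."))
                else:
                    findings.append(Finding("medium", line,
                        f"{scheme} proxy {host}:{port} is configured; confirm "
                        "the owner set it up."))
        elif tag == "O1":
            m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if m and (m.group(1), m.group(2)) not in DEFAULT_HOSTS:
                findings.append(Finding("high", line,
                    f"hosts file maps {m.group(2)} to {m.group(1)}; "
                    "non-default entries commonly block vendor update sites."))
        elif tag == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", line,
                "orphaned BHO: the CLSID is still registered but its DLL is "
                "gone (leftover of a removed infection); safe to fix in HJT."))
        elif tag == "O4" and re.search(r"\\Temp\\", body, re.IGNORECASE):
            findings.append(Finding("high", line,
                "autostart entry launching from a Temp folder; legitimate "
                "software does not persist there."))
    return findings


def summary(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'low': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity.upper()}] {f.line}\n    {f.reason}")
    print(summary(triage(SAMPLE_HJT_LOG)))
```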
  #2  
Old 23rd May 2009, 23:45
Malware Group
 
Hi Bubba....

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.
* Double-click ResetTeaTimer.zip
* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

After all of the fixes are complete, it is very important that you enable TeaTimer again; I will let you know when it is safe to do so.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

===========================================

Download and scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs, including WinPatrol, so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

===========================================

Go to Start menu > Select Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
  #3  
Old 24th May 2009, 02:33
Donor Group
 
A few things before I post the logs:

1. In the TeaTimer tutorial you linked, it said to also disable the resident SDHelper, so I did.
2. ComboFix did not display the back up registry screen unless it is a quick screen and I missed it while looking at my computer (remember this one is a friend's). It did not disconnect from the internet nor did I notice it changing the time. Both icons were visible while ComboFix was running. Is this a problem? Also, after running ComboFix, the wallpaper was distorted, so I rebooted. When the computer started back up, the wallpaper was gone, Firefox was no longer the default browser and a message popped up that the IE homepage had been changed to MSN (I think). Is this normal? Also, WinPatrol noted that a new service had been added: appmgmts.dll.

3. Before you responded to this, I got rid of the Google toolbar. Several of the HJT entries looked odd. In O18 for instance, it was called x-sdCH instead of x-sdHC.......... Besides, lol, I hate toolbars and they can always add it back if they want it. Regardless, that changed the HJT log. I also got rid of the two O2's that had no file associated with them.

4. What are we looking for in the ComboFix log? LOL, I started to download and run it before I posted this thread, but decided I just don't know enough yet to mess with it.

And without further ado:

ComboFix 09-05-23.04 - Shirley 05/24/2009 4:48.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1916 [GMT -4:00]
Running from: c:\users\Shirley\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-22 23:57 . 2009-05-24 08:40 117760 ----a-w c:\users\Shirley\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-22 23:56 . 2009-05-22 23:56 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-05-22 23:52 . 2009-05-22 23:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-22 23:52 . 2009-05-22 23:52 -------- d-----w c:\users\Shirley\AppData\Roaming\SUPERAntiSpyware.com
2009-05-22 20:36 . 2009-05-22 20:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-22 15:06 . 2009-02-05 20:06 51376 ----a-w c:\windows\system32\drivers\aswTdi.sys
2009-05-22 15:06 . 2009-02-05 20:06 23152 ----a-w c:\windows\system32\drivers\aswRdr.sys
2009-05-22 15:06 . 2009-02-05 20:07 114768 ----a-w c:\windows\system32\drivers\aswSP.sys
2009-05-22 15:06 . 2009-02-05 20:07 20560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
2009-05-22 15:06 . 2009-02-05 20:04 97480 ----a-w c:\windows\system32\AvastSS.scr
2009-05-22 15:06 . 2009-02-05 20:11 1256296 ----a-w c:\windows\system32\aswBoot.exe
2009-05-22 15:06 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-05-22 15:06 . 2009-05-22 15:06 -------- d-----w c:\program files\Alwil Software
2009-05-22 04:38 . 2009-05-22 04:38 738120 ----a-w c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-05-20 12:43 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-05-20 12:43 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-20 12:43 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll
2009-05-20 12:43 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe
2009-05-20 12:43 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-05-20 12:43 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-05-20 12:43 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-05-20 12:33 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-05-20 12:33 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-05-20 12:33 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-05-20 12:32 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-05-20 12:32 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-05-20 11:39 . 2009-05-20 11:39 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-20 04:03 . 2009-05-20 11:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-19 23:20 . 2009-05-19 23:20 -------- d-----w c:\users\Shirley\AppData\Local\Acer DV Magician
2009-05-19 23:10 . 2009-05-19 23:10 -------- d-----w c:\windows\Sun
2009-05-19 20:40 . 2009-05-19 20:40 -------- d-----w c:\users\Shirley\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-19 20:40 . 2009-05-19 11:41 38200 ----a-w c:\users\Shirley\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-19 18:24 . 2009-05-24 08:38 -------- d-----w c:\users\Shirley\AppData\Local\Eraser
2009-05-19 18:24 . 2009-05-19 18:24 -------- d--h--w c:\users\Shirley\AppData\Local\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-05-19 18:24 . 2009-05-19 18:24 -------- d-----w c:\program files\Eraser
2009-05-19 17:20 . 2009-05-19 17:20 -------- d-----w c:\users\Shirley\AppData\Roaming\eSobi
2009-05-19 17:11 . 2008-07-10 06:32 538 ----a-w c:\windows\system32\RegRaidSedona.bat
2009-05-19 17:07 . 2009-05-19 17:07 -------- d-----w C:\NVIDIA
2009-05-19 14:04 . 2009-05-19 14:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-19 14:04 . 2009-05-19 14:05 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-19 13:01 . 2009-05-19 13:01 -------- d-----w c:\users\Shirley\AppData\Roaming\WinPatrol
2009-05-19 13:01 . 2006-09-18 21:43 10 ----a-w c:\users\Shirley\AppData\Roaming\WinPatrol\Config.sys
2009-05-19 13:01 . 2006-09-18 21:43 24 ----a-w c:\users\Shirley\AppData\Roaming\WinPatrol\Autoexec.bat
2009-05-19 13:01 . 2009-05-19 13:01 -------- d-----w c:\program files\BillP Studios
2009-05-19 12:26 . 2009-05-19 12:26 -------- d-----w c:\users\Shirley\AppData\Roaming\Malwarebytes
2009-05-19 12:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 12:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 12:26 . 2009-05-19 13:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 12:26 . 2009-05-19 12:26 -------- d-----w c:\programdata\Malwarebytes
2009-05-19 11:53 . 2009-05-19 11:53 0 ----a-w c:\windows\nsreg.dat
2009-05-19 11:53 . 2009-05-19 11:53 -------- d-----w c:\users\Shirley\AppData\Local\Mozilla
2009-05-19 11:41 . 2009-05-19 11:41 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-19 11:38 . 2009-05-19 12:45 -------- d-----w c:\programdata\NOS
2009-05-19 11:29 . 2009-05-19 11:29 -------- d-----w c:\users\Shirley\AppData\Local\Seven Zip
2009-05-19 10:41 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-19 10:41 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-05-19 10:41 . 2009-05-20 01:10 -------- d-----w c:\program files\iPod
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\program files\iTunes
2009-05-19 10:38 . 2009-05-19 10:38 -------- d-----w c:\program files\QuickTime
2009-05-19 10:34 . 2009-05-19 10:34 75048 ----a-w c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-19 10:34 . 2009-05-19 10:34 -------- d-----w c:\program files\Bonjour
2009-05-19 10:33 . 2009-05-19 10:33 416128 ----a-w c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-19 10:29 . 2009-05-19 10:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-12 02:36 . 2009-05-12 02:36 2930 ---h--w c:\windows\ms49f4d98.dat
2009-05-11 23:55 . 2009-04-14 00:39 4656976 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{DD7D9A19-5FB4-4855-A8E0-F0A00524AD5E}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 08:39 . 2009-02-17 13:54 602 ----a-w c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-05-24 04:22 . 2008-09-12 01:46 -------- d-----w c:\program files\Google
2009-05-20 11:55 . 2008-09-11 17:01 104472 ----a-w c:\users\Shirley\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-20 11:51 . 2008-02-05 19:30 -------- d-----w c:\programdata\Microsoft Help
2009-05-20 11:49 . 2008-02-05 19:31 -------- d-----w c:\program files\Microsoft Works
2009-05-20 03:54 . 2008-09-12 14:01 -------- d-----w c:\program files\Lx_cats
2009-05-20 00:42 . 2008-02-05 20:19 -------- d-----w c:\program files\Common Files\Adobe
2009-05-19 23:28 . 2008-02-05 19:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-19 23:27 . 2008-02-05 19:49 -------- d-----w c:\program files\Acer Arcade Live
2009-05-19 23:20 . 2008-09-15 23:24 -------- d-----w c:\users\Shirley\AppData\Roaming\CyberLink
2009-05-19 21:38 . 2008-09-12 20:56 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-05-19 21:04 . 2008-09-12 14:09 1664 ----a-w c:\users\Shirley\AppData\Roaming\wklnhst.dat
2009-05-19 17:29 . 2009-03-04 15:55 -------- d-----w c:\users\Shirley\AppData\Roaming\Sony
2009-05-19 17:20 . 2008-02-05 19:22 -------- d-----w c:\programdata\NVIDIA
2009-05-19 16:54 . 2008-02-05 18:03 36864 ----a-w c:\windows\system32\nvcod100.dll
2009-05-19 16:54 . 2007-10-25 11:02 147456 ----a-w c:\windows\system32\nvcolor.exe
2009-05-19 16:13 . 2008-09-12 01:47 -------- d-----w c:\users\Shirley\AppData\Roaming\LimeWire
2009-05-19 11:32 . 2008-02-05 20:08 -------- d-----w c:\program files\Yahoo!
2009-05-19 11:05 . 2008-09-12 01:45 -------- d-----w c:\program files\Java
2009-05-19 10:41 . 2008-09-13 03:14 -------- d-----w c:\program files\Common Files\Apple
2009-05-19 10:38 . 2008-09-13 03:15 -------- d-----w c:\programdata\Apple Computer
2009-05-11 12:10 . 2009-05-11 12:10 78260 ----a-w c:\programdata\SPL23D4.tmp
2009-04-17 10:12 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-02 22:13 . 2009-04-02 22:13 702127 ----a-w c:\programdata\SPLFB91.tmp
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 03:38 . 2009-04-17 05:22 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 05:22 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-20 03:47 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-20 03:47 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-20 03:47 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-20 03:47 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-20 03:47 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-20 03:47 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-20 03:47 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-20 03:47 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-20 03:47 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-20 03:47 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-20 03:47 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-20 03:47 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-20 03:47 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-20 03:47 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-20 03:47 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-20 03:47 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-20 03:47 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-20 03:47 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-17 05:22 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 05:22 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 05:22 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 05:22 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 05:22 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 05:22 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 05:22 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 05:22 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 05:22 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 05:22 17408 ----a-w c:\windows\system32\iashost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-11-07 95536]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2007-12-30 34552]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-11-12 203296]
"LXCECATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2007-02-22 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2007-05-17 205744]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2007-05-17 103344]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-19 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-16 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-16 92704]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-2-5 535336]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2E9A4533-1359-46B6-B326-2B899D73FD10}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ADE9CF49-7A0E-4076-9B85-7648EC5E7736}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6299EEE5-1856-4B10-9916-798B1C1AEF89}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{F3CFA48D-AE6A-482E-96D7-2390C5C0FDF5}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{D430641B-178B-4C39-B53C-F6B3221DB01A}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{948000F3-8719-4206-B4C5-6506B663184F}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{8BCD640B-594A-465F-8A9E-E5A6C07DC081}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{7B6B3B53-9D2B-40C9-B91F-FE85E1D6A25A}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{CA5E49E2-2662-4B15-BE6C-0FC7F1CC3A1B}"= UDP:c:\windows\System32\lxcecoms.exe:Lexmark Communications System
"{61DAEE1D-D19E-4F1A-B41E-603246AF524C}"= TCP:c:\windows\System32\lxcecoms.exe:Lexmark Communications System
"{EB8798E6-358B-4DDA-A219-21BBC5D3C79A}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxcepswx.exe:Printer Status Window
"{C513D5EB-73E1-4ED7-A04C-C37C9E69B4B0}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxcepswx.exe:Printer Status Window
"{99976595-B4E1-4C9A-A3DE-A67AEDEE9B55}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{7A37205C-E643-4464-8C27-FAFCC859102D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1DF156D1-94E3-4B3D-A91E-724DFC89819E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B7DA4A0B-FA80-40F6-A9A6-B737F64A2D2D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D7D156E3-7B84-41F2-9FD8-CF9860453F65}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F8CDA590-0FD3-4E40-8A6C-9850B1E5C2AB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F6A110DE-6630-4823-B892-60950EB9ED71}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8640BFAB-1B85-48CC-95D5-9AABB44E4D95}"= UDP:c:\program files\BillP Studios\WinPatrol\WinPatrol.exe:WinPatrol
"{6CC4A3BE-8F00-4983-B199-3050D54509B8}"= TCP:c:\program files\BillP Studios\WinPatrol\WinPatrol.exe:WinPatrol
"{1EA08720-DA12-4CDE-8A5A-AF15D91C1E5F}"= UDP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{DDDCF108-71DF-48CD-AD53-71D17C3F2C5C}"= TCP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{F98C3B13-2099-40EC-B504-2445C9C5B1B0}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{3DB81CCD-4E96-40B3-8CA9-0089C89C294B}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{918FE1A4-6957-4640-97D9-C85BED212614}"= UDP:c:\program files\Spybot - Search & Destroy\SDUpdate.exe:Update Spybot-S&D
"{877DB07F-9298-486A-BB5B-930AF3A683AA}"= TCP:c:\program files\Spybot - Search & Destroy\SDUpdate.exe:Update Spybot-S&D
"{5A664831-D250-4805-BB75-32612C9742F8}"= UDP:c:\windows\ehome\ehshell.exe:Windows Media Center
"{2A157C0E-5966-4B7E-8D49-178D75EA6009}"= TCP:c:\windows\ehome\ehshell.exe:Windows Media Center

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [5/22/2009 11:06 AM 114768]
R1 FAMv4;FAMv4;c:\windows\System32\drivers\FAMv4.sys [12/14/2007 3:35 PM 132120]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [5/22/2009 11:06 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [5/22/2009 11:06 AM 51792]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [12/30/2007 5:54 PM 21752]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [12/30/2007 5:55 PM 54520]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [12/30/2007 5:54 PM 136440]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/19/2009 10:04 AM 1153368]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\users\Shirley\AppData\Roaming\Mozilla\Firefox\Profiles\j0dqrqc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.us.acer.yahoo.com/
.

************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 04:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-24 4:55
ComboFix-quarantined-files.txt 2009-05-24 08:55

Pre-Run: 173,756,547,072 bytes free
Post-Run: 173,859,581,952 bytes free

269 --- E O F --- 2009-05-17 10:04

ADD REMOVE PROGRAMS

Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
netbrdg
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NTI Open File Manager (remove only)
NVIDIA Drivers
OfotoXMI
OLYMPUS Master 2
OLYMPUS muvee theaterPack
PCDADDIN
PCDHELP
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
SFR
SHASTA
skin0001
SKINXSDK
Spybot - Search & Destroy
staticcr
SUPERAntiSpyware Free Edition
tooltips
Turbo Pizza
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VPRINTOL
Windows Live OneCare safety scanner
WinPatrol 2009
WIRELESS
Zuma Deluxe

EDIT: Three more questions: I noticed a Limewire DLL, can we kill that?

Although LTI is a legitimate program, is it necessary? I think it came bundled with this stupid Acer computer (man, do they load these things up with junk), and it is made redundant by the built-in Microsoft program.

LT Cats is a built-in spyware from the printer manufacturer, Lexmark. I thought I got its pertinent parts out, but I wasn't sure how much to axe without disabling the printer. Can more go, or is what is left fine?
  #4  
Old 24th May 2009, 04:03
Malware Group
 
Hi Bubba

Please don't play with HJT unless you understand the workings of it. You must remember that HJT is in effect a registry editor tool in a different context. I would hate for you to turn the PC into an expensive doorstop! The two O2 entries which you deleted are legit; although it reports the file as missing, this is not always the case. HJT is known to misreport certain entries.

Regarding LimeWire, have you uninstalled it via Control Panel? If so, then we can flush a couple more redundant items that are left over.

I see a few bits which relate to Norton; was this bundled on the PC at one time? Please run the Norton Removal Tool to clean out the remnants. You can find the tool here: Norton Removal Tool

Once done......

Combofix

  • Close any open browsers.
  • Close any security applications (Antivirus, Antimalware etc..)
  • Open notepad and copy/paste the text in the box below into it:
Quote:
DDS::
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ComboFix.txt for further review.

=====================================

I notice that the uninstall log was cut off at the top; can you repost it for me, please? Also keep me updated on how things are system-wise.
__________________
Proud member of ASAP & UNITE
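Added example, not part of this thread and not ComboFix's own code: the two ProxyServer/ProxyOverride lines the CFScript above removes, together with the EnableLUA=0, EnableFirewall=0 and Security Center DisableMonitoring values further up the same log, are the settings worth checking by eye in any ComboFix log before a CFScript is run, because they are what a removed adware install typically leaves behind. The Python script below parses lines in the shape ComboFix prints them and flags exactly those settings. The embedded sample is constructed from the relevant lines of the log in this thread; the check logic and the wording of the findings are this example's own, not anything ComboFix reports.

```python
"""Triage a pasted ComboFix log for settings that often survive a manual
clean-up: a per-user proxy aimed at the local host, UAC switched off, the
Windows Firewall disabled, and Security Center monitoring suppressed for a
product that may no longer be installed.  Added example for this page; it is
not part of ComboFix and the finding text is this example's own wording."""
import re
from typing import Dict, List, Optional, Tuple

# A proxy on one of these hosts only works while some local program listens.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}

# Line shapes as ComboFix prints them: "[key]", '"name"= value', and the
# "uInternet Settings,Name = value" lines of the Supplementary Scan.
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')
_SUPP_RE = re.compile(r"^(?P<name>[um]Internet Settings,\w+)\s*=\s*(?P<raw>.+?)\s*$")

# Constructed sample: the relevant lines from the log in this thread, nothing more.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171
Trusted Zone: microsoft.com\update
"""


def parse_reg_points(text: str) -> Dict[Tuple[str, str], str]:
    """Map (registry key as printed, value name) -> raw value text."""
    values: Dict[Tuple[str, str], str] = {}
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            values[(key, m.group("name"))] = m.group("raw")
    return values


def parse_supplementary(text: str) -> Dict[str, str]:
    """Collect the Internet Settings lines (u = current user, m = machine)."""
    return {m.group("name"): m.group("raw")
            for m in (_SUPP_RE.match(l.strip()) for l in text.splitlines()) if m}


def reg_int(raw: str) -> Optional[int]:
    """'0 (0x0)' -> 0, 'dword:00000001' -> 1, anything non-numeric -> None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^-?\d+", raw)
    return int(m.group(0)) if m else None


def parse_proxy_server(raw: str) -> List[Tuple[str, str, int]]:
    """Split an IE ProxyServer string into (scheme, host, port) triples.
    Handles both 'host:port' and 'http=host:port;https=host:port' forms."""
    triples = []
    for part in filter(None, (p.strip() for p in raw.split(";"))):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:                      # bare host with no port
            host, port = hostport, "0"
        triples.append((scheme.lower() or "*", host.strip("[]").lower(),
                        int(port) if port.isdigit() else 0))
    return triples


def triage(text: str) -> List[str]:
    """Return one line per setting that deserves a look before the next CFScript."""
    findings = []
    proxy = parse_supplementary(text).get("uInternet Settings,ProxyServer")
    if proxy:
        for scheme, host, port in parse_proxy_server(proxy):
            if host in LOCAL_HOSTS:
                findings.append(f"proxy: {scheme} traffic for the current user goes to "
                                f"{host}:{port}; with nothing listening there, any client "
                                "that honours the setting cannot connect")
    for (key, name), raw in parse_reg_points(text).items():
        low, val = key.lower(), reg_int(raw)
        if name == "EnableLUA" and low.endswith("\\policies\\system") and val == 0:
            findings.append("uac: EnableLUA=0, User Account Control is switched off")
        elif name == "EnableFirewall" and low.endswith("\\firewallpolicy\\standardprofile") and val == 0:
            findings.append("firewall: EnableFirewall=0, Windows Firewall is off for the standard profile")
        elif name == "DisableMonitoring" and "\\security center\\monitoring" in low and val == 1:
            tail = key[low.index("\\monitoring") + len("\\monitoring"):].lstrip("\\")
            findings.append(f"security center: monitoring suppressed for {tail or '(all products)'}; "
                            "stale if that product is no longer installed")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To run it on a real log, read C:\ComboFix.txt into a string and pass it to triage() in place of SAMPLE_LOG. A proxy finding that points at localhost with nothing left listening there is consistent with the "cannot connect" class of Windows Update failure reported at the top of the thread, but treat it as a lead: clear the setting, retry the update, and only then conclude that was the cause.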
  #5  
Old 24th May 2009, 04:53
Donor Group
 
LimeWire would not show up in the Programs and Features panel to uninstall. The files to "run" it I found were app files, not exe, so I trudged through the C drive and erased everything I could find. I see I missed at least one in the registry, though.

As for Norton... yeah, Acer loaded a trial version on. I uninstalled it through Control Panel and then used the Norton Removal Tool. (That was the first thing I did, even before I loaded Spybot, WinPatrol, and the rest of the stuff.) When I was going through the C drive files, I kept finding more remnants of Norton and erased them as I went. It never occurred to me to run it again, but I will do so now.

LOL, those three files in ComboFix were the three I was most curious about. There shouldn't BE a proxy host, nor did I think the profiles should be locked to everyone. But I haven't studied ComboFix yet, which is why I didn't use it myself; as such, I was clueless as to what to do with those three, or even if they were in fact "bad."

Sorry about cutting the head off the uninstall log; what's silly is I looked at it twice, since it had no setting, and missed my mistake both times.

EDIT: and I STILL forgot to post it:

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acer Arcade Live Main Page
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer GameZone Console DTV 2.0.1.1
Acer Registration
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Adobe Shockwave Player 11.5
Agatha Christie Death on the Nile
Alice Greenfingers
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
avast! Antivirus
Azada
Backspin Billiards
Big Kahuna Reef
Bonjour
Bookworm Deluxe
Bricks of Egypt
Cake Mania
CCScore
Chicken Invaders 3
Chuzzle
Diner Dash Flo on the Go
Eraser
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
Flip Words 2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Jewel Quest Solitaire
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kick N Rush
Kodak EasyShare software
KODAK Gallery Upload Software
Lexmark 4300 Series
Mahjong Escape Ancient China
Mahjongg Artifacts
Malwarebytes' Anti-Malware
Memorex exPressit Label Design Studio
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
netbrdg
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NTI Open File Manager (remove only)
NVIDIA Drivers
OfotoXMI
OLYMPUS Master 2
OLYMPUS muvee theaterPack
PCDADDIN
PCDHELP
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
SFR
SHASTA
skin0001
SKINXSDK
Spybot - Search & Destroy
staticcr
SUPERAntiSpyware Free Edition
tooltips
Turbo Pizza
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VPRINTOL
Windows Live OneCare safety scanner
WinPatrol 2009
WIRELESS
Zuma Deluxe
  #6  
Old 24th May 2009, 05:58
Malware Group
 
Hi there Bubba

Thanks for the updated uninstall list. Can you post the new ComboFix log for me as requested?

Quote:
What are we looking for in the Combofix?
Basically just anything malicious; ComboFix is mainly an advanced analysis tool which gives us more info than HJT.

Regarding LTCats:
From what I can tell this is a valid entry, but it is classified as "user's choice" on whether it runs at start-up.

Regarding Limewire:
I can see a couple of entries that are still in there, but we can get them with the next run of ComboFix.
__________________
Proud member of ASAP & UNITE
  #7  
Old 24th May 2009, 07:03
Donor Group
 
Ouch, the computer locked up and shut down as it looked like ComboFix was about to finish up. It rebooted and I selected safe mode. I don't think it created the log, but I don't know for sure. Here is the Microsoft pop-up.

Windows has recovered from an unexpected shutdown.

Problem signature:
Problem Event Name: Blue Screen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:

BCCODE: 50
BCP1: E0858E9B
BCP2: 00000000
BCP3: 9B9D2D10
BCP4: 00000002
OS VERSION: 6_6_6001
SERVICE PACK: 1_0
PRODUCT: 768_1

FILES THAT DESCRIBE THE PROBLEM:

C:\Windows\minidump\mini052409-01.dmp
C:\Users\Shirley\appdata\temp\WER-85644-0.systemdata.xml
C:\Users\Shirley\Appdata\Local\Temp\WERC6C7.tmp.version.txt

I have left that computer on that screen in safe mode. What do you want me to do with it? I'm leaving it in safe mode until I hear something. I have to go film now; I'll be back in about 3 hours. Man, it's nice working on someone else's computer so I have mine to still get help here on.

EDIT: I haven't tried, but I'm sure I can get those files in safe mode if you need to know what they say, but I also don't know how to open an XML file.
  #8  
Old 24th May 2009, 07:11
Malware Group
 
Hi Bubba

Try rebooting and see if it boots successfully again. If not, try pressing F8 to access the boot screen on start-up and choose the option for Last Known Good Configuration.
__________________
Proud member of ASAP & UNITE
  #9  
Old 24th May 2009, 07:50
Donor Group
 
It booted and there was a ComboFix2 log there. It is fairly identical to the first one, but there is a 10:04 timestamp referring to a quarantine log. The quarantine log is empty. Here is the file; I don't know if it is complete or what you want. NOW I have to split.

ComboFix 09-05-23.04 - Shirley 05/24/2009 4:48.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1916 [GMT -4:00]
Running from: c:\users\Shirley\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-22 23:57 . 2009-05-24 08:40 117760 ----a-w c:\users\Shirley\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-22 23:56 . 2009-05-22 23:56 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-05-22 23:52 . 2009-05-22 23:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-22 23:52 . 2009-05-22 23:52 -------- d-----w c:\users\Shirley\AppData\Roaming\SUPERAntiSpyware.com
2009-05-22 20:36 . 2009-05-22 20:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-22 15:06 . 2009-02-05 20:06 51376 ----a-w c:\windows\system32\drivers\aswTdi.sys
2009-05-22 15:06 . 2009-02-05 20:06 23152 ----a-w c:\windows\system32\drivers\aswRdr.sys
2009-05-22 15:06 . 2009-02-05 20:07 114768 ----a-w c:\windows\system32\drivers\aswSP.sys
2009-05-22 15:06 . 2009-02-05 20:07 20560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
2009-05-22 15:06 . 2009-02-05 20:04 97480 ----a-w c:\windows\system32\AvastSS.scr
2009-05-22 15:06 . 2009-02-05 20:11 1256296 ----a-w c:\windows\system32\aswBoot.exe
2009-05-22 15:06 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-05-22 15:06 . 2009-05-22 15:06 -------- d-----w c:\program files\Alwil Software
2009-05-22 04:38 . 2009-05-22 04:38 738120 ----a-w c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-05-20 12:43 . 2008-06-20 01:14 97800 ----a-w c:\windows\system32\infocardapi.dll
2009-05-20 12:43 . 2008-06-20 01:14 105016 ----a-w c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-20 12:43 . 2008-06-20 01:14 11264 ----a-w c:\windows\system32\icardres.dll
2009-05-20 12:43 . 2008-06-20 01:14 622080 ----a-w c:\windows\system32\icardagt.exe
2009-05-20 12:43 . 2008-06-20 01:14 43544 ----a-w c:\windows\system32\PresentationHostProxy.dll
2009-05-20 12:43 . 2008-06-20 01:14 781344 ----a-w c:\windows\system32\PresentationNative_v0300.dll
2009-05-20 12:43 . 2008-06-20 01:14 326160 ----a-w c:\windows\system32\PresentationHost.exe
2009-05-20 12:33 . 2008-07-27 18:03 96760 ----a-w c:\windows\system32\dfshim.dll
2009-05-20 12:33 . 2008-07-27 18:03 282112 ----a-w c:\windows\system32\mscoree.dll
2009-05-20 12:33 . 2008-07-27 18:03 41984 ----a-w c:\windows\system32\netfxperf.dll
2009-05-20 12:32 . 2008-07-27 18:03 158720 ----a-w c:\windows\system32\mscorier.dll
2009-05-20 12:32 . 2008-07-27 18:03 83968 ----a-w c:\windows\system32\mscories.dll
2009-05-20 11:39 . 2009-05-20 11:39 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-20 04:03 . 2009-05-20 11:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-19 23:20 . 2009-05-19 23:20 -------- d-----w c:\users\Shirley\AppData\Local\Acer DV Magician
2009-05-19 23:10 . 2009-05-19 23:10 -------- d-----w c:\windows\Sun
2009-05-19 20:40 . 2009-05-19 20:40 -------- d-----w c:\users\Shirley\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-19 20:40 . 2009-05-19 11:41 38200 ----a-w c:\users\Shirley\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-05-19 18:24 . 2009-05-24 08:38 -------- d-----w c:\users\Shirley\AppData\Local\Eraser
2009-05-19 18:24 . 2009-05-19 18:24 -------- d--h--w c:\users\Shirley\AppData\Local\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-05-19 18:24 . 2009-05-19 18:24 -------- d-----w c:\program files\Eraser
2009-05-19 17:20 . 2009-05-19 17:20 -------- d-----w c:\users\Shirley\AppData\Roaming\eSobi
2009-05-19 17:11 . 2008-07-10 06:32 538 ----a-w c:\windows\system32\RegRaidSedona.bat
2009-05-19 17:07 . 2009-05-19 17:07 -------- d-----w C:\NVIDIA
2009-05-19 14:04 . 2009-05-19 14:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-19 14:04 . 2009-05-19 14:05 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-19 13:01 . 2009-05-19 13:01 -------- d-----w c:\users\Shirley\AppData\Roaming\WinPatrol
2009-05-19 13:01 . 2006-09-18 21:43 10 ----a-w c:\users\Shirley\AppData\Roaming\WinPatrol\Config.sys
2009-05-19 13:01 . 2006-09-18 21:43 24 ----a-w c:\users\Shirley\AppData\Roaming\WinPatrol\Autoexec.bat
2009-05-19 13:01 . 2009-05-19 13:01 -------- d-----w c:\program files\BillP Studios
2009-05-19 12:26 . 2009-05-19 12:26 -------- d-----w c:\users\Shirley\AppData\Roaming\Malwarebytes
2009-05-19 12:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 12:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 12:26 . 2009-05-19 13:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 12:26 . 2009-05-19 12:26 -------- d-----w c:\programdata\Malwarebytes
2009-05-19 11:53 . 2009-05-19 11:53 0 ----a-w c:\windows\nsreg.dat
2009-05-19 11:53 . 2009-05-19 11:53 -------- d-----w c:\users\Shirley\AppData\Local\Mozilla
2009-05-19 11:41 . 2009-05-19 11:41 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-19 11:38 . 2009-05-19 12:45 -------- d-----w c:\programdata\NOS
2009-05-19 11:29 . 2009-05-19 11:29 -------- d-----w c:\users\Shirley\AppData\Local\Seven Zip
2009-05-19 10:41 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-19 10:41 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-05-19 10:41 . 2009-05-20 01:10 -------- d-----w c:\program files\iPod
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\program files\iTunes
2009-05-19 10:38 . 2009-05-19 10:38 -------- d-----w c:\program files\QuickTime
2009-05-19 10:34 . 2009-05-19 10:34 75048 ----a-w c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-19 10:34 . 2009-05-19 10:34 -------- d-----w c:\program files\Bonjour
2009-05-19 10:33 . 2009-05-19 10:33 416128 ----a-w c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-19 10:29 . 2009-05-19 10:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-12 02:36 . 2009-05-12 02:36 2930 ---h--w c:\windows\ms49f4d98.dat
2009-05-11 23:55 . 2009-04-14 00:39 4656976 ----a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{DD7D9A19-5FB4-4855-A8E0-F0A00524AD5E}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 08:39 . 2009-02-17 13:54 602 ----a-w c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2009-05-24 04:22 . 2008-09-12 01:46 -------- d-----w c:\program files\Google
2009-05-20 11:55 . 2008-09-11 17:01 104472 ----a-w c:\users\Shirley\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-20 11:51 . 2008-02-05 19:30 -------- d-----w c:\programdata\Microsoft Help
2009-05-20 11:49 . 2008-02-05 19:31 -------- d-----w c:\program files\Microsoft Works
2009-05-20 03:54 . 2008-09-12 14:01 -------- d-----w c:\program files\Lx_cats
2009-05-20 00:42 . 2008-02-05 20:19 -------- d-----w c:\program files\Common Files\Adobe
2009-05-19 23:28 . 2008-02-05 19:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-19 23:27 . 2008-02-05 19:49 -------- d-----w c:\program files\Acer Arcade Live
2009-05-19 23:20 . 2008-09-15 23:24 -------- d-----w c:\users\Shirley\AppData\Roaming\CyberLink
2009-05-19 21:38 . 2008-09-12 20:56 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-05-19 21:04 . 2008-09-12 14:09 1664 ----a-w c:\users\Shirley\AppData\Roaming\wklnhst.dat
2009-05-19 17:29 . 2009-03-04 15:55 -------- d-----w c:\users\Shirley\AppData\Roaming\Sony
2009-05-19 17:20 . 2008-02-05 19:22 -------- d-----w c:\programdata\NVIDIA
2009-05-19 16:54 . 2008-02-05 18:03 36864 ----a-w c:\windows\system32\nvcod100.dll
2009-05-19 16:54 . 2007-10-25 11:02 147456 ----a-w c:\windows\system32\nvcolor.exe
2009-05-19 16:13 . 2008-09-12 01:47 -------- d-----w c:\users\Shirley\AppData\Roaming\LimeWire
2009-05-19 11:32 . 2008-02-05 20:08 -------- d-----w c:\program files\Yahoo!
2009-05-19 11:05 . 2008-09-12 01:45 -------- d-----w c:\program files\Java
2009-05-19 10:41 . 2008-09-13 03:14 -------- d-----w c:\program files\Common Files\Apple
2009-05-19 10:38 . 2008-09-13 03:15 -------- d-----w c:\programdata\Apple Computer
2009-05-11 12:10 . 2009-05-11 12:10 78260 ----a-w c:\programdata\SPL23D4.tmp
2009-04-17 10:12 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-02 22:13 . 2009-04-02 22:13 702127 ----a-w c:\programdata\SPLFB91.tmp
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-17 03:38 . 2009-04-17 05:22 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 05:22 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-08 11:34 . 2009-05-20 03:47 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-20 03:47 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-20 03:47 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-20 03:47 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-20 03:47 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-20 03:47 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-20 03:47 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-20 03:47 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-20 03:47 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-20 03:47 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-20 03:47 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-20 03:47 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-20 03:47 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-20 03:47 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-20 03:47 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-20 03:47 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-20 03:47 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-20 03:47 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-17 05:22 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 05:22 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 05:22 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 05:22 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 05:22 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 05:22 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 05:22 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 05:22 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 05:22 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 05:22 17408 ----a-w c:\windows\system32\iashost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-11-07 95536]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2007-12-30 34552]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-11-12 203296]
"LXCECATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2007-02-22 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2007-05-17 205744]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2007-05-17 103344]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-19 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-16 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-16 92704]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-2-5 535336]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2E9A4533-1359-46B6-B326-2B899D73FD10}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ADE9CF49-7A0E-4076-9B85-7648EC5E7736}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6299EEE5-1856-4B10-9916-798B1C1AEF89}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{F3CFA48D-AE6A-482E-96D7-2390C5C0FDF5}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{D430641B-178B-4C39-B53C-F6B3221DB01A}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{948000F3-8719-4206-B4C5-6506B663184F}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{8BCD640B-594A-465F-8A9E-E5A6C07DC081}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{7B6B3B53-9D2B-40C9-B91F-FE85E1D6A25A}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{CA5E49E2-2662-4B15-BE6C-0FC7F1CC3A1B}"= UDP:c:\windows\System32\lxcecoms.exe:Lexmark Communications System
"{61DAEE1D-D19E-4F1A-B41E-603246AF524C}"= TCP:c:\windows\System32\lxcecoms.exe:Lexmark Communications System
"{EB8798E6-358B-4DDA-A219-21BBC5D3C79A}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxcepswx.exe:Printer Status Window
"{C513D5EB-73E1-4ED7-A04C-C37C9E69B4B0}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxcepswx.exe:Printer Status Window
"{99976595-B4E1-4C9A-A3DE-A67AEDEE9B55}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{7A37205C-E643-4464-8C27-FAFCC859102D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1DF156D1-94E3-4B3D-A91E-724DFC89819E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B7DA4A0B-FA80-40F6-A9A6-B737F64A2D2D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D7D156E3-7B84-41F2-9FD8-CF9860453F65}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F8CDA590-0FD3-4E40-8A6C-9850B1E5C2AB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F6A110DE-6630-4823-B892-60950EB9ED71}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8640BFAB-1B85-48CC-95D5-9AABB44E4D95}"= UDP:c:\program files\BillP Studios\WinPatrol\WinPatrol.exe:WinPatrol
"{6CC4A3BE-8F00-4983-B199-3050D54509B8}"= TCP:c:\program files\BillP Studios\WinPatrol\WinPatrol.exe:WinPatrol
"{1EA08720-DA12-4CDE-8A5A-AF15D91C1E5F}"= UDP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{DDDCF108-71DF-48CD-AD53-71D17C3F2C5C}"= TCP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{F98C3B13-2099-40EC-B504-2445C9C5B1B0}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{3DB81CCD-4E96-40B3-8CA9-0089C89C294B}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{918FE1A4-6957-4640-97D9-C85BED212614}"= UDP:c:\program files\Spybot - Search & Destroy\SDUpdate.exe:Update Spybot-S&D
"{877DB07F-9298-486A-BB5B-930AF3A683AA}"= TCP:c:\program files\Spybot - Search & Destroy\SDUpdate.exe:Update Spybot-S&D
"{5A664831-D250-4805-BB75-32612C9742F8}"= UDP:c:\windows\ehome\ehshell.exe:Windows Media Center
"{2A157C0E-5966-4B7E-8D49-178D75EA6009}"= TCP:c:\windows\ehome\ehshell.exe:Windows Media Center

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [5/22/2009 11:06 AM 114768]
R1 FAMv4;FAMv4;c:\windows\System32\drivers\FAMv4.sys [12/14/2007 3:35 PM 132120]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [5/22/2009 11:06 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [5/22/2009 11:06 AM 51792]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [12/30/2007 5:54 PM 21752]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [12/30/2007 5:55 PM 54520]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [12/30/2007 5:54 PM 136440]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/19/2009 10:04 AM 1153368]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\users\Shirley\AppData\Roaming\Mozilla\Firefox\Profiles\j0dqrqc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.us.acer.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 04:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-24 4:55
ComboFix-quarantined-files.txt 2009-05-24 08:55

Pre-Run: 173,756,547,072 bytes free
Post-Run: 173,859,581,952 bytes free

269 --- E O F --- 2009-05-17 10:04

EDIT: nope, quick comparison of the first one, I think it's identical.
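The log above contains the settings a malware-removal helper would look at first: UAC switched off (`"EnableLUA"= 0`), the Windows Firewall standard profile switched off (`"EnableFirewall"= 0`), Security Center monitoring disabled, and a per-user proxy set to `http=localhost:7171`, which routes the account's HTTP traffic through a listener on the machine itself and fits the 80072efd update failure described in the first post. As an added example (not part of the thread and not ComboFix's own code), the following Python script parses the REGEDIT-style sections and the `uInternet Settings` lines of a ComboFix log and flags exactly those entries. The sample log embedded in it is a constructed excerpt modelled on the lines posted above; function names and finding labels are the example's own.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (not the
# original log itself): REGEDIT-style sections plus the "Supplementary Scan"
# Internet Settings lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171
Trusted Zone: microsoft.com\update
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
PROXY_RE = re.compile(r'^[um]Internet Settings,ProxyServer\s*=\s*(.+?)\s*$')
# A proxy entry that points at the local machine, e.g. "http=localhost:7171"
# or "127.0.0.1:8080".
LOCAL_PROXY_RE = re.compile(r'(^|=)(localhost|127\.\d+\.\d+\.\d+)(:\d+)?(;|$)')


def parse_reg_values(text):
    """Yield (key, name, value) for every value printed under a [key] header.

    Keys are lower-cased so comparisons are case-insensitive; ComboFix prints
    some keys in upper case and some in lower case.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            yield current_key, m.group(1), m.group(2)


def reg_value_to_int(value):
    """Turn ComboFix's "0 (0x0)" or "dword:00000001" renderings into an int."""
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', value)
    if m:
        return int(m.group(1))
    m = re.match(r'^dword:([0-9a-fA-F]{8})$', value)
    if m:
        return int(m.group(1), 16)
    return None


def triage(text):
    """Return (finding, detail) pairs for the settings a helper checks first."""
    findings = []
    for key, name, value in parse_reg_values(text):
        n = reg_value_to_int(value)
        if key.endswith(r'policies\system') and name == 'EnableLUA' and n == 0:
            findings.append(('uac_disabled', f'{name}={value}'))
        elif (key.endswith(r'firewallpolicy\standardprofile')
              and name == 'EnableFirewall' and n == 0):
            findings.append(('firewall_disabled', f'{name}={value}'))
        elif (r'security center\monitoring' in key
              and name == 'DisableMonitoring' and n == 1):
            findings.append(('security_center_monitoring_disabled', key))
    # The proxy lines live outside any [key] section, so scan them separately.
    for raw in text.splitlines():
        m = PROXY_RE.match(raw.strip())
        if m:
            proxy = m.group(1)
            kind = 'local_proxy' if LOCAL_PROXY_RE.search(proxy) else 'proxy_set'
            findings.append((kind, proxy))
    return findings


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print(f'{kind:40s} {detail}')
```

Run against the sample it reports the four settings named above. Any proxy entry is reported (`proxy_set`), since a home machine normally has none; one that points at the local host is reported separately (`local_proxy`) because nothing legitimate on this log is listening on port 7171, and a proxy that answers nothing is enough by itself to stop HTTP-based updates.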
  #10  
Old 24th May 2009, 10:38
Malware Group
 
Hi Bubba,

Quote:
EDIT: nope, quick comparison of the first one, I think it's identical.
Yes you are right - that is from the first run of combofix

The current log can be found at C:/combofix.txt.
__________________
Proud member of ASAP & UNITE
Reply


Copyright ©2006 - 2009 Computer Juice.
