Avast WEBforum

Other => Viruses and worms => Topic started by: Maze on July 05, 2007, 01:46:25 PM

Title: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 05, 2007, 01:46:25 PM
I have the fotomoto trojan on my pc. Avast does not find it, but Windows Defender does. Every time it catches it, Win-defender gives me the option to remove, and afterwards tells me the computer is clean. But after every reboot, Fotomoto is still running wild on my pc. Does anyone have a solution? Thanks in advance.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: FreewheelinFrank on July 05, 2007, 03:00:12 PM
Hi Maze,

Fotomoto is possibly a variant of Begin2Search/B2Search/eZula.

First go to Start>Control Panel>Add/Remove Programs and remove this program if found under any of the above names. (It may not be there.)

Then try the usual free adware/spyware scanners.

AVG Anti-Spyware Free (http://www.ewido.net/en/product/) (Requires Win2k/XP)
Ad-Aware Free (http://www.download.com/3000-2144-10045910.html)
Spybot Search & Destroy (http://www.safer-networking.org/en/download/index.html)
SUPERAntiSpyware Free (http://www.superantispyware.com/)
a-Squared Free (http://www.emsisoft.com/en/software/free/)

Download, install and update all the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode (http://www.pchell.com/support/safemode.shtml) if possible.

If still having problems, post a HijackThis! log (http://www.bleepingcomputer.com/tutorials/tutorial42.html).
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: DavidR on July 05, 2007, 03:45:34 PM
Before dealing with it, if you know the file name and location, send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 05, 2007, 04:27:21 PM
Thanks both of you. I will perform the recommendations you both mentioned above, one by one, and then post a reply later today.
Avast also detects "Win32:Agent-ISI[Trj]" and "Win32:VBStat-C[Trj]". I was going to search the threads and start a new one if these haven't been discussed already. Just mentioning in case these will also be solved by the above process or are related. I have been moving the files to chest, but these keep coming back.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Rafel on July 05, 2007, 04:30:39 PM
You must uncheck system restore.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: DavidR on July 05, 2007, 05:11:07 PM
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

This is likely to be of more help to us than the malware name alone.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Lisandro on July 06, 2007, 03:57:55 AM
But these keep coming back.
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2. Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (beware of false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you are still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

6. Also, if you are still detecting strange behaviors or you want to be sure you're clean, making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning and submitting the RunScanner (http://www.runscanner.net/) log to on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 07, 2007, 09:52:12 PM
Hi guys,
Unfortunately I wasn't aware of unchecking System Restore, and ran scans for the last two days in safe mode with the internet unplugged. I just logged back in normally with the internet on, and I am back to square one. Would you suggest I redo everything with System Restore turned off? (I just turned it off.)

Question: I currently have Avast, Windows Defender and Spybot Search and Destroy installed. Would it conflict if I install more anti-spyware like "AVG Antispyware" that you guys have recommended? If so, should all the programs run scans simultaneously or one by one? Is there any particular order that is most effective? Also, in safe mode Avast sensitivity was disabled (even though I tried changing it to high); is that normal, or is avast infected?

I have noted down the results of the scans and the file names and locations (pasted below). It was 3 pages in Word, so it's long. Hopefully the information you all will need is in here. I will wait for a reply and then install more anti-spyware and redo the scans with System Restore turned off.

=====================================

Below steps were performed in Safe mode with the internet connection turned off but after updating Spybot Search and Destroy, Windows Defender and Avast to the latest version.
Step1: Spybot scan results
Step2: Windows Defender scan results
Step3: Avast Thorough scan results
Step4: Avast activity after first normal boot.
-----------------------------------------------
Step I. Ran “Spybot Search and Destroy 1.2”
Results:
1)Mediaplex: Tracking cookie or cookie of tracking site
File: Mediaplex[1].txt in documents and settings
2,3,4) Windows Media Player (WMP) Registry change

I tried fixing the Mediaplex and left the WMP registry change as it is. A warning message came up saying
“Some problems couldn’t be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May SpyBot-S&D run on your next system startup?”     -       I clicked “Yes”.
I have been through this process before with Mediaplex and Spybot, but it keeps coming back every time.

Note: Spybot did not find Fotomoto
--------------------------------------

Step II. Full System scan with “Windows Defender”
Results:
Trojan: Win32/Fotomoto.A (Alert Level: Severe)
Category:
Trojan

Description:
This program is dangerous and can hide programs or bypass security.

Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1382\A0234026.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233839.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233798.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1378\A0233710.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1376\A0233657.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1375\A0233549.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233439.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1372\A0233336.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1371\A0233244.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1369\A0233166.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1368\A0233087.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1367\A0233067.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1366\A0232958.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1364\A0232853.exe

I am not sure how to find these files and send them to you. I tried opening avast to try and save them to chest, but the chest did not open in safe mode. Hence I quarantined fotomoto using Windows Defender. Again, I have done this before. It keeps coming back.

Upon checking with Software Explorer that comes with Windows Defender, I found a program “jusched.exe” running. The following is the information that was available. Should this be disabled?
File Name: jusched.exe
Display Name: jusched.exe
Description: Not Available
Publisher: Not Available
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
File Path: C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
File Size: 32881
File Version: Not Available
Date Installed: 2/22/2068 11:44:46 PM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Permitted
Ships with Operating System: No
--------------------------------------------------------

Step III: Avast Version 4.7 Home Edition Thorough Scan
Note: Resident sensitivity for avast keeps resetting from high to disabled??

Scan results:
1) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233532.dll
Malware name: Win32:BHO-ES[Trj] (deleted by avast)
2) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233533.exe
Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
3) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233534.exe\[Embedded#0eb0]
Malware name: Win32:Zlob-ZL [Trj] (deleted by avast)
4) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233535.exe
Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
5) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233536.dll
Malware name: Win32:BHO-EP [Trj] (deleted by avast)
6) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233537.exe
Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
7) File name: c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233538.exe
Malware name: Win32:Agent-HZS [Trj] (deleted by avast)
8) File name: c:\WINDOWS\Temp\0lebapmc.TMP\WEDDINGC.AVI
Avast Result: Unable to scan: the file is a decompression bomb
9) File name: c:\WINDOWS\Temp\9bb1ut1z.TMP\WEDDING.AVI
Avast Result: Unable to scan: the file is a decompression bomb
Malware Type: Trojan Horse
VPS version:     000754-3, 07/06/2007
10)   whole bunch of user@servedby.advertising[1].txt & user@advertising[1].txt

Action Taken: Permanently deleted the above files since chest was not working in safe mode.

Step IV:
Logged back into Windows XP Pro – Normal boot (internet connected)
Avast detected the following Trojans

File name:   DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe\[PECompact]
Malware name: Win32:Agent-ISI [Trj]
Malware type:     Trojan Horse
VPS Version:      000754-4, 07/06/2007
Action taken: File moved to chest

File name:   C:\WINDOWS\SYSTEM32\DKXSKSOR.DLL
File name:   C:\DOCUME~1\Family\LOCALS~1\Temp\seokwdqy.dll
Malware name: Win32:Virtumonde-BA [Adw]
Malware type:     Adware
VPS Version:      000754-4, 07/06/2007
Action taken: 000754-4, 07/06/2007

File name:   C:\DOCUME~1\Family\LOCALS~1\Temp\yxygbfdk.dll
Malware name: Win32:VBStat-C [Trj]
Malware type:     Trojan Horse
VPS Version:      000754-4, 07/06/2007
Action taken: File moved to chest

Thanks for the help.
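The detections listed in this post fall into two kinds: copies held inside System Restore points (the `_restore{...}\RPnnnn\` paths, which scanners keep finding until System Restore is switched off, as the earlier replies advise) and files in live locations such as `Temp` and `system32`. The following Python triage script is an added example, not code from the thread or from any of the tools it names; it parses the two log layouts quoted above (Windows Defender's `file:` lines and avast's `File name:` lines), strips avast's packer/archive member suffixes, and separates restore-point copies from live detections. The sample log is constructed from the paths quoted in this post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Restore-point layout as it appears in the thread's scan output:
#   <drive>:\System Volume Information\_restore{GUID}\RPnnnn\Annnnnnnn.ext
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\",
    re.IGNORECASE,
)
# avast appends the scanned archive/packer member in brackets, e.g.
#   ...\A0233534.exe\[Embedded#0eb0]   or   ...\kfquukys.exe\[PECompact]
MEMBER_RE = re.compile(r"\\\[(?P<member>[^\]]+)\]$")
# avast export line: "File name:   <path>", optionally prefixed with "1)"
AVAST_LINE_RE = re.compile(r"^(?:\d+\)\s*)?file name:\s*(?P<path>.+)$", re.IGNORECASE)


@dataclass
class Detection:
    path: str                     # on-disk path, packer/archive member stripped
    member: Optional[str]         # e.g. "PECompact" or "Embedded#0eb0"
    location: str                 # "restore-point", "temp", "system" or "other"
    restore_point: Optional[int]  # RP number when the copy lives in a restore point


def classify(raw_path: str) -> Detection:
    """Split off any packer member and decide where on disk the detection lives."""
    member = None
    m = MEMBER_RE.search(raw_path)
    if m:
        member = m.group("member")
        raw_path = raw_path[: m.start()]
    low = raw_path.lower()
    rp = RESTORE_RE.match(low)
    if rp:
        # Dormant copy kept by System Restore: scanners keep finding it until
        # System Restore is disabled, which is why the detections "come back".
        return Detection(raw_path, member, "restore-point", int(rp.group("rp")))
    if "\\temp\\" in low:
        return Detection(raw_path, member, "temp", None)
    if "\\windows\\system32\\" in low:
        return Detection(raw_path, member, "system", None)
    return Detection(raw_path, member, "other", None)


def extract_paths(log_text: str) -> list:
    """Pull detected file paths out of the two log layouts quoted in the thread."""
    paths = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, ln in enumerate(lines):
        m = AVAST_LINE_RE.match(ln)
        if m:
            paths.append(m.group("path").strip())
        # Windows Defender layout: "file:" on one line, the path on the next
        elif ln.lower() == "file:" and i + 1 < len(lines) and lines[i + 1]:
            paths.append(lines[i + 1])
    return paths


def summarize(log_text: str) -> dict:
    """Count detections per location and list the live (non-restore-point) files."""
    dets = [classify(p) for p in extract_paths(log_text)]
    return {
        "total": len(dets),
        "by_location": dict(Counter(d.location for d in dets)),
        "restore_points": sorted({d.restore_point for d in dets if d.restore_point is not None}),
        "live": [d.path for d in dets if d.location != "restore-point"],
    }


# Constructed sample: a mix of the Defender and avast lines quoted in the post above.
SAMPLE_LOG = r"""
file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1382\A0234026.exe

file:
C:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1379\A0233839.exe

1)   File name:   c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233532.dll
Malware name: Win32:BHO-ES[Trj]
3)   File name:   c:\System Volume Information\_restore{3AC556E8-4D1E-451F-AB89-281471EC0853}\RP1373\A0233534.exe\[Embedded#0eb0]
Malware name: Win32:Zlob-ZL [Trj]
File name:   DOCUME~1\Family\LOCALS~1\Temp\kfquukys.exe\[PECompact]
Malware name: Win32:Agent-ISI [Trj]
File name:   C:\WINDOWS\SYSTEM32\DKXSKSOR.DLL
File name:   C:\DOCUME~1\Family\LOCALS~1\Temp\seokwdqy.dll
Malware name: Win32:Virtumonde-BA [Adw]
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} detections: {report['by_location']}")
    print("restore points involved:", report["restore_points"])
    for p in report["live"]:
        print("live file:", p)
```

Only the entries under "live" point at files that are actually loaded on the running system; the restore-point copies disappear once System Restore is disabled and the old points are purged.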
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Rafel on July 07, 2007, 10:55:05 PM
You can install AVG Anti-Spyware Free and SuperAntiSpyware for on-demand scanning. You'll have no problems.
You may redo it all with System Restore unchecked.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 07, 2007, 11:08:37 PM
If those don't solve the problem try this:

Download ATF Cleaner from here

http://www.atribune.org/content/view/25/2/

It does not need to be installed - just download it to your desktop and double click to run it.  The directions are on the page I linked to but, instead of leaving all options checked I would un-check the Prefetch option.


After running ATF Cleaner download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
 
Double click combofix.exe and follow the prompts.
 
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
 
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


When Combofix has finished run HijackThis and post the log.

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 08, 2007, 09:38:37 PM
Hi everyone,
Thanks for all the help and I have done everything or almost everything you all recommended.

1) Checked for unknown problems in Add/Remove Programs - did not find any
2) Disabled system restore
3) Updated all antivirus programs and plugged off the internet
4) Restarted in Safe Mode
5) Ran and cleaned Temporary Files using both Windows Advanced Care and ATF Cleaner
6) Ran Avast (it hung after 3 hours of scanning, so although the scan was over, action could not be taken)
7) Ran AVG Anti-Spyware simultaneously and fixed/quarantined problems
8) Ran SuperAntiSpyware simultaneously and fixed/quarantined problems
9) Ran Anti-rootkit applications AVG and Panda (panda shut down without working)
10) Ran Spybot Search and Destroy - found 3 Windows Media Player registry changes; I assumed they are OK? (Mediaplex[1].txt did not show up this time)
11) Immunized using Spybot, did not find an "immunization option in Windows Advanced Care"
12) Ran Combofix and saved log (will paste below)
13) Tried running Secunia Software Inspector from the site, but Java did not load.
14) Ran HijackThis and saved log (will post below)
15) Ran Runscanner and saved log (will post below)

I have been online for 30min, till now nothing has popped up.
Since there are 3 logs and they are long, I will post them as 3 separate posts in the following order:
HijackThis log
RunScanner log
Combofix log

Thanks for all the help; do recommend any fixes that need to be made according to the HijackThis, RunScanner and ComboFix logs.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 08, 2007, 09:42:57 PM
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:13 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed Utilities\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
E:\Program Files\Anti Virus\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
E:\Program Files\Anti Virus\Avast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe
E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
E:\Program Files\Utilities\Quicktime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet\Mozilla\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Anti Virus\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://officeupdate.microsoft.com/outlook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Internet\Logitech WebCam\ISStart.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - E:\Program Files\Utilities\PDFill\\DownloadPDF.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.21/uploader2.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {611627F1-D9A5-4235-958E-618E483BF8E7} (AutoUploader Class) - http://www.splashbulb.com/uploader/lib/uploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

--
End of file - 7798 bytes

Next post: Runscanner log
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 08, 2007, 09:47:51 PM
Runscanner log

Runscanner logfile http://www.runscanner.net

000 General info
----------------
Computer name : HOMEUSER
Type of scan : Full scan
RunScanner Version : 0.9.0.0
Creation time : 7/8/2007 3:27:21 PM
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : English (United States)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* e:\program files\anti virus\avast\aswupdsv.exe (ALWIL Software)
* e:\program files\anti virus\avast\ashserv.exe (ALWIL Software)
* e:\program files\anti virus\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.)
c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
* c:\program files\siteadvisor\6066\saservice.exe (McAfee, Inc.)
* e:\program files\anti virus\avast\ashmaisv.exe (ALWIL Software)
* e:\program files\anti virus\avast\ashwebsv.exe (ALWIL Software)
c:\program files\java\j2re1.4.2_04\bin\jusched.exe
e:\program files\internet\logitech webcam\logitray.exe (Logitech Inc.)
* c:\program files\common files\aol\1141834038\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
e:\program files\utilities\itunes&quicktime\ituneshelper.exe (Apple Computer, Inc.)
* e:\progra~1\antivi~1\avast\ashdisp.exe (ALWIL Software)
e:\program files\utilities\quicktime\qttask.exe (Apple Computer, Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Company)
c:\program files\ipod\bin\ipodservice.exe (Apple Computer, Inc.)
c:\program files\olympus\devicedetector\devdtct2.exe (OLYMPUS Corporation.)
c:\program files\palmone\hotsync.exe (PalmSource, Inc)
c:\windows\system32\lvcoms.exe (Logitech Inc.)
c:\program files\hp\digital imaging\bin\hpqgalry.exe (Hewlett-Packard Co.)
* e:\program files\internet\mozilla\firefox.exe (Mozilla Corporation)
* c:\program files\siteadvisor\6066\siteadv.exe (McAfee, Inc.)
* e:\program files\anti virus\hijackthis\hijackthis.exe (Trend Micro Inc.)
e:\program files\anti virus\runscanner.exe (Runscanner.net)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\nwiz.exe (NVIDIA Corporation)
e:\program files\internet\logitech webcam\logitray.exe (Logitech Inc.)
e:\program files\internet\logitech webcam\isstart.exe (Logitech Inc.)
* c:\program files\common files\aol\1141834038\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\real\update_ob\realsched.exe (RealNetworks, Inc.)
e:\program files\utilities\itunes&quicktime\ituneshelper.exe (Apple Computer, Inc.)
* e:\progra~1\antivi~1\avast\ashdisp.exe (ALWIL Software)
e:\program files\utilities\quicktime\qttask.exe (Apple Computer, Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Company)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
- e:\program files\utilities\foldershare\foldershare.exe

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)
c:\progra~1\olympus\device~1\devdtct2.exe (OLYMPUS Corporation.)
c:\progra~1\palmone\hotsync.exe (PalmSource, Inc)
c:\progra~1\hp\digita~1\bin\hpqthb08.exe (Hewlett-Packard Co.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* e:\program files\anti virus\avast\aswupdsv.exe (avast! iAVS4 Control Service)
* e:\program files\anti virus\avast\ashserv.exe (avast! Antivirus)
* e:\program files\anti virus\avast\ashmaisv.exe (avast! Mail Scanner)
* e:\program files\anti virus\avast\ashwebsv.exe (avast! Web Scanner)
* e:\program files\anti virus\avg anti-spyware 7.5\guard.exe (AVG Anti-Spyware Guard)
c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager)
c:\program files\ipod\bin\ipodservice.exe (iPodService)
C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service)
c:\windows\system32\hpzipm12.exe (Pml Driver HPZ12)
* c:\program files\siteadvisor\6066\saservice.exe (SiteAdvisor Service)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Audio Noise Cancellation Driver)
C:\WINDOWS\system32\drivers\avgarkt.sys (AVG Anti-Rootkit)
* e:\program files\anti virus\avg anti-spyware 7.5\guard.sys (AVG Anti-Spyware Driver)
C:\WINDOWS\system32\drivers\avgarcln.sys (Avg Anti-Rootkit Clean Driver)
* C:\WINDOWS\system32\drivers\avgascln.sys (AVG Anti-Spyware Clean Driver)
- c:\docume~1\family\locals~1\temp\catchme.sys (Base)
C:\WINDOWS\system32\drivers\sqcaptur.sys (Dual-Mode DSC(2770))
C:\WINDOWS\system32\drivers\dvdriver.sys (DVdriver)
C:\WINDOWS\system32\drivers\el2k_xp.sys (3Com 3C2000x EtherLink XL Adapter)
* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)
* C:\WINDOWS\system32\drivers\hpzid412.sys (IEEE-1284.4 Driver HPZid412)
* C:\WINDOWS\system32\drivers\hpzipr12.sys (Print Class Driver for IEEE-1284.4 HPZipr12)
* C:\WINDOWS\system32\drivers\hpzius12.sys (USB to IEEE-1284.4 Translation Driver HPZius12)
* C:\WINDOWS\system32\drivers\icrecusb.sys (IC Recorder Driver)
C:\WINDOWS\system32\drivers\intelc51.sys (Driver executs DSP proccessing)
C:\WINDOWS\system32\drivers\intelc52.sys (Intel(R) 537 Data Fax Voice V.92 Modem)
C:\WINDOWS\system32\drivers\intelc53.sys (Driver executs AFE proccessing)
- c:\docume~1\family\locals~1\temp\jgameenp.sys (jgameenp)
- c:\windows\system32\drivers\fw220.sys (McAfee Firewall Network Filter Miniport)
C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
* C:\WINDOWS\system32\drivers\palmusbd.sys (USB Driver for Palm OS Handheld Devices)
C:\WINDOWS\system32\drivers\camdrl21.sys (Logitech QuickCam Pro 3000(PID_08B0))
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
e:\program files\anti virus\superantispyware\sasdifsv.sys (SASDIFSV)
e:\program files\anti virus\superantispyware\sasenum.sys (SASENUM)
e:\program files\anti virus\superantispyware\saskutil.sys (SASKUTIL)
C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\silvrlnk.sys (Texas Instruments SilverLink (USB GraphLink) Cable)
* C:\WINDOWS\system32\drivers\smwdm.sys (SoundMAX Integrated Digital Audio)
C:\WINDOWS\system32\drivers\sscdbus.sys (SAMSUNG USB Composite Device driver (WDM))
C:\WINDOWS\system32\drivers\viaraid.sys (SCSI Miniport)
C:\WINDOWS\system32\drivers\vnusb.sys (VN Series Device)
- c:\windows\system32\drivers\wanatw4.sys (WAN Miniport (ATW))
- f:\winio.sys (WINIO)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
* c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {3A5DC592-7723-4EAA-9EE6-AF4222BCF879}

ComboFix Log will continue in next post since it exceeds max char limit
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 08, 2007, 09:51:22 PM
Sorry - I meant Runscanner log continues here:

035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
-------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
----------------------------------------------------------------
About:Home

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {0BF43445-2F28-4351-9252-17FE6E806AA0}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
e:\program files\utilities\pdfill\\downloadpdf.exe (PlotSoft LLC) {FB858B22-55E2-413f-87F5-30ADC5552151}

050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
-----------------------------------------------------------------------------
* e:\program files\anti virus\avg anti-spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.) {57B86673-276A-48B2-BAE7-C6DBB3020EB8}
e:\program files\anti virus\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
* c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\program files\siteadvisor\6066\siteadv.dll (McAfee, Inc.) {089FD14D-132B-48FC-8861-0048AE113215}

061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
----------------------------------------------------------------------------
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
e:\program files\internet\logitech webcam\namespc2.dll (Logitech Inc.) {400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}
c:\program files\real\realplayer\rpshell.dll (RealNetworks, Inc.) {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
* c:\program files\microsoft office\visio11\visshe.dll {506F4668-F13E-4AA1-BB04-B43203AB3CC0}
* c:\program files\microsoft office\visio11\visshe.dll {D66DC78C-4F61-447F-942B-3FB6980118CF}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
e:\program files\utilities\itunes&quicktime\itunesminiplayer.dll (Apple Computer, Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
* e:\program files\anti virus\avast\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}

062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
autocheck autochk *

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
e:\program files\anti virus\superantispyware\saswinlo.dll (SUPERAntiSpyware.com)
-

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\custmon2k.dll
* C:\WINDOWS\system32\hpzlnt10.dll (HP)

073 %windir%\Tasks
------------------
c:\windows\tasks\mp scheduled scan.job

100 Internet Explorer settings
------------------------------
Start Page HKCU : www.bbc.co.uk
Start Page HKLM : about:blank
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
ShellNext HKCU : http://officeupdate.microsoft.com/outlook

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
c:\windows\downloaded program files\yinsthelper.dll (Yahoo! Inc.) {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
* c:\windows\downloaded program files\uploaderx.dll {474F00F5-3853-492C-AC3A-476512BBC336}
c:\windows\downloaded program files\uploader.dll {611627F1-D9A5-4235-958E-618E483BF8E7}
c:\program files\java\j2re1.4.2_04\bin\npjpi142_04.dll (JavaSoft / Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
c:\program files\java\j2re1.4.2_04\bin\npjpi142_04.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
* c:\windows\system32\macromed\flash\flash9b.ocx (Adobe Systems, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000}

106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL
------------------------------------------------------
Default : http://
ftp : ftp://
gopher : gopher://
home : http://
mosaic : http://
www : http://

147 HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
-----------------------------------------------------------------------------
C:\WINDOWS\system32\zwebauth.dll

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* e:\program files\anti virus\avast\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* e:\program files\anti virus\avg anti-spyware 7.5\context.dll (GRISOFT s.r.o.) {8934FCEF-F5B8-468f-951F-78A921CD3920}

180 FileType Hijacking
----------------------
HKEY_CLASSES_ROOT batfile : "%1" %*
HKEY_CLASSES_ROOT cmdfile : "%1" %*
HKEY_CLASSES_ROOT comfile : "%1" %*
HKEY_CLASSES_ROOT exefile : "%1" %*
HKEY_CLASSES_ROOT htafile : C:\WINDOWS\system32\mshta.exe "%1" %*
HKEY_CLASSES_ROOT piffile : "%1" %*
HKEY_CLASSES_ROOT scrfile : "%1" /S

Next post: ComboFix log
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 08, 2007, 09:58:07 PM
ComboFix Log

"Mr.C!" - 2007-07-08 14:45:21 - ComboFix 07-07-07.3 - Service Pack 2 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\#SharedObjects\8FSAHFWA\www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Family\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Family\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\zxdnt3d.cfg


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((   Files Created from 2007-06-08 to 2007-07-08  )))))))))))))))))))))))))))))))


2007-07-08 14:44   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-08 14:30   8,704   --a------   C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
2007-07-08 11:18   <DIR>   d--------   C:\DOCUME~1\Family\Pavark
2007-07-07 17:59   <DIR>   d--------   C:\HijackThis
2007-07-07 17:51   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-07 17:42   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 17:41   <DIR>   d--------   C:\DOCUME~1\Family\APPLIC~1\SUPERAntiSpyware.com
2007-07-07 17:40   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 17:30   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-19 22:43   <DIR>   d--------   C:\DOCUME~1\Jiggy\APPLIC~1\SiteAdvisor
2007-06-11 12:20   <DIR>   d--------   C:\DOCUME~1\User\APPLIC~1\SiteAdvisor
2007-06-11 09:49   73,216   --a------   C:\WINDOWS\system32\avwav.dll
2007-06-11 09:49   56,832   --a------   C:\WINDOWS\system32\sol.exe
2007-06-11 09:49   55,296   --a------   C:\WINDOWS\system32\freecell.exe
2007-06-11 09:49   5,632   --a------   C:\WINDOWS\system32\write.exe
2007-06-11 09:49   44,544   --a------   C:\WINDOWS\system32\hticons.dll
2007-06-11 09:49   35,328   --a------   C:\WINDOWS\system32\winchat.exe
2007-06-11 09:49   31,744   --a------   C:\WINDOWS\system32\fxsroute.dll
2007-06-11 09:49   227,840   --a------   C:\WINDOWS\system32\avtapi.dll
2007-06-11 09:49   16,384   --a------   C:\WINDOWS\system32\avmeter.dll
2007-06-11 09:49   138,752   --a------   C:\WINDOWS\system32\sndvol32.exe
2007-06-11 09:49   132,608   --a------   C:\WINDOWS\system32\fxsclntR.dll
2007-06-11 09:49   126,976   --a------   C:\WINDOWS\system32\mshearts.exe
2007-06-11 09:49   119,808   --a------   C:\WINDOWS\system32\winmine.exe
2007-06-11 09:49   114,688   --a------   C:\WINDOWS\system32\calc.exe
2007-06-11 09:49   111,104   --a------   C:\WINDOWS\system32\fxscfgwz.dll
2007-06-11 09:49   11,264   --a------   C:\WINDOWS\system32\fxssend.exe
2007-06-11 09:49   <DIR>   d--------   C:\WINDOWS\system32\FxsTmp
2007-06-08 18:23   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2007-06-08 18:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
2007-06-08 18:13   17,176   ---------   C:\WINDOWS\hpomdl04.dat
2007-06-08 18:13   104,549   --a------   C:\WINDOWS\hpoins04.dat
2007-06-08 15:50   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-06-08 14:41   <DIR>   d--------   C:\Program Files\Common Files\HP
2007-06-08 14:26   <DIR>   d--------   C:\temp\HP_WebRelease


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 19:00:11   1,844,926   --sh--w   C:\WINDOWS\system32\rqtss.bak2
2007-06-16 19:31:56   --------   d-----w   C:\Program Files\PERRLA
2007-06-11 13:49:21   --------   d-----w   C:\Program Files\Windows NT
2007-06-08 22:23:35   --------   d-----w   C:\Program Files\HP
2007-06-07 11:17:14   --------   d-----w   C:\Program Files\HighMAT CD Writing Wizard
2007-06-04 02:56:24   --------   d-----w   C:\DOCUME~1\Family\APPLIC~1\SiteAdvisor
2007-06-04 02:49:53   --------   d-----w   C:\Program Files\SiteAdvisor
2007-06-04 01:52:39   --------   d-----w   C:\Program Files\Installed Utilities
2007-06-03 16:26:56   --------   d-----w   C:\Program Files\Real
2007-06-02 20:05:47   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-06-02 20:02:21   --------   d-----w   C:\DOCUME~1\Family\APPLIC~1\Symantec
2007-06-02 18:07:42   1,583,854   --sh--w   C:\WINDOWS\system32\rqtss.bak1
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 16:53:49   11,029   ----a-w   C:\WINDOWS\mozver.dat
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08   62080   --a------   C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
2007-03-30 11:41   1099304   --a------   C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"nwiz"="nwiz.exe" [2003-06-18 01:31 C:\WINDOWS\system32\nwiz.exe]
"LogitechVideoTray"="E:\Program Files\Internet\Logitech WebCam\LogiTray.exe" [2003-08-29 15:20]
"LogitechVideoRepair"="E:\Program Files\Internet\Logitech WebCam\ISStart.exe" [2003-08-29 15:17]
"HostManager"="C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe" [2005-11-02 23:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-25 20:53]
"iTunesHelper"="E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe" [2006-06-14 16:24]
"avast!"="E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe" [2007-04-30 11:42]
"QuickTime Task"="E:\Program Files\Utilities\Quicktime\qttask.exe" [2007-02-16 10:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"FolderShare"="E:\Program Files\Utilities\FolderShare\FolderShare.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-07-08 18:29:47  C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

**************************************************************************

Completion time: 2007-07-08 14:51:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-08 14:51

   --- E O F ---


Thanks Again.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 08, 2007, 10:15:15 PM
One more - ComboFix Quarantined Files:

2003-08-13 12:08      135168    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2003-08-13 12:08      36864    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2006-06-27 10:39      767    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Family\Desktop\Internet Explorer.lnk.vir
2007-04-01 14:05      89    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Family\APPLIC~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol.vir
2007-06-02 16:00      21    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2007-07-08 14:47      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-08 14:47      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf


Folder PATH listing
Volume serial number is 70BA-881B
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   \---Family
    |   |       +---APPLIC~1
    |   |       |   \---Macromedia
    |   |       |       \---Flash Player
    |   |       |           \---macromedia.com
    |   |       |               \---support
    |   |       |                   \---flashplayer
    |   |       |                       \---sys
    |   |       |                           \---#www.broadcaster.com
    |   |       |                                   settings.sol.vir
    |   |       |                                   
    |   |       \---Desktop
    |   |               Internet Explorer.lnk.vir
    |   |               
    |   \---WINDOWS
    |       \---system32
    |               packet.dll.vir
    |               wpcap.dll.vir
    |               zxdnt3d.cfg.vir
    |               
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.cf
            services_DomainService.reg.cf
           
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 08, 2007, 10:39:48 PM
You have some very old, exploitable Java on this computer.

There is an uninstaller for Microsoft Java here

http://www.softpedia.com/get/System/System-Miscellaneous/MSJVM-Removal-Tool.shtml

You will see all sorts of warnings that once uninstalled you can't go back.  It's best disposed of and replaced by the current Sun Java which you can download from

http://filehippo.com/download_java_runtime/

Once you've installed this, open Add/Remove Programs in the Control Panel and uninstall any older versions of Java you find (particularly 1.4.2).  You will need this step because neither the MS uninstaller nor the Sun update will remove these versions.


After you're finished with that, upload this file to Virus Total (http://www.virustotal.com/en/indexf.html) and post the analysis results.

C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys


Now open HJT again and click to do a System Scan Only.  Place a check mark next to these lines

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)


Close all other windows, including your browser, and click Fix Checked.  Close HJT when that's complete.

You seem to either be in the middle of installing a program called Narrator or the installation hung.  Are you aware of the program?  Has the installation completed successfully?
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 01:55:29 AM
Hi Mauserme,
The only Narrator I am aware of is the MS text-to-speech program. I probably did check it out when I first installed XP, but never after that. Is there a way to stop it if it's still installing?

Also, one other recent pop-up that came up was that of a program called "Magic Folders". It's basically a program that hides folders. I tried the program during the trial period. I have been trying to uninstall it, but it gives me an error saying "try after disabling Spyagent monitoring". Upon googling Spyagent and reading up on their site, it's software that actually saves keystrokes and has a remote monitoring option. That is even worse than viruses and trojans. Are there any processes that can be stopped through Hijackthis to prevent Spyagent or disable it? I have searched high and low on my computer but have been unable to track it down.

As per your suggestion, posting report from Virus Total: (thanks)
C:\WINDOWS\system32\drivers\njyoxcnhlwus.sys
==========
Complete scanning result of "njyoxcnhlwus.sys", received in VirusTotal at 07.09.2007, 01:02:13 (CET).
Antivirus   Version   Update   Result
AhnLab-V3         2007.7.7.0   07.06.2007   no virus found
AntiVir                     7.4.0.39        07.08.2007   no virus found
Authentium          4.93.8             07.07.2007   no virus found
Avast                     4.7.997.0      07.08.2007   no virus found
AVG                     7.5.0.476      07.08.2007   no virus found
BitDefender            7.2               07.09.2007   no virus found
CAT-QuickHeal         9.00             07.07.2007   no virus found
ClamAV                   devel-20070416   07.08.2007   no virus found
DrWeb                   4.33              07.08.2007   no virus found
eSafe                  7.0.15.0              07.08.2007   no virus found
eTrust-Vet        30.8.3769            07.07.2007   no virus found
Ewido                   4.0                 07.08.2007   no virus found
FileAdvisor            1                07.09.2007   no virus found
Fortinet           2.91.0.0                07.09.2007   no virus found
F-Prot                   4.3.2.48     07.06.2007   no virus found
Ikarus                   T3.1.1.8     07.08.2007   no virus found
Kaspersky               4.0.2.24   07.08.2007   no virus found
McAfee                  5069            07.06.2007   no virus found
Microsoft                1.2704          07.09.2007   no virus found
NOD32v2                  2384          07.08.2007   no virus found
Norman                   5.80.02          07.06.2007   no virus found
Panda                       9.0.0.4   07.08.2007   no virus found
Sophos                     4.19.0        07.06.2007   no virus found
Sunbelt                     2.2.907.0        07.07.2007   no virus found
Symantec                 10            07.08.2007   no virus found
TheHacker                 6.1.6.143   07.05.2007   no virus found
VBA32                       3.12.0.2       07.08.2007   no virus found
VirusBuster                4.3.23:9      07.08.2007   no virus found
Webwasher-Gateway   6.0.1        07.08.2007   no virus found
Aditional Information
File size: 8704 bytes
MD5: 34d44edd829476e085f5c22ac9dfe315
SHA1: 409f8e1239c67925b4f7d137af35a30ddb40235a

===============
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 09, 2007, 06:00:39 AM
Click Start and open Control Panel>Administrative Tools>Services.  Scroll down the list to Narrator and double click it.  In the window that opens click the Stop button.  Then, just above the Stop button, drop down the Start Up Type and choose Disabled.  Click OK and close the Services, Administrative Tools, and Control Panel windows.

Now open HJT, place a check next to these lines, and fix them after closing all other windows

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')




I don't see Spyagent on the HJT log so let's try something different.

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


I would also like you to download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe)  by OldTimer.  Save it to your desktop but don't do anything with it just yet.   

Do you recall how long ago you installed Magic Folders/Spyagent?
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 05:43:07 PM
Narrator is not in the “Services” List within Administrative Tools. Could I still go ahead and use HJT to fix the Narrator service or does something else have to be done before?

Magic Folders Uninstallation/Spyagent Error
As of July 9, 2007 I have exceeded the “Magic Folders” evaluation period by 227 days. So a total of 257 days. I installed it, checked it out, but then completely forgot about it, until all this came up.
This is my personal computer, but I do a lot of work-related stuff on it too. So I would never install something like Spyagent on this. I became aware of it when I tried uninstalling Magic Folders and the Magic Folders uninstallation conflicted with SpyAgent. So I contacted Spytech technical support and in reply to my query they emailed the following:
“If you do not see the program installed in either of folders , it is likely that the program magic folders, gives false positive & spyagent is not actually there.
SpyAgent Stealth Install Directory: c:/program files/sysconfig
Default non-stealth Install Directory:
c:/program files/spytech software/spytech spyagent”
These folders were not in the computer, unless they are masked in some way. Hence I searched the MagicFolders FAQs and, as per their instruction, re-installed mfx.exe and retried without effect. I have sent an email out to their helpdesk, but no reply yet. Also I do not know how to deal with false positives if it is one. But I am really concerned about a keystroke capturing program like SpyAgent being installed on my computer. That could be quite disastrous.

Winpfind3u log will follow in the next few posts. Its big, so am dividing it up as you suggested.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 05:45:08 PM
Winp3u log:

WinPFind3 logfile created on: 7/9/2007 11:30:11 AM
WinPFind3U by OldTimer - Version 1.0.39   Folder = E:\Program Files\Anti Virus\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1022.73 Mb Total Physical Memory | 614.86 Mb Available Physical Memory | 60.12% Memory free
2.40 Gb Paging File | 2.10 Gb Available in Paging File | 87.52% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 15.24 Gb Free Space | 52.04% Space Free
Drive D: | 29.29 Gb Total Space | 4.20 Gb Free Space | 14.33% Space Free
Drive E: | 53.19 Gb Total Space | 14.00 Gb Free Space | 26.32% Space Free
F: Drive not present or media not loaded

Computer Name: HOMEUSER
Current User Name: Mr.C!
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aolsoftware.exe -> %CommonProgramFiles%\AOL\1141834038\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.9.1 | Size = 50792 bytes | Modified Date = 11/2/2005 11:01:14 PM | Attr =    ]
ashdisp.exe -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
ashmaisv.exe -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
ashserv.exe -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
ashwebsv.exe -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
aswupdsv.exe -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
devdtct2.exe -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
firefox.exe -> E:\Program Files\Internet\Mozilla\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.4: 2007051502 | Size = 7637104 bytes | Modified Date = 5/15/2007 3:33:24 PM | Attr =    ]
guard.exe -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
hotsync.exe -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
ituneshelper.exe -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
jusched.exe -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
logitray.exe -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
lvcoms.exe -> %System32%\LVComS.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 135214 bytes | Modified Date = 8/29/2003 2:44:50 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
qttask.exe -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
saservice.exe -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]
winpfind3u.exe -> E:\Program Files\Anti Virus\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =    ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =    ]
(SiteAdvisor Service) SiteAdvisor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]

Winp3u log will continue in next post
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 05:55:09 PM
Hi Mauseme,

Additional scans: the "check list" in your post wasn't visible, so I had to select all. The log generated is huge; it's going to take at least 25-30 posts, and it may be more helpful and shorter if you could repost the check marks I have to make in the Winp3u log (it shows up as <list of options> in your previous post); otherwise I will post the entire log. There is no way to upload a text file in here, is there?

Thanks!
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 05:57:21 PM
Also, in Winp3u, should I select files created within the last 30, 60, or 90 days, or none? Sorry, just trying to narrow this down to make a concise list.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 09, 2007, 06:31:38 PM
Well, it would be nice if I gave you all the information you need ...

These settings should be fine:

(http://img65.imageshack.us/img65/8284/winpfindsettingslh4.jpg)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 07:06:37 PM
Hi, thanks for the info.

Below is the winpfind3u log. (5 posts including this one)

WinPFind3 logfile created on: 7/9/2007 12:46:11 PM
WinPFind3U by OldTimer - Version 1.0.39   Folder = E:\Program Files\Anti Virus\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1022.73 Mb Total Physical Memory | 661.89 Mb Available Physical Memory | 64.72% Memory free
2.40 Gb Paging File | 2.14 Gb Available in Paging File | 89.18% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 15.24 Gb Free Space | 52.03% Space Free
Drive D: | 29.29 Gb Total Space | 4.20 Gb Free Space | 14.33% Space Free
Drive E: | 53.19 Gb Total Space | 14.00 Gb Free Space | 26.31% Space Free
F: Drive not present or media not loaded

Computer Name: HOMEUSER
Current User Name: Mr.C!
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aolsoftware.exe -> %CommonProgramFiles%\AOL\1141834038\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.9.1 | Size = 50792 bytes | Modified Date = 11/2/2005 11:01:14 PM | Attr =    ]
ashdisp.exe -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
ashmaisv.exe -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
ashserv.exe -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
ashwebsv.exe -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
aswupdsv.exe -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
devdtct2.exe -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
guard.exe -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
hotsync.exe -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
ituneshelper.exe -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
jusched.exe -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
logitray.exe -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
lvcoms.exe -> %System32%\LVComS.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 135214 bytes | Modified Date = 8/29/2003 2:44:50 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
qttask.exe -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
saservice.exe -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]
winpfind3u.exe -> E:\Program Files\Anti Virus\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =    ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =    ]
(SiteAdvisor Service) SiteAdvisor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
HostManager -> %CommonProgramFiles%\AOL\1141834038\ee\AOLSoftware.exe -> America Online, Inc. [Ver = 1.4.9.1 | Size = 50792 bytes | Modified Date = 11/2/2005 11:01:14 PM | Attr =    ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
iTunesHelper -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]

WinpFind3u continues in next post.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 07:08:28 PM
WinpFind3u log continues:

LogitechVideoRepair -> E:\Program Files\Internet\Logitech WebCam\ISStart.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 188416 bytes | Modified Date = 8/29/2003 3:17:26 PM | Attr =    ]
LogitechVideoTray -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 323584 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
QuickTime Task -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
SunJavaUpdateSched -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 ->  -> File not found
FolderShare -> E:\Program Files\Utilities\FolderShare\FolderShare.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Gamma Loader.exe.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 4:06:48 PM | Attr =    ]
%AllUsersStartup%\Device Detector 2.lnk -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
%AllUsersStartup%\HotSync Manager.lnk -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
%AllUsersStartup%\HP Image Zone Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Modified Date = 5/28/2004 11:06:36 PM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll ->  [Ver =  | Size = 16973 bytes | Modified Date = 9/18/2001 7:37:34 PM | Attr =    ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =    ]
NavLogon -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowLegacyWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowUnhashedWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoResolveSearch -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoResolveTrack -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 36 ->

WinpFind3u log continues in next post.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 07:10:27 PM
WinpFind3u log continues from previous post:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> ÿÿÿÿ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Shell\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> www.bbc.co.uk ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{089FD14D-132B-48FC-8861-0048AE113215} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [Reg Data - Value does not exist] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> E:\Program Files\Utilities\Java Runtime Environment\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 509592 bytes | Modified Date = 6/14/2007 6:32:36 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{0BF43445-2F28-4351-9252-17FE6E806AA0} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [McAfee SiteAdvisor] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Value does not exist [&Google] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %System32%\msjava.dll [MenuText: Sun Java Console] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} -> Reg Data - Value does not exist [ButtonText: Messenger] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
{FB858B22-55E2-413f-87F5-30ADC5552151} -> E:\Program Files\Utilities\PDFill\DownloadPDF.exe [ButtonText: PDFill PDF Editor] -> PlotSoft LLC [Ver = 1.1 | Size = 172032 bytes | Modified Date = 2/23/2006 9:26:38 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{26BD2C10-1C5D-4554-ACE7-5448D9FEC5F2} ->    (3Com Gigabit LOM (3C940)) ->
{3757A94B-D174-4396-B478-AF4C6442B82E} ->    (1394 Net Adapter) ->
{FBEE8126-A5B5-43FA-9CA2-6548B4BE79E4} ->    () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr =    ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
siteadvisor -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> YInstStarter Class - CodeBase = http://download.yahoo.com/dl/installs/yinst0401.cab ->
{474F00F5-3853-492C-AC3A-476512BBC336} -> UploadListView Class - CodeBase = http://picasaweb.google.com/s/v/14.21/uploader2.cab ->
{4CCA4E6B-9259-11D9-AC6E-444553544200} ->  - CodeBase = http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab ->
{611627F1-D9A5-4235-958E-618E483BF8E7} -> AutoUploader Class - CodeBase = http://www.splashbulb.com/uploader/lib/uploader.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ->  - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.6395486111 ->
{BAC01377-73DD-4796-854D-2A8997E3D68A} ->  - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->


[Files/Folders - Created Within 30 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Created Date = 7/8/2007 6:08:40 PM | Attr =    ]
mfx_temp -> %SystemDrive%\mfx_temp ->  [Folder | Created Date = 7/9/2007 9:53:52 AM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Created Date = 7/9/2007 9:54:36 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 7/8/2007 1:47:16 PM | Attr =    ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Created Date = 6/15/2007 8:11:25 AM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Created Date = 6/15/2007 8:09:53 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Created Date = 6/15/2007 8:11:13 AM | Attr =  H ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 7/8/2007 1:47:31 PM | Attr =    ]

WinPFind3u log continues in next post
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 07:14:29 PM
WinPfind3u log continues from previous post:

fw20.vxd -> %SystemRoot%\fw20.vxd ->  [Ver =  | Size = 79947 bytes | Created Date = 2/24/2067 3:21:18 PM | Attr =    ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =  H ]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Created Date = 6/18/2007 9:32:17 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Created Date = 6/25/2007 10:06:40 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Created Date = 7/5/2007 9:23:40 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Created Date = 6/13/2007 12:02:30 PM | Attr =  HS]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Created Date = 7/2/2007 7:47:35 AM | Attr =  HS]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Created Date = 6/24/2007 7:19:28 AM | Attr =  HS]
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Created Date = 6/14/2007 12:09:35 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Created Date = 6/29/2007 12:25:21 PM | Attr =  HS]
fxscount.h -> %System32%\fxscount.h ->  [Ver =  | Size = 1361 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
fxsperf.ini -> %System32%\fxsperf.ini ->  [Ver =  | Size = 1793 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Created Date = 6/11/2007 8:49:47 AM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Created Date = 6/17/2007 1:15:12 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Created Date = 6/19/2007 10:18:40 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Created Date = 6/11/2007 11:03:32 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Created Date = 6/26/2007 10:11:50 AM | Attr =  HS]
hticons.dll -> %System32%\hticons.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Created Date = 6/27/2007 10:28:04 AM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Created Date = 6/15/2007 12:09:39 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Created Date = 6/28/2007 12:29:12 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Created Date = 6/21/2007 9:59:22 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Created Date = 6/11/2007 8:49:32 AM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Created Date = 7/3/2007 8:31:48 AM | Attr =  HS]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Created Date = 7/4/2007 8:49:17 AM | Attr =  HS]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Created Date = 7/6/2007 9:37:35 AM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Created Date = 7/1/2007 12:04:31 AM | Attr =  HS]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Created Date = 6/16/2007 12:11:17 PM | Attr =  HS]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Created Date = 6/22/2007 10:04:01 PM | Attr =  HS]
vfind.exe -> %System32%\vfind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Created Date = 6/16/2007 12:19:32 PM | Attr =  HS]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Created Date = 6/20/2007 9:53:33 PM | Attr =  HS]
htrn_jis.dll -> %System32%\dllcache\htrn_jis.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 13312 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 7/7/2007 4:51:23 PM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 7/7/2007 4:30:25 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]

[Files/Folders - Modified Within 30 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Modified Date = 7/8/2007 7:08:42 PM | Attr =    ]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 7/8/2007 6:58:38 PM | Attr =  H ]
mfx_temp -> %SystemDrive%\mfx_temp ->  [Folder | Modified Date = 7/9/2007 11:03:50 AM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Modified Date = 7/9/2007 10:54:38 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 7/8/2007 2:47:18 PM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 7/7/2007 5:32:44 PM | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 7/9/2007 10:57:18 AM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 6/15/2007 9:07:08 AM | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Modified Date = 6/15/2007 9:11:28 AM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Modified Date = 6/15/2007 9:09:56 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Modified Date = 6/15/2007 9:11:16 AM | Attr =  H ]
addins -> %SystemRoot%\addins ->  [Folder | Modified Date = 6/11/2007 9:49:14 AM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 7/9/2007 10:56:00 AM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Modified Date = 7/4/2007 7:21:06 PM | Attr =    ]
Cursors -> %SystemRoot%\Cursors ->  [Folder | Modified Date = 6/11/2007 9:49:28 AM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 7/8/2007 2:47:32 PM | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =    ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 6/15/2007 9:08:40 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 6/15/2007 9:11:22 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 7/8/2007 6:58:38 PM | Attr =  HS]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 6/17/2007 12:11:58 AM | Attr =    ]
pfirewall.log.old -> %SystemRoot%\pfirewall.log.old ->  [Ver =  | Size = 4026387 bytes | Modified Date = 6/22/2007 11:02:46 AM | Attr =    ]

WinPFind3u log continues in next post
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 09, 2007, 07:18:24 PM
WinPfind3u log post (final)

Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 7/9/2007 11:28:06 AM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 6/20/2007 1:10:58 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 6/23/2007 6:21:22 PM | Attr =  H ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 6/11/2007 11:09:58 AM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 7/8/2007 6:58:26 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 7/9/2007 10:59:04 AM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 7/9/2007 11:33:10 AM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 1088 bytes | Modified Date = 7/6/2007 12:36:54 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Modified Date = 7/9/2007 10:59:04 AM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 7/9/2007 10:56:08 AM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Modified Date = 6/11/2007 9:31:14 PM | Attr =  HS]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Modified Date = 6/19/2007 10:46:10 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Modified Date = 6/26/2007 11:07:18 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Modified Date = 7/6/2007 10:24:10 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Modified Date = 6/15/2007 10:10:24 AM | Attr =  HS]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 6/15/2007 9:13:38 AM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 7/8/2007 3:27:24 PM | Attr =    ]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Modified Date = 7/3/2007 9:29:26 AM | Attr =  HS]
config -> %System32%\config ->  [Folder | Modified Date = 7/8/2007 2:47:42 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 6/15/2007 9:11:32 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 7/8/2007 2:51:54 PM | Attr =    ]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Modified Date = 6/25/2007 11:04:24 AM | Attr =  HS]
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Modified Date = 6/14/2007 1:09:44 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Modified Date = 7/1/2007 1:02:16 AM | Attr =  HS]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Modified Date = 7/6/2007 12:36:38 PM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Modified Date = 6/18/2007 10:27:00 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Modified Date = 6/20/2007 10:30:04 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Modified Date = 6/13/2007 12:51:22 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Modified Date = 6/27/2007 11:12:28 AM | Attr =  HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:50 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Modified Date = 6/14/2007 4:53:22 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:54 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Modified Date = 6/14/2007 4:53:24 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Modified Date = 6/28/2007 1:21:10 PM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Modified Date = 6/16/2007 1:11:22 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Modified Date = 6/28/2007 1:58:54 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Modified Date = 6/22/2007 10:59:44 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Modified Date = 6/11/2007 9:49:34 AM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Modified Date = 6/11/2007 2:57:20 PM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Modified Date = 7/4/2007 9:47:18 AM | Attr =  HS]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 65130 bytes | Modified Date = 6/11/2007 9:49:58 AM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 407820 bytes | Modified Date = 6/11/2007 9:49:58 AM | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 480434 bytes | Modified Date = 6/11/2007 9:49:58 AM | Attr =    ]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Modified Date = 7/5/2007 10:18:18 AM | Attr =  HS]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 7/7/2007 6:32:08 PM | Attr =    ]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Modified Date = 7/6/2007 10:37:52 AM | Attr =  HS]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Modified Date = 7/7/2007 3:00:12 PM | Attr =  HS]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Modified Date = 7/8/2007 10:51:14 AM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Modified Date = 7/2/2007 8:45:42 AM | Attr =  HS]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Modified Date = 6/16/2007 1:11:52 PM | Attr =  HS]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Modified Date = 6/24/2007 8:11:12 AM | Attr =  HS]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Modified Date = 6/17/2007 2:15:20 PM | Attr =  HS]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 13002 bytes | Modified Date = 7/9/2007 10:56:40 AM | Attr =    ]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Modified Date = 6/21/2007 10:54:20 PM | Attr =  HS]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 7/8/2007 2:49:30 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Modified Date = 7/8/2007 2:30:18 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\pncrt.dll -> Real Networks, Inc [Ver = 6.0.0.0 | Size = 123392 bytes | Modified Date = 11/25/2003 7:32:02 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr =    ]

< End of report >

Thank you.

Magic Folders is 257 days old. MagicFolders site says Spyagent could be a false positive.
Narrator was not found in Services
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 10, 2007, 05:08:09 AM
Narrator is not in the “Services” List within Administrative Tools. Could I still go ahead and use HJT to fix the Narrator service ...
Yes, those lines can be fixed.

I became aware of it when I tried uninstalling Magic Folders and the Magic Folders uninstallation conflicted with SpyAgent. So I contacted Spytech technical support and in reply to my query they emailed the following:
“If you do not see the program installed in either of folders , it is likely that the program magic folders, gives false positive & spyagent is not actually there.
SpyAgent Stealth Install Directory: c:/program files/sysconfig
Default non-stealth Install Directory:
c:/program files/spytech software/spytech spyagent”
These folders were not in the computer, unless they are masked in some way. Hence I searched MagicFolders FAQs and as per their instruction re-installed mfx.exe and retried without effect. I have sent an email out to their helpdesk, but no reply yet. Also I do not know how to deal with false positives if it is one. But I am really concerned about a keystroke capturing program like SpyAgent being installed on my computer. That could be quite disastrous.
I'm not seeing anything in the logs that looks like either of these programs, so I'm inclined to think neither are running at start up and, possibly, Spyagent isn't there at all.   But these commercial keyloggers can be tricky so I'm not 100% sure on this yet.

I would like to draw a distinction between a trojan type keylogger where there is a serious concern that private information is being sent to criminals vs a commercial keylogger that is usually installed by a parent concerned about his child's well-being or a suspicious spouse.  SpyAgent seems to be in the latter category and, although I would not completely dismiss the risk, there are a few things I noticed in your WinPFind log and a file listed in ComboFix that I would like to address first.



If you haven't already installed OTMoveIt please do so now.  Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\rqtss.bak1

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Now download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
 

 Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.
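The files that stand out in the WinPFind3U listing posted above share a shape: random-looking names under %System32%, Hidden+System attributes, no vendor or version string (the many 8-letter .ini files, rqtss.ini with its .bak copies, and the unsigned driver njyoxcnhlwus.sys). The following Python script is an added example, not part of this thread, of WinPFind3U, or of any other tool mentioned here: it parses lines in the WinPFind3U format and scores each file on those indicators so a long listing can be triaged quickly. The weights and the threshold are my own assumptions, tuned on the sample lines, which are copied from the log above.

```python
"""Triage a WinPFind3U file listing for random-named Hidden+System files.

Added example; not code from the thread or from WinPFind3U. It parses lines of
the form
  name -> path -> vendor [Ver = ... | Size = ... | ... Date = ... | Attr = ...]
and scores each file on indicators visible in the posted log. The weights and
the threshold (4) are assumptions chosen for this log, not a published rule.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the WinPFind3U output posted in this thread.
SAMPLE_LOG = r"""
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Created Date = 6/16/2007 12:11:17 PM | Attr =  HS]
vfind.exe -> %System32%\vfind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
htrn_jis.dll -> %System32%\dllcache\htrn_jis.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 13312 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 7/7/2007 4:51:23 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 6/15/2007 9:11:32 AM | Attr = RHS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Modified Date = 7/6/2007 10:24:10 AM | Attr =  HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:50 PM | Attr =    ]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Modified Date = 6/11/2007 9:49:34 AM | Attr =    ]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Modified Date = 7/8/2007 10:51:14 AM | Attr =  HS]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 7/9/2007 10:56:00 AM | Attr =   S]
"""

LINE_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>.*?) \[(?P<fields>.*)\]\s*$")
VOWELS = set("aeiou")


@dataclass
class Entry:
    name: str
    path: str
    vendor: str
    fields: dict          # "Ver", "Size", "Created Date"/"Modified Date", "Attr", or "Folder"

    @property
    def attrs(self):
        return self.fields.get("Attr", "")

    @property
    def is_folder(self):
        return "Folder" in self.fields


def parse_line(line):
    """Parse one WinPFind3U line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(" | "):
        key, sep, value = part.partition(" = ")
        fields[key.strip()] = value.strip() if sep else ""   # "Folder" carries no value
    return Entry(m.group("name"), m.group("path"), m.group("vendor").strip(), fields)


def stem(name):
    """Filename without extension(s): 'rqtss.bak2' -> 'rqtss'."""
    return name.split(".", 1)[0]


def looks_random(text):
    """Crude pronounceability test: a run of 3+ consonants or under 30% vowels."""
    s = text.lower()
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return False
    vowel_share = sum(c in VOWELS for c in letters) / len(letters)
    return bool(re.search(r"[b-df-hj-np-tv-z]{3,}", s)) or vowel_share < 0.3


# (weight, description, predicate); weights are an assumption tuned on SAMPLE_LOG.
INDICATORS = [
    (1, "under %System32%", lambda e: e.path.lower().startswith("%system32%\\")),
    (2, "Hidden+System attributes", lambda e: "H" in e.attrs and "S" in e.attrs),
    (1, "no vendor or version string", lambda e: not e.vendor and not e.fields.get("Ver")),
    (1, "8+ lowercase-letter name", lambda e: re.fullmatch(r"[a-z]{8,}", stem(e.name)) is not None),
    (1, "random-looking name", lambda e: looks_random(stem(e.name))),
]


def score_entry(entry):
    """Return (score, reasons). Folders are not scored."""
    if entry.is_folder:
        return 0, []
    score, reasons = 0, []
    for weight, reason, test in INDICATORS:
        if test(entry):
            score += weight
            reasons.append(reason)
    return score, reasons


def triage(text, threshold=4):
    """Parse a log and return entries scoring at or above the threshold, worst first."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        score, reasons = score_entry(entry)
        if score >= threshold:
            hits.append({"path": entry.path, "score": score, "reasons": reasons,
                         "size": entry.fields.get("Size", ""), "attrs": entry.attrs})
    return sorted(hits, key=lambda h: (-h["score"], h["path"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["score"]}  {hit["path"]:<40} {hit["attrs"]:<3} {"; ".join(hit["reasons"])}')
```

On the sample, the four Hidden+System .ini files and the unsigned driver score at or above the threshold, while SteelWerX, GRISOFT and Sun files, and unsigned but ordinary names such as vfind.exe or mapisvc.inf, stay below it. A score is a reason to look at the file (hash it, submit it, check who loads it), not a verdict.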
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 10, 2007, 03:03:08 PM
OTMoveIt results:
C:\WINDOWS\system32\rqtss.bak1 moved successfully.
 Created on 07/10/2007 07:39:24

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:56 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed Utilities\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
E:\Program Files\Anti Virus\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
E:\Program Files\Anti Virus\Avast\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe
E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
E:\Program Files\Utilities\Quicktime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
E:\Program Files\Anti Virus\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://officeupdate.microsoft.com/outlook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Utilities\Java Runtime Environment\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Internet\Logitech WebCam\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Internet\Logitech WebCam\ISStart.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - E:\Program Files\Utilities\PDFill\\DownloadPDF.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.21/uploader2.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {611627F1-D9A5-4235-958E-618E483BF8E7} (AutoUploader Class) - http://www.splashbulb.com/uploader/lib/uploader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Anti Virus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

--
End of file - 7402 bytes

VundoFix.exe Scan Result:
No infected files were found

Questions on the HijackThis file:
My default home page is www.bbc.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk. But once in a way IE used to jump to the URL given in HijackThis log line R1. Is that normal or should these processes be fixed?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Could I stop these processes using HijackThis? I believe most of these run at startup, but I probably access these once a year, probably even less.
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe   (do not use AOL)
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background

Thanks mauserme. Two days without virus warnings now. Haven't had that in months!!
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 11, 2007, 05:04:06 AM
My default home page is www.bbc.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk. But once in a way IE used to jump to the URL given in HijackThis log line R1. Is that normal or should these processes be fixed?
I usually think more in terms of safe/unsafe rather than normal/abnormal since the latter is up to the user to decide.   The links in the R1's are both safe and common.  No need for worries on these.


Could I stop these processes using HijackThis? I believe most of these run at startup, but I probably access these once a year, probably even less.
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe   (do not use AOL)
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
If you never use AOL I suggest you uninstall it in Add/Remove Programs, then delete any traces you find in Program Files and Application Data in the user accounts.  I dislike anything from AOL and mistrust their applications (particularly AIM).

iTunes probably installed with QuickTime without notifying you.  It can be uninstalled if you don't use it or you can fix the line in HJT and the effect will be to make it a manual process.

Disabling (fixing the line for) QuickTime may be a temporary measure as it wants to put itself back in the startups any time it's used.  If you find that as annoying as I do you could try QuickTime Alternative instead:

http://fileforum.betanews.com/detail/QuickTime_Alternative_QT7_Lite/1049831315/3


I'm not familiar with Folder Share.  I would be inclined to open the program and see if there's a setting in the configuration options to stop it loading at startup first.  If not, it's probably safe to fix the line.

And for sure these two lines can be fixed:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)



I'm revisiting your WinPFind log as I'm just not comfortable with some of the files I see there.  I had hoped for more from VundoFix but we can handle it manually instead.  I'll post again later about that.


Two days without virus warnings now. Haven't had that in months!!
8)
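The HijackThis log above is being read entry type by entry type: O4 lines are autostarts that can be "fixed" (removed) to stop a program loading at logon, and the two O9 lines point at a DLL that no longer exists. The following Python script is an added example, not part of this thread and not code from HijackThis, that parses the O2/O3/O9 (CLSID-keyed), O4 (autostart) and O23 (service) entry types into a structured form and flags the same kinds of lines. The sample lines are copied from the log posted above; the flag rules are my own assumptions and mark hygiene issues (dead entries, bare filenames resolved through the search path, unquoted paths with spaces), not malware verdicts.

```python
"""Structured parse of HijackThis 2.0 log lines with simple hygiene flags.

Added example: not part of the thread and not code from HijackThis. Only the
O2/O3/O9, O4 and O23 entry types are parsed; other lines (R0/R1, O16, ...)
are ignored. The flag rules are assumptions, not HijackThis's own analysis.
"""
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141834038\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\Utilities\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Anti Virus\Avast\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>HKLM|HKCU|Global Startup)[^:]*: (?P<rest>.*)$")
O4_RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")          # registry Run value
O4_LNK_RE = re.compile(r"^(?P<name>.*?\.lnk) = (?P<cmd>.*)$")           # Startup-folder shortcut
CLSID_RE = re.compile(r"^(?P<kind>O[239]) - (?P<label>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|cpl|scr|com|bat|ocx))(?:\s.*)?$", re.IGNORECASE)
MISSING = " (file missing)"


def command_path(cmd):
    """Split a Run-value command line into (executable path, was_quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = EXT_RE.match(cmd)           # unquoted: cut at the first executable extension
    return (m.group("path") if m else cmd), False


def findings_for(e):
    """Hygiene flags for one entry (assumed rules, not malware verdicts)."""
    f = []
    if e.get("missing"):
        f.append("target file missing: dead entry, safe to fix")
    if e["kind"] == "O4" and e["where"] in ("HKLM", "HKCU"):
        if "\\" not in e["path"]:
            f.append("bare filename: resolved through the search path at logon")
        elif " " in e["path"] and not e["quoted"]:
            f.append("unquoted path containing spaces")
    if e["name"] == "(no name)":
        f.append("unnamed entry: judge it by its path and CLSID")
    return f


def analyse(text):
    """Parse supported HJT entry types; returns a list of dicts with findings."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        e = None
        if (m := O4_RE.match(line)):
            r = O4_RUN_RE.match(m.group("rest")) or O4_LNK_RE.match(m.group("rest"))
            if r:
                path, quoted = command_path(r.group("cmd"))
                e = {"kind": "O4", "where": m.group("where"), "name": r.group("name"),
                     "path": path, "quoted": quoted}
        elif (m := CLSID_RE.match(line)):
            path = m.group("path")
            missing = path.endswith(MISSING)
            e = {"kind": m.group("kind"), "where": m.group("label"), "name": m.group("name"),
                 "path": path[:-len(MISSING)] if missing else path,
                 "clsid": m.group("clsid").upper(), "missing": missing}
        elif (m := O23_RE.match(line)):
            e = {"kind": "O23", "where": m.group("vendor"), "name": m.group("name"),
                 "path": m.group("path")}
        if e:
            e["findings"] = findings_for(e)
            entries.append(e)
    return entries


if __name__ == "__main__":
    for e in analyse(SAMPLE_HJT):
        flag = " <-- " + "; ".join(e["findings"]) if e["findings"] else ""
        print(f'{e["kind"]:<4}{e["where"]:<26}{e["name"]:<32}{e["path"]}{flag}')
```

Run on the sample, the two msjava.dll O9 entries are the only "file missing" hits, [nwiz] is flagged because its command is a bare filename, and the AOL HostManager value because its path with spaces is not quoted; the avast, QuickTime and shortcut entries produce no findings.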
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 11, 2007, 06:15:55 AM
Back again with the WinPFind fix.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote

[Files/Folders - Created Within 30 days]
NY -> mfx_temp -> %SystemDrive%\mfx_temp
[Files/Folders - Modified Within 30 days]
NY -> mfx_temp -> %SystemDrive%\mfx_temp
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan, this time changing Files/Folders Created Within and Files/Folders Modified Within to 90 days.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.


Then, upload this file to Virus Total (http://www.virustotal.com/en/indexf.html)

C:\78875.SYM

Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:13:16 PM
Hi Mauserme,
AOL: Uninstalled completely

QuickTime:
I do not mind QuickTime being on the computer; I was trying to keep it from loading into the system tray during every boot. Since it's not used much, it is probably a waste of memory and loading time. Could I disable it from automatic startup?

Foldershare:
It is an MS program that allows you to access your files anywhere. I need access to certain pertinent yet insensitive data on my home computer for work purposes. So I checked out FolderShare (https://www.foldershare.com/info/howItWorks.php?). That's around when Google Docs came up and that was just easier, since the individual machines do not have to be synched, and this computer does not have to be on all the time. I thought I had uninstalled the program if there was any. A search on the computer revealed just the following. Could this be loading during Startup as well?
C:\Documents and Settings\Family\Local Settings\Application Data\FolderShare
Contains two folders “Settings” & “Logs”
The FolderShare folder size is 826 KB


WinPfind3u fix Result:
(Note: I ran it once, but accidentally closed the txt file, so this is the second run)
[Files/Folders - Created Within 30 days]
File C:\mfx_temp not found!
[Files/Folders - Modified Within 30 days]
File C:\mfx_temp not found!
File C:\WINDOWS\imsins.BAK not found!
< End of log >
Created on 07/11/2007 14:06:35

WinPfind3u log will follow in the next few posts and the last post will be the result of the VirusTotal scan
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:22:18 PM
WinPFind3 logfile created on: 7/11/2007 2:14:18 PM
WinPFind3U by OldTimer - Version 1.0.39   Folder = E:\Program Files\Anti Virus\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1022.73 Mb Total Physical Memory | 646.05 Mb Available Physical Memory | 63.17% Memory free
2.40 Gb Paging File | 2.15 Gb Available in Paging File | 89.25% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 15.17 Gb Free Space | 51.80% Space Free
Drive D: | 29.29 Gb Total Space | 4.20 Gb Free Space | 14.33% Space Free
Drive E: | 53.19 Gb Total Space | 13.99 Gb Free Space | 26.31% Space Free
F: Drive not present or media not loaded

Computer Name: HOMEUSER
Current User Name: Mr.C!
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
ashmaisv.exe -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
ashserv.exe -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
ashwebsv.exe -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
aswupdsv.exe -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
devdtct2.exe -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
guard.exe -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
hotsync.exe -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 520192 bytes | Modified Date = 5/28/2004 11:08:52 PM | Attr =    ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
ituneshelper.exe -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
jusched.exe -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
logitray.exe -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
lvcoms.exe -> %System32%\LVComS.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 135214 bytes | Modified Date = 8/29/2003 2:44:50 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
qttask.exe -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
saservice.exe -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]
winpfind3u.exe -> E:\Program Files\Anti Virus\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\Avast\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> E:\Program Files\Anti Virus\Avast\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr =    ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 8:31:10 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 3:56:48 AM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 12:41:10 AM | Attr =    ]
(iPodService) iPodService [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 4:23:58 PM | Attr =    ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 73728 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %System32%\HPZipm12.exe -> HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Modified Date = 3/18/2004 4:55:48 PM | Attr =    ]
(SiteAdvisor Service) SiteAdvisor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiteAdvisor\6066\SAService.exe -> McAfee, Inc. [Ver = 2.4.0 | Size = 321064 bytes | Modified Date = 6/3/2007 10:49:56 PM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> E:\Program Files\Anti Virus\Avast\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr =    ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Modified Date = 2/12/2004 1:38:56 PM | Attr =    ]
iTunesHelper -> E:\Program Files\Utilities\iTunes&Quicktime\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 278528 bytes | Modified Date = 6/14/2006 4:24:14 PM | Attr =    ]
LogitechVideoRepair -> E:\Program Files\Internet\Logitech WebCam\ISStart.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 188416 bytes | Modified Date = 8/29/2003 3:17:26 PM | Attr =    ]
LogitechVideoTray -> E:\Program Files\Internet\Logitech WebCam\LogiTray.exe -> Logitech Inc. [Ver = 8.1.1.1100 | Size = 77824 bytes | Modified Date = 8/29/2003 3:20:02 PM | Attr =    ]
nwiz -> %System32%\nwiz.exe -> NVIDIA Corporation [Ver = 6.14.10.4469 | Size = 323584 bytes | Modified Date = 6/18/2003 1:31:00 AM | Attr =    ]

WinPFind3 logfile continues in the next post
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:24:09 PM
WinPFind3 logfile continued...

QuickTime Task -> E:\Program Files\Utilities\Quicktime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 2/16/2007 10:54:04 AM | Attr =    ]
SunJavaUpdateSched -> E:\Program Files\Utilities\Java Runtime Environment\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 132760 bytes | Modified Date = 6/14/2007 6:32:40 PM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3510 | Size = 180269 bytes | Modified Date = 4/25/2006 8:53:20 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
FolderShare -> E:\Program Files\Utilities\FolderShare\FolderShare.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Gamma Loader.exe.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 4:06:48 PM | Attr =    ]
%AllUsersStartup%\Device Detector 2.lnk -> %ProgramFiles%\Olympus\DeviceDetector\DevDtct2.exe -> OLYMPUS Corporation. [Ver = 2, 4, 3, 1 | Size = 114688 bytes | Modified Date = 1/16/2004 3:45:08 PM | Attr =    ]
%AllUsersStartup%\HotSync Manager.lnk -> %ProgramFiles%\palmOne\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr =    ]
%AllUsersStartup%\HP Image Zone Fast Start.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqthb08.exe -> Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Modified Date = 5/28/2004 11:06:36 PM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> E:\Program Files\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 8:29:58 AM | Attr =    ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll ->  [Ver =  | Size = 16973 bytes | Modified Date = 9/18/2001 7:37:34 PM | Attr =    ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> E:\Program Files\Anti Virus\SuperAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =    ]
NavLogon -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowLegacyWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\AllowUnhashedWebView -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoResolveSearch -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoResolveTrack -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 36 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> ÿÿÿÿ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->

WinPFind3 logfile continues in next post
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:25:36 PM
WinPFind3 logfile continued...

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Shell\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> www.bbc.co.uk ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{089FD14D-132B-48FC-8861-0048AE113215} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [Reg Data - Value does not exist] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> E:\Program Files\Utilities\Java Runtime Environment\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 509592 bytes | Modified Date = 6/14/2007 6:32:36 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{0BF43445-2F28-4351-9252-17FE6E806AA0} [HKLM] -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll [McAfee SiteAdvisor] -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Value does not exist [&Google] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} -> Reg Data - Value does not exist [ButtonText: Messenger] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
{FB858B22-55E2-413f-87F5-30ADC5552151} -> E:\Program Files\Utilities\PDFill\DownloadPDF.exe [ButtonText: PDFill PDF Editor] -> PlotSoft LLC [Ver = 1.1 | Size = 172032 bytes | Modified Date = 2/23/2006 9:26:38 PM | Attr =    ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{26BD2C10-1C5D-4554-ACE7-5448D9FEC5F2} ->    (3Com Gigabit LOM (3C940)) ->
{3757A94B-D174-4396-B478-AF4C6442B82E} ->    (1394 Net Adapter) ->
{FBEE8126-A5B5-43FA-9CA2-6548B4BE79E4} ->    () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Modified Date = 5/12/2004 3:18:56 PM | Attr =    ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
siteadvisor -> %ProgramFiles%\SiteAdvisor\6066\SiteAdv.dll -> McAfee, Inc. [Ver = 2.4.0 | Size = 1099304 bytes | Modified Date = 3/30/2007 11:41:24 AM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> YInstStarter Class - CodeBase = http://download.yahoo.com/dl/installs/yinst0401.cab ->
{474F00F5-3853-492C-AC3A-476512BBC336} -> UploadListView Class - CodeBase = http://picasaweb.google.com/s/v/14.21/uploader2.cab ->
{4CCA4E6B-9259-11D9-AC6E-444553544200} ->  - CodeBase = http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab ->
{611627F1-D9A5-4235-958E-618E483BF8E7} -> AutoUploader Class - CodeBase = http://www.splashbulb.com/uploader/lib/uploader.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ->  - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37988.6395486111 ->
{BAC01377-73DD-4796-854D-2A8997E3D68A} ->  - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab ->
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->

[Files/Folders - Created Within 90 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Created Date = 7/8/2007 6:08:40 PM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Created Date = 7/9/2007 9:54:36 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 7/8/2007 1:47:16 PM | Attr =    ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 7/10/2007 6:49:01 AM | Attr =    ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ ->  [Folder | Created Date = 5/23/2007 11:36:18 PM | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Created Date = 6/15/2007 8:11:25 AM | Attr =  H ]
$NtUninstallKB929969$ -> %SystemRoot%\$NtUninstallKB929969$ ->  [Folder | Created Date = 6/8/2007 9:07:59 AM | Attr =  H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ ->  [Folder | Created Date = 4/16/2007 6:33:27 PM | Attr =  H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ ->  [Folder | Created Date = 5/8/2007 5:42:23 PM | Attr =  H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ ->  [Folder | Created Date = 4/16/2007 6:33:33 PM | Attr =  H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ ->  [Folder | Created Date = 4/16/2007 6:34:00 PM | Attr =  H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ ->  [Folder | Created Date = 4/16/2007 6:33:16 PM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Created Date = 6/15/2007 8:09:53 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Created Date = 6/15/2007 8:11:13 AM | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Created Date = 7/11/2007 8:45:32 AM | Attr =  H ]

WinPFind3 logfile continues in next post
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:26:43 PM
WinPFind3 logfile continued...

catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 7/8/2007 1:47:31 PM | Attr =    ]
fw20.vxd -> %SystemRoot%\fw20.vxd ->  [Ver =  | Size = 79947 bytes | Created Date = 2/24/2067 3:21:18 PM | Attr =    ]
hpoins04.dat -> %SystemRoot%\hpoins04.dat ->  [Ver =  | Size = 104549 bytes | Created Date = 6/8/2007 5:13:18 PM | Attr =    ]
hpomdl04.dat -> %SystemRoot%\hpomdl04.dat ->  [Ver =  | Size = 17176 bytes | Created Date = 6/8/2007 5:13:18 PM | Attr =    ]
ie7 -> %SystemRoot%\ie7 ->  [Folder | Created Date = 6/8/2007 9:21:48 AM | Attr =  H ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 6/20/2007 12:10:57 PM | Attr =  H ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Created Date = 6/8/2007 2:50:15 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Created Date = 6/3/2007 8:55:59 PM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Created Date = 6/4/2007 8:35:02 PM | Attr =  HS]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Created Date = 6/18/2007 9:32:17 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Created Date = 6/25/2007 10:06:40 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Created Date = 7/5/2007 9:23:40 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Created Date = 6/13/2007 12:02:30 PM | Attr =  HS]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Created Date = 7/2/2007 7:47:35 AM | Attr =  HS]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Created Date = 6/24/2007 7:19:28 AM | Attr =  HS]
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Created Date = 6/14/2007 12:09:35 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Created Date = 6/29/2007 12:25:21 PM | Attr =  HS]
fxscount.h -> %System32%\fxscount.h ->  [Ver =  | Size = 1361 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
fxsperf.ini -> %System32%\fxsperf.ini ->  [Ver =  | Size = 1793 bytes | Created Date = 6/11/2007 8:49:11 AM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Created Date = 6/11/2007 8:49:47 AM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Created Date = 6/17/2007 1:15:12 PM | Attr =  HS]
ghpllnnu.ini -> %System32%\ghpllnnu.ini ->  [Ver =  | Size = 1063903 bytes | Created Date = 6/2/2007 1:08:07 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Created Date = 6/19/2007 10:18:40 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Created Date = 6/11/2007 11:03:32 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Created Date = 6/26/2007 10:11:50 AM | Attr =  HS]
hticons.dll -> %System32%\hticons.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Created Date = 7/8/2007 5:57:18 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Created Date = 6/27/2007 10:28:04 AM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Created Date = 6/15/2007 12:09:39 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Created Date = 6/28/2007 12:29:12 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Created Date = 6/21/2007 9:59:22 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Created Date = 6/11/2007 8:49:32 AM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Created Date = 6/7/2007 10:01:08 PM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Created Date = 7/3/2007 8:31:48 AM | Attr =  HS]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Created Date = 7/4/2007 8:49:17 AM | Attr =  HS]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Created Date = 7/6/2007 9:37:35 AM | Attr =  HS]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Created Date = 6/3/2007 8:24:58 PM | Attr =  HS]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Created Date = 6/2/2007 1:07:30 PM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Created Date = 7/1/2007 12:04:31 AM | Attr =  HS]
sttss.ini -> %System32%\sttss.ini ->  [Ver =  | Size = 353 bytes | Created Date = 6/2/2007 1:07:30 PM | Attr =  HS]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 7/8/2007 1:44:52 PM | Attr =    ]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Created Date = 6/16/2007 12:11:17 PM | Attr =  HS]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Created Date = 6/22/2007 10:04:01 PM | Attr =  HS]
vfind.exe -> %System32%\vfind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 7/8/2007 1:44:53 PM | Attr =    ]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Created Date = 6/16/2007 12:19:32 PM | Attr =  HS]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Created Date = 6/20/2007 9:53:33 PM | Attr =  HS]
htrn_jis.dll -> %System32%\dllcache\htrn_jis.dll -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 13312 bytes | Created Date = 6/11/2007 8:49:21 AM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 7/7/2007 4:51:23 PM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 7/7/2007 4:30:25 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Created Date = 7/8/2007 1:30:26 PM | Attr =    ]
hosts.20070602-143317.backup -> %System32%\drivers\etc\hosts.20070602-143317.backup ->  [Ver =  | Size = 734 bytes | Created Date = 6/2/2007 1:33:17 PM | Attr = R  ]

[Files/Folders - Modified Within 90 days]
78875.sym -> %SystemDrive%\78875.sym ->  [Ver =  | Size = 2711 bytes | Modified Date = 7/8/2007 7:08:42 PM | Attr =    ]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 7/11/2007 10:01:52 AM | Attr =  H ]
My Games -> %SystemDrive%\My Games ->  [Folder | Modified Date = 6/2/2007 8:16:18 PM | Attr =    ]
ord.htm -> %SystemDrive%\ord.htm ->  [Ver =  | Size = 418 bytes | Modified Date = 7/9/2007 10:54:38 AM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 6/8/2007 6:23:36 PM | Attr = R  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 7/8/2007 2:47:18 PM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 7/7/2007 5:32:44 PM | Attr =  HS]
temp -> %SystemDrive%\temp ->  [Folder | Modified Date = 6/8/2007 2:26:44 PM | Attr =    ]

WinPFind3 logfile continues in next post...
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:27:54 PM
WinPFind3 logfile continued...

VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Modified Date = 7/10/2007 7:49:02 AM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 7/11/2007 2:00:08 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 7/11/2007 9:40:20 AM | Attr =  H ]
$NtUninstallKB927891$ -> %SystemRoot%\$NtUninstallKB927891$ ->  [Folder | Modified Date = 5/24/2007 12:36:20 AM | Attr =  H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ ->  [Folder | Modified Date = 6/15/2007 9:11:28 AM | Attr =  H ]
$NtUninstallKB929969$ -> %SystemRoot%\$NtUninstallKB929969$ ->  [Folder | Modified Date = 6/8/2007 10:08:02 AM | Attr =  H ]
$NtUninstallKB930178$ -> %SystemRoot%\$NtUninstallKB930178$ ->  [Folder | Modified Date = 4/16/2007 7:33:28 PM | Attr =  H ]
$NtUninstallKB930916$ -> %SystemRoot%\$NtUninstallKB930916$ ->  [Folder | Modified Date = 5/8/2007 6:42:26 PM | Attr =  H ]
$NtUninstallKB931261$ -> %SystemRoot%\$NtUninstallKB931261$ ->  [Folder | Modified Date = 4/16/2007 7:33:34 PM | Attr =  H ]
$NtUninstallKB931784$ -> %SystemRoot%\$NtUninstallKB931784$ ->  [Folder | Modified Date = 4/16/2007 7:34:02 PM | Attr =  H ]
$NtUninstallKB932168$ -> %SystemRoot%\$NtUninstallKB932168$ ->  [Folder | Modified Date = 4/16/2007 7:33:18 PM | Attr =  H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ ->  [Folder | Modified Date = 6/15/2007 9:09:56 AM | Attr =  H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ ->  [Folder | Modified Date = 6/15/2007 9:11:16 AM | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Modified Date = 7/11/2007 9:45:34 AM | Attr =  H ]
addins -> %SystemRoot%\addins ->  [Folder | Modified Date = 6/11/2007 9:49:14 AM | Attr =    ]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 7/11/2007 10:13:02 AM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 7/11/2007 12:54:10 PM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Modified Date = 7/4/2007 7:21:06 PM | Attr =    ]
Cursors -> %SystemRoot%\Cursors ->  [Folder | Modified Date = 6/11/2007 9:49:28 AM | Attr =    ]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 5/8/2007 6:41:12 PM | Attr =    ]
Downloaded Installations -> %SystemRoot%\Downloaded Installations ->  [Folder | Modified Date = 4/18/2007 6:25:50 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 7/8/2007 2:47:32 PM | Attr =    ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 6/2/2007 4:05:48 PM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =    ]
hpoins04.dat -> %SystemRoot%\hpoins04.dat ->  [Ver =  | Size = 104549 bytes | Modified Date = 6/8/2007 6:28:20 PM | Attr =    ]
hpoins04.dat.temp -> %SystemRoot%\hpoins04.dat.temp ->  [Ver =  | Size = 104100 bytes | Modified Date = 6/8/2007 2:46:30 PM | Attr =    ]
ie7 -> %SystemRoot%\ie7 ->  [Folder | Modified Date = 6/8/2007 10:22:38 AM | Attr =  H ]
ie7updates -> %SystemRoot%\ie7updates ->  [Folder | Modified Date = 6/15/2007 9:08:40 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 7/11/2007 9:45:50 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 7/11/2007 9:44:58 AM | Attr =  HS]
Media -> %SystemRoot%\Media ->  [Folder | Modified Date = 6/8/2007 10:22:58 AM | Attr =    ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 7/11/2007 10:13:04 AM | Attr =    ]
mozver.dat -> %SystemRoot%\mozver.dat ->  [Ver =  | Size = 11029 bytes | Modified Date = 4/25/2007 12:53:50 PM | Attr =    ]
msagent -> %SystemRoot%\msagent ->  [Folder | Modified Date = 4/16/2007 9:21:06 PM | Attr =    ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 116 bytes | Modified Date = 6/4/2007 4:57:36 PM | Attr =    ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 6/17/2007 12:11:58 AM | Attr =    ]
pfirewall.log.old -> %SystemRoot%\pfirewall.log.old ->  [Ver =  | Size = 4026387 bytes | Modified Date = 6/22/2007 11:02:46 AM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 7/11/2007 1:59:52 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 6/20/2007 1:10:58 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 6/23/2007 6:21:22 PM | Attr =  H ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 6/8/2007 2:36:30 PM | Attr =    ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 6/11/2007 11:09:58 AM | Attr =    ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 5/23/2007 8:05:06 PM | Attr =    ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Modified Date = 6/8/2007 4:13:28 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 7/11/2007 12:57:22 PM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 7/11/2007 2:03:06 PM | Attr =    ]
twain_32 -> %SystemRoot%\twain_32 ->  [Folder | Modified Date = 6/8/2007 6:18:10 PM | Attr =    ]
WBEM -> %SystemRoot%\WBEM ->  [Folder | Modified Date = 6/8/2007 10:23:06 AM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 1088 bytes | Modified Date = 7/6/2007 12:36:54 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 7/11/2007 9:43:18 AM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Modified Date = 7/11/2007 12:57:22 PM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 7/11/2007 12:54:18 PM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Modified Date = 6/11/2007 9:31:14 PM | Attr =  HS]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
AVASTSS.scr -> %System32%\AVASTSS.scr -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 95872 bytes | Modified Date = 4/30/2007 11:35:28 AM | Attr =    ]
awgvioka.ini -> %System32%\awgvioka.ini ->  [Ver =  | Size = 903273 bytes | Modified Date = 6/19/2007 10:46:10 PM | Attr =  HS]
awwqhkbm.ini -> %System32%\awwqhkbm.ini ->  [Ver =  | Size = 2608880 bytes | Modified Date = 6/26/2007 11:07:18 AM | Attr =  HS]
btuceges.ini -> %System32%\btuceges.ini ->  [Ver =  | Size = 4004 bytes | Modified Date = 7/6/2007 10:24:10 AM | Attr =  HS]
byctvjad.ini -> %System32%\byctvjad.ini ->  [Ver =  | Size = 1832150 bytes | Modified Date = 6/15/2007 10:10:24 AM | Attr =  HS]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 6/15/2007 9:13:38 AM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 7/11/2007 9:40:20 AM | Attr =    ]
cokqgjee.ini -> %System32%\cokqgjee.ini ->  [Ver =  | Size = 3967346 bytes | Modified Date = 7/3/2007 9:29:26 AM | Attr =  HS]
config -> %System32%\config ->  [Folder | Modified Date = 7/8/2007 2:47:42 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2625 bytes | Modified Date = 5/4/2007 12:00:56 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 7/11/2007 9:45:36 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 7/11/2007 9:45:36 AM | Attr =    ]
eclblhoy.ini -> %System32%\eclblhoy.ini ->  [Ver =  | Size = 2610513 bytes | Modified Date = 6/25/2007 11:04:24 AM | Attr =  HS]
en-US -> %System32%\en-US ->  [Folder | Modified Date = 6/8/2007 2:19:46 PM | Attr =    ]

WinPFind3 logfile continues in next page
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:29:21 PM
WinPFind3 logfile continued...
epimlscn.ini -> %System32%\epimlscn.ini ->  [Ver =  | Size = 922340 bytes | Modified Date = 6/14/2007 1:09:44 PM | Attr =  HS]
esagrbsj.ini -> %System32%\esagrbsj.ini ->  [Ver =  | Size = 2825021 bytes | Modified Date = 7/1/2007 1:02:16 AM | Attr =  HS]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 361728 bytes | Modified Date = 6/2/2007 7:18:44 PM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Modified Date = 7/6/2007 12:36:38 PM | Attr =    ]
ggfccaun.ini -> %System32%\ggfccaun.ini ->  [Ver =  | Size = 899002 bytes | Modified Date = 6/18/2007 10:27:00 PM | Attr =  HS]
ghpllnnu.ini -> %System32%\ghpllnnu.ini ->  [Ver =  | Size = 1063903 bytes | Modified Date = 6/4/2007 9:25:32 PM | Attr =  HS]
hanujeoc.ini -> %System32%\hanujeoc.ini ->  [Ver =  | Size = 902645 bytes | Modified Date = 6/20/2007 10:30:04 PM | Attr =  HS]
hfeblegh.ini -> %System32%\hfeblegh.ini ->  [Ver =  | Size = 1836902 bytes | Modified Date = 6/13/2007 12:51:22 PM | Attr =  HS]
honmjkuk.ini -> %System32%\honmjkuk.ini ->  [Ver =  | Size = 2607208 bytes | Modified Date = 6/27/2007 11:12:28 AM | Attr =  HS]
inetsrv -> %System32%\inetsrv ->  [Folder | Modified Date = 6/8/2007 10:09:28 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:50 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 69632 bytes | Modified Date = 6/14/2007 4:53:22 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 135168 bytes | Modified Date = 6/14/2007 3:51:54 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.5 | Size = 139264 bytes | Modified Date = 6/14/2007 4:53:24 PM | Attr =    ]
jyuukovc.ini -> %System32%\jyuukovc.ini ->  [Ver =  | Size = 2605510 bytes | Modified Date = 6/28/2007 1:21:10 PM | Attr =  HS]
kadhngey.ini -> %System32%\kadhngey.ini ->  [Ver =  | Size = 1861349 bytes | Modified Date = 6/16/2007 1:11:22 PM | Attr =  HS]
knircdfl.ini -> %System32%\knircdfl.ini ->  [Ver =  | Size = 2831368 bytes | Modified Date = 6/28/2007 1:58:54 PM | Attr =  HS]
kycvaurl.ini -> %System32%\kycvaurl.ini ->  [Ver =  | Size = 838518 bytes | Modified Date = 6/22/2007 10:59:44 PM | Attr =  HS]
mapisvc.inf -> %System32%\mapisvc.inf ->  [Ver =  | Size = 535 bytes | Modified Date = 6/11/2007 9:49:34 AM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Modified Date = 6/11/2007 2:57:20 PM | Attr =    ]
meskflyf.ini -> %System32%\meskflyf.ini ->  [Ver =  | Size = 3584 bytes | Modified Date = 7/4/2007 9:47:18 AM | Attr =  HS]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 65130 bytes | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 407820 bytes | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 463634 bytes | Modified Date = 7/11/2007 9:44:26 AM | Attr =    ]
qoorjrbi.ini -> %System32%\qoorjrbi.ini ->  [Ver =  | Size = 3765 bytes | Modified Date = 7/5/2007 10:18:18 AM | Attr =  HS]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 7/7/2007 6:32:08 PM | Attr =    ]
rosksxkd.ini -> %System32%\rosksxkd.ini ->  [Ver =  | Size = 4064 bytes | Modified Date = 7/6/2007 10:37:52 AM | Attr =  HS]
rqtss.bak2 -> %System32%\rqtss.bak2 ->  [Ver =  | Size = 1844926 bytes | Modified Date = 7/7/2007 3:00:12 PM | Attr =  HS]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 1866703 bytes | Modified Date = 7/8/2007 10:51:14 AM | Attr =  HS]
seglavgs.ini -> %System32%\seglavgs.ini ->  [Ver =  | Size = 3812146 bytes | Modified Date = 7/2/2007 8:45:42 AM | Attr =  HS]
sttss.ini -> %System32%\sttss.ini ->  [Ver =  | Size = 353 bytes | Modified Date = 6/2/2007 2:07:32 PM | Attr =  HS]
tuikrbvg.ini -> %System32%\tuikrbvg.ini ->  [Ver =  | Size = 1861408 bytes | Modified Date = 6/16/2007 1:11:52 PM | Attr =  HS]
URTTemp -> %System32%\URTTemp ->  [Folder | Modified Date = 6/8/2007 2:35:16 PM | Attr =    ]
veiixtnf.ini -> %System32%\veiixtnf.ini ->  [Ver =  | Size = 1699502 bytes | Modified Date = 6/24/2007 8:11:12 AM | Attr =  HS]
vwhpwrca.ini -> %System32%\vwhpwrca.ini ->  [Ver =  | Size = 1858630 bytes | Modified Date = 6/17/2007 2:15:20 PM | Attr =  HS]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 13002 bytes | Modified Date = 7/11/2007 1:59:38 PM | Attr =    ]
wvejtjfw.ini -> %System32%\wvejtjfw.ini ->  [Ver =  | Size = 891854 bytes | Modified Date = 6/21/2007 10:54:20 PM | Attr =  HS]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 26888 bytes | Modified Date = 4/30/2007 11:37:24 AM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 85952 bytes | Modified Date = 4/30/2007 11:41:56 AM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 94552 bytes | Modified Date = 4/30/2007 11:41:42 AM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 23416 bytes | Modified Date = 4/30/2007 11:39:42 AM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.997.0 | Size = 43176 bytes | Modified Date = 4/30/2007 11:38:52 AM | Attr =    ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 8:10:42 AM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 7/8/2007 2:49:30 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Modified Date = 7/8/2007 2:30:18 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\pncrt.dll -> Real Networks, Inc [Ver = 6.0.0.0 | Size = 123392 bytes | Modified Date = 11/25/2003 7:32:02 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr =    ]
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 1:41:38 AM | Attr =    ]

< End of report >

Next post: Virus Total Result
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 11, 2007, 08:58:36 PM
VirusTotal Scan of C:\78875.SYM

File 78875.sym received on 07.11.2007 20:29:52 (CET)
Antivirus    Version    Last Update    Result
AhnLab-V3   2007.7.11.1   20070711   no virus found
AntiVir   7.4.0.39   20070711   no virus found
Authentium   4.93.8   20070710   no virus found
Avast   4.7.997.0   20070711   no virus found
AVG   7.5.0.476   20070711   no virus found
BitDefender   7.2   20070711   no virus found
CAT-QuickHeal   9.00   20070711   no virus found
ClamAV   devel-20070416   20070711   no virus found
DrWeb   4.33   20070711   no virus found
eSafe   7.0.15.0   20070710   no virus found
eTrust-Vet   30.8.3779   20070711   no virus found
Ewido   4.0   20070711   no virus found
FileAdvisor   1   20070711   no virus found
Fortinet   2.91.0.0   20070711   no virus found
F-Prot   4.3.2.48   20070710   no virus found
Ikarus   T3.1.1.8   20070711   no virus found
Kaspersky   4.0.2.24   20070711   no virus found
McAfee   5072   20070711   no virus found
Microsoft   1.2704   20070711   no virus found
NOD32v2   2393   20070711   no virus found
Norman   5.80.02   20070711   no virus found
Panda   9.0.0.4   20070711   no virus found
Sophos   4.19.0   20070706   no virus found
Sunbelt   2.2.907.0   20070711   no virus found
Symantec   10   20070711   no virus found
TheHacker   6.1.6.144   20070709   no virus found
VBA32   3.12.0.2   20070710   no virus found
VirusBuster   4.3.23:9   20070711   no virus found
Webwasher-Gateway   6.0.1   20070711   no virus found
Additional information
File size: 2711 bytes
MD5: 7fc32bc9e4b8fe10b86d4ff1788f3e34
SHA1: ea2224b6e2e7a8d7b83ffeedaf1a604c157a6dc3
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 12, 2007, 07:21:47 AM
QuickTime:
I do not mind QuickTime being on the computer; I was trying to keep it from loading into the system tray during every boot. Since it's not used much, it is probably a waste of memory and loading time. Could I disable it from automatic startup?
It's probably better to use the free version of WinPatrol for this

http://www.winpatrol.com/download.html

I use this program on all my installations to control start ups, monitor changes, etc.  Use it carefully - if you disable critical system components your computer could be unbootable.


Foldershare:
It is an MS program that allows you to access your files anywhere. I need access to certain pertinent yet insensitive data on my home computer for work purposes. So I checked out FolderShare (https://www.foldershare.com/info/howItWorks.php?). That's around when Google Docs came up and that was just easier, since the individual machines do not have to be synched, and this computer does not have to be on all the time. I thought I had uninstalled the program, if there was any. A search on the computer revealed just the following. Could this be loading during startup as well?
C:\Documents and Settings\Family\Local Settings\Application Data\FolderShare
Contains two folders “Settings” & “Logs”
Folder share folder memory size is 826KB

It appears to still be loading at startup.  Let's try this:

Open HJT again and click Open the Misc Tools Section>Open Uninstall Manager.  Click the button to save the contents then post it in your next response.


WinPfind3u fix Result:
(Note: I ran it once, but accidentally closed the txt file, so this is the second run)
[Files/Folders - Created Within 30 days]
File C:\mfx_temp not found!
[Files/Folders - Modified Within 30 days]
File C:\mfx_temp not found!
File C:\WINDOWS\imsins.BAK not found!
< End of log >
Created on 07/11/2007 14:06:35

No problem.  We wanted those files to be gone and they are.

I am working with your new WinPFind log and have solicited a second opinion on some of the items.  More later on this.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 12, 2007, 04:31:30 PM
Hi Mauserme, below is the saved list from HJT.

HJT Uninstall List:
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Photoshop 6.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 8.1.0
Adobe SVG Viewer
Advanced WindowsCare 2.51 Personal
AFPL Ghostscript 8.14
AFPL Ghostscript Fonts
Age Of Empire-II The Conquerors
APA PERRLA
avast! Antivirus
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
AVI TO DVD VCD SVCD CONVERTER version 2.01
Camtasia Studio 3
Comprehensive Review for NCLEX-PN, 2e
Create and Print Greeting Cards 1.0
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
Intel(R) 537 Modem
iTunes
Java(TM) 6 Update 2
Kaplan NCLEX Question Trainer
Logitech QuickCam
Logitech® Camera Driver
Macromedia Shockwave Player
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Publisher 2003
Microsoft Office Standard Edition 2003
Microsoft Office Visio Standard 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.4)
MSN Messenger 6.2
MSXML 4.0 SP2 (KB927978)
Nero OEM
NVIDIA Windows 2000/XP Display Drivers
overland
palmOne
PDFill PDF Editor 4.1 with Writer and Tools (Unicode)
PDFill PDF Writer
PDFtypewriter with PDF Printer Driver
PFS Report Viewers
PPStream
QuickTime
RealPlayer
Samsung USB Driver (MCCI 4.16)
Saunders Q and A Review
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Shockwave
Spybot - Search & Destroy 1.2
SUPERAntiSpyware Free Edition
TVUPlayer 2.3.2.34
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VIA VT6410 RAID Driver(Remove)
Voice Editing
Windows Blaster Worm Removal Tool (KB833330)
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
XP Codec Pack
Yahoo! Messenger

Thank you!
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: essexboy on July 12, 2007, 11:43:15 PM
A quick but in

 
Quote
do not mind, quicktime being on the computer, I was trying to keep it from loading into the system tray during every boot. Since its not used much, it is probably a waste of memory and loading time. Could I disable it from automatic startup?
Locate the file realsched.exe and rename to realsched.old then fix the line in Hijackthis and it will not load
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 13, 2007, 05:41:39 AM
Thanks for that essexboy, and for the second opinion.

@Maze

Just a few more files to remove.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote

[Files/Folders - Created Within 90 days]
NY -> apnbopbd.ini -> %System32%\apnbopbd.ini
NY -> awgvioka.ini -> %System32%\awgvioka.ini
NY -> awwqhkbm.ini -> %System32%\awwqhkbm.ini
NY -> btuceges.ini -> %System32%\btuceges.ini
NY -> byctvjad.ini -> %System32%\byctvjad.ini
NY -> cokqgjee.ini -> %System32%\cokqgjee.ini
NY -> eclblhoy.ini -> %System32%\eclblhoy.ini
NY -> epimlscn.ini -> %System32%\epimlscn.ini
NY -> esagrbsj.ini -> %System32%\esagrbsj.ini
NY -> ggfccaun.ini -> %System32%\ggfccaun.ini
NY -> ghpllnnu.ini -> %System32%\ghpllnnu.ini
NY -> hanujeoc.ini -> %System32%\hanujeoc.ini
NY -> hfeblegh.ini -> %System32%\hfeblegh.ini
NY -> honmjkuk.ini -> %System32%\honmjkuk.ini
NY -> jyuukovc.ini -> %System32%\jyuukovc.ini
NY -> kadhngey.ini -> %System32%\kadhngey.ini
NY -> knircdfl.ini -> %System32%\knircdfl.ini
NY -> kycvaurl.ini -> %System32%\kycvaurl.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> meskflyf.ini -> %System32%\meskflyf.ini
NY -> qoorjrbi.ini -> %System32%\qoorjrbi.ini
NY -> rosksxkd.ini -> %System32%\rosksxkd.ini
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> seglavgs.ini -> %System32%\seglavgs.ini
NY -> sttss.ini -> %System32%\sttss.ini
NY -> tuikrbvg.ini -> %System32%\tuikrbvg.ini
NY -> veiixtnf.ini -> %System32%\veiixtnf.ini
NY -> vwhpwrca.ini -> %System32%\vwhpwrca.ini
NY -> wvejtjfw.ini -> %System32%\wvejtjfw.ini
NY -> njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys
NY -> hosts.20070602-143317.backup -> %System32%\drivers\etc\hosts.20070602-143317.backup
[Files/Folders - Modified Within 90 days]
NY -> apnbopbd.ini -> %System32%\apnbopbd.ini
NY -> awgvioka.ini -> %System32%\awgvioka.ini
NY -> awwqhkbm.ini -> %System32%\awwqhkbm.ini
NY -> btuceges.ini -> %System32%\btuceges.ini
NY -> byctvjad.ini -> %System32%\byctvjad.ini
NY -> cokqgjee.ini -> %System32%\cokqgjee.ini
NY -> eclblhoy.ini -> %System32%\eclblhoy.ini
NY -> epimlscn.ini -> %System32%\epimlscn.ini
NY -> esagrbsj.ini -> %System32%\esagrbsj.ini
NY -> ggfccaun.ini -> %System32%\ggfccaun.ini
NY -> ghpllnnu.ini -> %System32%\ghpllnnu.ini
NY -> hanujeoc.ini -> %System32%\hanujeoc.ini
NY -> hfeblegh.ini -> %System32%\hfeblegh.ini
NY -> honmjkuk.ini -> %System32%\honmjkuk.ini
NY -> jyuukovc.ini -> %System32%\jyuukovc.ini
NY -> kadhngey.ini -> %System32%\kadhngey.ini
NY -> knircdfl.ini -> %System32%\knircdfl.ini
NY -> kycvaurl.ini -> %System32%\kycvaurl.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> meskflyf.ini -> %System32%\meskflyf.ini
NY -> qoorjrbi.ini -> %System32%\qoorjrbi.ini
NY -> rosksxkd.ini -> %System32%\rosksxkd.ini
NY -> rqtss.bak2 -> %System32%\rqtss.bak2
NY -> rqtss.ini -> %System32%\rqtss.ini
NY -> seglavgs.ini -> %System32%\seglavgs.ini
NY -> sttss.ini -> %System32%\sttss.ini
NY -> tuikrbvg.ini -> %System32%\tuikrbvg.ini
NY -> veiixtnf.ini -> %System32%\veiixtnf.ini
NY -> vwhpwrca.ini -> %System32%\vwhpwrca.ini
NY -> wvejtjfw.ini -> %System32%\wvejtjfw.ini
NY -> njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys


As before, the fix should only take a very short time and a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with any problems you encounter.  Some of these files may not be found - that's OK.


Then you can fix this line in HJT if you want

O4 - HKCU\..\Run: [FolderShare] "E:\Program Files\Utilities\FolderShare\FolderShare.exe" /background


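The WinPFind3U listing Maze posted above and the fix list in this post share one pattern: files under %System32% that carry no publisher or version block, have Hidden+System attributes or a random-looking all-lowercase name, and were modified within the last few weeks. The Python below is an added example written for this page by the editor; it is not WinPFind3U's own code and not anything posted in the thread. It parses lines in the format of that log, applies a triage heuristic that is my own assumption rather than anything the tool implements, and prints the hits in the `NY -> name -> path` form used in the fix above so a helper can review them before deciding what to move. The sample lines are copied from the log above; the thresholds (eight or more letters, the extension sets) are assumptions.

```python
"""Triage helper for WinPFind3U-style file-scan output (added example, not the tool's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions whose names are normally meaningful; a long random lowercase name on one of
# these is worth a second look.  Assumed threshold, not something WinPFind3U defines.
NATIVE_EXTS = {".sys", ".dll", ".exe"}
MIN_RANDOM_STEM = 8


@dataclass
class Entry:
    name: str
    path: str
    publisher: str
    is_folder: bool
    version: str
    size: Optional[int]
    modified: str
    attrs: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'name -> path -> publisher [k = v | ...]' line; None if the line is not one."""
    parts = line.rstrip("\n").split(" -> ", 2)
    if len(parts) != 3:
        return None
    name, path, rest = parts
    publisher, sep, fields_str = rest.rpartition(" [")
    fields_str = fields_str.rstrip()
    if not sep or not fields_str.endswith("]"):
        return None
    fields: Dict[str, str] = {}
    is_folder = False
    for item in fields_str[:-1].split(" | "):
        key, eq, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Folder" and not eq:
            is_folder = True
        else:
            fields[key] = value
    size_txt = fields.get("Size", "")
    size = int(size_txt.split()[0]) if size_txt else None
    return Entry(name=name.strip(), path=path.strip(), publisher=publisher.strip(),
                 is_folder=is_folder, version=fields.get("Ver", ""), size=size,
                 modified=fields.get("Modified Date", ""), attrs=fields.get("Attr", ""))


def suspicion_reasons(e: Entry) -> List[str]:
    """Heuristic (editor's assumption): why an entry under %System32% deserves review."""
    reasons: List[str] = []
    if e.is_folder or not e.path.lower().startswith("%system32%"):
        return reasons
    if e.publisher or e.version:
        return reasons  # carries a vendor/version block; not the pattern seen in this log
    stem, dot, ext = e.name.rpartition(".")
    ext = ("." + ext).lower() if dot else ""
    attrs = e.attrs.upper()
    if "H" in attrs and "S" in attrs:
        reasons.append("hidden+system attributes on a file with no publisher/version block")
    if ext in NATIVE_EXTS and len(stem) >= MIN_RANDOM_STEM and stem.isalpha() and stem.islower():
        reasons.append("random-looking lowercase name on a native binary")
    if ext == ".tmp":
        reasons.append("temporary file left in a system directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run every parseable line through the heuristic and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


def fix_lines(findings: List[Finding]) -> List[str]:
    """Render findings in the 'NY -> name -> path' form used in the fix above, for review."""
    return [f"NY -> {f.entry.name} -> {f.entry.path}" for f in findings]


# Sample input: lines copied from the WinPFind3U log posted above (one header, folders,
# a vendor-signed binary, a benign cache file and three entries the helper flagged).
SAMPLE_LOG = r"""[Files/Folders - Modified Within 90 days]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 7/8/2007 6:53:52 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 370 bytes | Modified Date = 7/11/2007 12:57:22 PM | Attr =  H ]
apnbopbd.ini -> %System32%\apnbopbd.ini ->  [Ver =  | Size = 896958 bytes | Modified Date = 6/11/2007 9:31:14 PM | Attr =  HS]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 361728 bytes | Modified Date = 6/2/2007 7:18:44 PM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Modified Date = 6/11/2007 2:57:20 PM | Attr =    ]
njyoxcnhlwus.sys -> %System32%\drivers\njyoxcnhlwus.sys ->  [Ver =  | Size = 8704 bytes | Modified Date = 7/8/2007 2:30:18 PM | Attr =    ]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.entry.name:20s} {finding.entry.size!s:>8s} bytes  {finding.entry.modified}")
        for reason in finding.reasons:
            print(f"    - {reason}")
    print("\n".join(fix_lines(triage(SAMPLE_LOG))))
```

The heuristic deliberately skips anything with a publisher or version string, so vendor files such as `aswBoot.exe` never appear even though they sit in the same directory; the output is a review list for a helper, not something to paste into the fix pane unread.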
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 13, 2007, 03:08:05 PM
Hi Essexboy, thanks for the quick-tip.

Mauserme, ran the WinPFind3u with your fix, the report is pasted below:

[Files/Folders - Created Within 90 days]
C:\WINDOWS\SYSTEM32\apnbopbd.ini moved successfully.
C:\WINDOWS\SYSTEM32\awgvioka.ini moved successfully.
C:\WINDOWS\SYSTEM32\awwqhkbm.ini moved successfully.
C:\WINDOWS\SYSTEM32\btuceges.ini moved successfully.
C:\WINDOWS\SYSTEM32\byctvjad.ini moved successfully.
C:\WINDOWS\SYSTEM32\cokqgjee.ini moved successfully.
C:\WINDOWS\SYSTEM32\eclblhoy.ini moved successfully.
C:\WINDOWS\SYSTEM32\epimlscn.ini moved successfully.
C:\WINDOWS\SYSTEM32\esagrbsj.ini moved successfully.
C:\WINDOWS\SYSTEM32\ggfccaun.ini moved successfully.
C:\WINDOWS\SYSTEM32\ghpllnnu.ini moved successfully.
C:\WINDOWS\SYSTEM32\hanujeoc.ini moved successfully.
C:\WINDOWS\SYSTEM32\hfeblegh.ini moved successfully.
C:\WINDOWS\SYSTEM32\honmjkuk.ini moved successfully.
C:\WINDOWS\SYSTEM32\jyuukovc.ini moved successfully.
C:\WINDOWS\SYSTEM32\kadhngey.ini moved successfully.
C:\WINDOWS\SYSTEM32\knircdfl.ini moved successfully.
C:\WINDOWS\SYSTEM32\kycvaurl.ini moved successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp moved successfully.
C:\WINDOWS\SYSTEM32\meskflyf.ini moved successfully.
C:\WINDOWS\SYSTEM32\qoorjrbi.ini moved successfully.
C:\WINDOWS\SYSTEM32\rosksxkd.ini moved successfully.
C:\WINDOWS\SYSTEM32\rqtss.bak2 moved successfully.
C:\WINDOWS\SYSTEM32\rqtss.ini moved successfully.
C:\WINDOWS\SYSTEM32\seglavgs.ini moved successfully.
C:\WINDOWS\SYSTEM32\sttss.ini moved successfully.
C:\WINDOWS\SYSTEM32\tuikrbvg.ini moved successfully.
C:\WINDOWS\SYSTEM32\veiixtnf.ini moved successfully.
C:\WINDOWS\SYSTEM32\vwhpwrca.ini moved successfully.
C:\WINDOWS\SYSTEM32\wvejtjfw.ini moved successfully.
C:\WINDOWS\SYSTEM32\drivers\njyoxcnhlwus.sys moved successfully.
C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20070602-143317.backup moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\WINDOWS\SYSTEM32\apnbopbd.ini not found!
File C:\WINDOWS\SYSTEM32\awgvioka.ini not found!
File C:\WINDOWS\SYSTEM32\awwqhkbm.ini not found!
File C:\WINDOWS\SYSTEM32\btuceges.ini not found!
File C:\WINDOWS\SYSTEM32\byctvjad.ini not found!
File C:\WINDOWS\SYSTEM32\cokqgjee.ini not found!
File C:\WINDOWS\SYSTEM32\eclblhoy.ini not found!
File C:\WINDOWS\SYSTEM32\epimlscn.ini not found!
File C:\WINDOWS\SYSTEM32\esagrbsj.ini not found!
File C:\WINDOWS\SYSTEM32\ggfccaun.ini not found!
File C:\WINDOWS\SYSTEM32\ghpllnnu.ini not found!
File C:\WINDOWS\SYSTEM32\hanujeoc.ini not found!
File C:\WINDOWS\SYSTEM32\hfeblegh.ini not found!
File C:\WINDOWS\SYSTEM32\honmjkuk.ini not found!
File C:\WINDOWS\SYSTEM32\jyuukovc.ini not found!
File C:\WINDOWS\SYSTEM32\kadhngey.ini not found!
File C:\WINDOWS\SYSTEM32\knircdfl.ini not found!
File C:\WINDOWS\SYSTEM32\kycvaurl.ini not found!
File C:\WINDOWS\SYSTEM32\mcrh.tmp not found!
File C:\WINDOWS\SYSTEM32\meskflyf.ini not found!
File C:\WINDOWS\SYSTEM32\qoorjrbi.ini not found!
File C:\WINDOWS\SYSTEM32\rosksxkd.ini not found!
File C:\WINDOWS\SYSTEM32\rqtss.bak2 not found!
File C:\WINDOWS\SYSTEM32\rqtss.ini not found!
File C:\WINDOWS\SYSTEM32\seglavgs.ini not found!
File C:\WINDOWS\SYSTEM32\sttss.ini not found!
File C:\WINDOWS\SYSTEM32\tuikrbvg.ini not found!
File C:\WINDOWS\SYSTEM32\veiixtnf.ini not found!
File C:\WINDOWS\SYSTEM32\vwhpwrca.ini not found!
File C:\WINDOWS\SYSTEM32\wvejtjfw.ini not found!
File C:\WINDOWS\SYSTEM32\drivers\njyoxcnhlwus.sys not found!
< End of log >
Created on 07/13/2007 09:03:31

Also fixed the foldershare with HijackThis.

Thank you again.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 14, 2007, 07:28:02 AM
Assuming your computer is still running well I think we're done with the really nasty stuff.


Magic Folders Uninstallation/Spyagent Error
...
“If you do not see the program installed in either of folders , it is likely that the program magic folders, gives false positive & spyagent is not actually there.
SpyAgent Stealth Install Directory: c:/program files/sysconfig
Default non-stealth Install Directory:
c:/program files/spytech software/spytech spyagent”
What is the status of this now?  I didn't see either program in the HJT Uninstall List which is not too surprising for SpyAgent, but I'm wondering if Magic Folders has been successfully removed.


Open Folder Options in the Control Panel and, on the View Tab, make sure

>  Show Hidden Files and Folders is checked
>  Hide Extensions for Known File Types is not checked
>  Hide Protected Operating System Files is not checked

Now see if you're able to find either of the paths tech support gave you.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 14, 2007, 01:56:10 PM
Hi Mauserme,
The Magic folders is still around. I tried uninstalling without effect. Also, after unchecking the options you specified, a search for the specific Spyagent directories turned out negative. Hopefully this is just a false positive.

What kind of resident antivirus and firewall protection do you use/recommend to avoid such future attacks? What frequency should I run a full scan? Currently I have:
avast antivirus Scanner on full time (got 6 out of 7 running, not sure what happened to the 7th)
Windows Defender
the multiple programs installed during this cleanup process (not sure if any are active residents)
Windows firewall and
McAfee Site advisor

I use the Mozilla browser 90% of the time. Of course Windows comes with IE, and I have the latest version, but IE has always been a pain, so I try avoiding it other than for sites that require it. I have been considering switching to Safari, since the reviews have been awesome, but have to look more into the Windows version of Safari and its reliability.

One other thing (not sure if it's your area, since it's not virus related): I have been trying to remove my dual boot option. I used to have Win and Linux. Linux was removed and the space repartitioned to XP, yet the dual boot option stays. I read up on it, and many mentioned possibly manipulating boot.ini and its risks. Any suggestions?

Thanks for, to put it literally, curing my sick computer. I really appreciate the time and effort you put in to walk me through this long process. Really really appreciate it.  :)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 14, 2007, 02:09:37 PM
One more quick question:
Upon checking My Computer -> System Properties -> Advanced -> User Profiles Settings I noticed my login profile is 1.10 GB while the other logons are only a few KB to a few MB. Is that normal or is it because I have too many programs loading on startup. Can we pick and choose?

Also same area above but within Startup & Recovery I found the options for Windows XP/Linux. There is a checkmarked option "Time to display list of operating systems" which is set now to 30sec. Maybe change that to 0sec?

Thanks
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Lisandro on July 14, 2007, 02:22:42 PM
Upon checking My Computer -> System Properties -> Advanced -> User Profiles Settings I noticed my login profile is 1.10 GB while the other logons are only a few KB to a few MB. Is that normal or is it because I have too many programs loading on startup. Can we pick and choose?
I have a lot of installed programs and my profile is far from 1.1 GB... But it's difficult to know what is causing that. Maybe you should clean your temporary files with CCleaner.

Also same area above but within Startup & Recovery I found the options for Windows XP/Linux. There is a checkmarked option "Time to display list of operating systems" which is set now to 30sec. Maybe change that to 0sec?
I suggest 6-8 seconds... but you can set zero if you have only one operating system on this computer.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 14, 2007, 03:26:22 PM
Let's take care of a little clean up which will also partially answer one of your questions.

Double click OTMoveIt once again and click the CleanUp! button.  You may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.



Next, we'll clear your old, possibly infected restore points and create a new, clean point:

1. Click Start>All Programs>Accessories > System tools > System Restore
2. In the dialog box that appears  Click in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a name you will remember if you need to find this again (like Clean Point)
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Click Start>All Programs>Accessories > System tools > Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button


Now, for a firewall, I like Comodo.  It has a nice balance between being user friendly and tight security.

http://filehippo.com/download_comodo/

Zone Alarm and PC Tools Firewall are also worth considering.  In any event, since the Windows Firewall provides good inbound protection but no outbound, a third party firewall is a must.

I think you're fine with avast! as your resident AV - it's been my choice for some time now.  The 6/7 providers running is normal if you don't use Outlook;  the 7th provider is waiting for Outlook to start.  If you want to try a backup, nonresident AV, the free versions of BitDefender and ClamWin work:

http://www.bitdefender.com/site/view/Download-Free-Products.html

http://www.clamwin.com/

Neither of these will conflict with avast! since they are nonresident.  My scan frequency is usually once/week (or as needed if I suspect a problem) with avast!, and either SuperAntiSpyware or AVG AntiSpyware:

http://www.superantispyware.com/

http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0

Both SAS and AVG AS are very good, though the update process for AVG has been giving me problems for several months.

I also immunize my computer against certain malware with SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html


I would take Tech's suggestion about CCleaner:

http://www.ccleaner.com/

When you install it, uncheck the option to install the Yahoo Toolbar.  Clean your temporary files but also use the registry cleaner.   If there's a stray SpyAgent registry entry preventing removal of Magic Folders, CCleaner may fix it, so try uninstalling Magic Folders again after you finish cleaning.  Make sure to make a backup when you run the registry cleaner (CCleaner will give you this option).

Trying to figure out the "best" browser is likely to cause an argument around here.  I just use Avant Browser which is an Internet Explorer shell.  Firefox is certainly more secure than Avant, but this is so dependent on one's surfing habits that I don't have problems.  I think this comes down to personal choice but others will disagree.

And you're right about the dual boot quandary - I'm not qualified to help with this but I'm guessing Tech might have more to say about it.  Good luck with that, and you're welcome for the part I was able to help with.   :)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 16, 2007, 03:44:41 PM
Hi,

Dual boot: reduced delay to 5 seconds

System Restore
: Activated system restore, created a new clean point & cleared old restores.

Firewall: Installed Comodo. Windows Firewall is currently inactive. Should I activate that too?

Anti-Spyware: SpywareBlaster installed and updated.

CCleaner: Installed, updated and ran without the Yahoo toolbar.

Magic Folders: Tried uninstalling after running CCleaner but the situation is unchanged.

Only chink in the armor: Comodo restricted access to a "Generic Host Process for Win32 services". I googled it and there seem to be mixed reviews, so did not allow access to the internet.

Thanks guys!
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Lisandro on July 16, 2007, 08:58:36 PM
Firewall: Installed Comodo. Windows Firewall is currently inactive. Should I activate that too?
No. Let only Comodo active.

Anti-Spyware: SpywareBlaster installed and updated.
It's only immunization, not a scanner.
Try AVGas, Spyware Terminator or SuperAntispyware.

Only chink in the armor: Comodo restricted access to a "Generic Host Process for Win32 services". I googled it and there seem to be mixed reviews, so did not allow access to the internet.
Yes... it's difficult to say because some legit programs use it to connect. Some others are malware.
Remove the Comodo entry and wait for the next time it asks for a connection. Try to post the full Comodo info at that time.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 17, 2007, 07:42:47 AM
Magic Folders: Tried uninstalling after running CCleaner but the situation is unchanged.
How are you trying to uninstall this?  I mean, I don't see it in the Uninstall List.


Only chink in the armor: Comodo restricted access to a "Generic Host Process for Win32 services". I googled it and there seem to be mixed reviews, so did not allow access to the internet.
I think it's OK to allow it as long as that's running from c:\windows\system32  (if it isn't I need to know that).  This is also known as svchost.exe and is responsible for opening lots of services, including things like time sync that need an internet connection.

There is malware that will attempt to look like this process in order to get through the firewall.  The name might be spelled SVCH0ST.EXE with a numeric 0 where the alpha O should be, or scvhost.exe with letters transposed, etc.  So you do need to look at it carefully to make sure it's the legitimate process.
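The two checks in the post above (exact name, and running from c:\windows\system32) can be applied to a whole process list at once. Here is an added example in Python, not code from the forum or from Comodo, that takes full image paths such as those listed under "Running processes" in a HijackThis log and classifies each one: the real svchost.exe must have exactly that name and live in System32, while names that match only after undoing digit-for-letter swaps (0 for O), transposing two adjacent letters (scvhost), or one character of edit distance are flagged as lookalikes. The process list is constructed sample data, and the "legitimate directory" set is an assumption based on a default Windows XP install.

```python
"""Flag processes whose name imitates Windows' svchost.exe.

Added example for this thread, not code from the forum or from Comodo.
Input is a list of full image paths as shown under "Running processes"
in a HijackThis log; SAMPLE_PROCESSES below is constructed sample data,
and LEGIT_DIRS assumes a default Windows XP install.
"""
import ntpath
import os

LEGIT_NAME = "svchost.exe"
# Assumption: the only folder the real svchost.exe runs from on XP.
LEGIT_DIRS = {r"c:\windows\system32"}

# Digit/symbol-for-letter swaps used in lookalike file names (0 for O, etc.).
HOMOGLYPHS = {"0": "o", "1": "l", "5": "s", "$": "s", "|": "l"}


def normalize(name: str) -> str:
    """Lower-case the name and undo homoglyph swaps in the stem (not the extension)."""
    stem, ext = os.path.splitext(name.lower())
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in stem) + ext


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by two adjacent characters swapped (scvhost vs svchost)."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one dropped, added or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one image path."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if name == LEGIT_NAME:
        # Right name, but only the System32 copy is the real one.
        return "legit" if directory in LEGIT_DIRS else "lookalike"
    if (normalize(name) == LEGIT_NAME
            or is_transposition(name, LEGIT_NAME)
            or edit_distance(normalize(name), LEGIT_NAME) <= 1):
        return "lookalike"
    return "unrelated"


def audit(paths):
    """Return just the paths that imitate svchost.exe or run it from the wrong folder."""
    return [p for p in paths if classify(p) == "lookalike"]


# Constructed sample, in the style of HijackThis' "Running processes" list.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\svch0st.exe",                        # digit zero for letter O
    r"C:\WINDOWS\system32\scvhost.exe",               # transposed letters
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\svchost.exe",    # right name, wrong folder
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashWebSv.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_PROCESSES:
        print(f"{classify(path):10} {path}")
```

Run as-is it prints a verdict per sample path, flagging the three lookalikes. This is a name-and-path check only: it catches the cheap spelling tricks the post describes, but it cannot tell whether a genuine C:\WINDOWS\system32\svchost.exe is hosting a malicious service DLL, since svchost.exe loads whatever the registry's service entries point it to. On XP, `tasklist /svc` shows which services each svchost instance hosts, and the O23 lines of a HijackThis log show the binary behind each service, which is the next thing to look at before allowing the connection.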
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 17, 2007, 01:11:03 PM
Magic Folders:
When I open magic folders, the first menu gives a screen with a button saying "uninstall" even without logging in.

Avast:
Comodo is blocking Avast update on startup

Infected again:
Even after all this, upon running a thorough scan, avast pulled up the following
File name: E:\Program Files\Anti Virus\Avast\DATA\moved\acrwphwv.dll.vir
Malware name: Win32:Virtumonde-BA [Adw]
Malware type: Adware
VPS version: 000757-2, 07/16/2007
Action taken: Moved to chest
In the last few days I have mostly only visited new websites, Gmail, avast and one music streaming site.

I guess this is an ongoing war.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 17, 2007, 01:43:54 PM
Magic Folders:
When I open magic folders, the first menu gives a screen with a button saying "uninstall" even without logging in.
Can you get past the menu screen, or is it possibly a menu that leads nowhere?



Avast:
Comodo is blocking Avast update on startup
Right click the Comodo icon in the tray and click Open.  Open the application monitor and right click

C:\Program Files\Alwil Software\Avast4\Setup\avast.setup

and change it to "allow".

These also need internet access

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner)
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (avast! e-Mail Scanner Service)



Infected again:
Even after all this, upon running a thorough scan, avast pulled up the following
File name: E:\Program Files\Anti Virus\Avast\DATA\moved\acrwphwv.dll.vir
Malware name: Win32:Virtumonde-BA [Adw]
Malware type: Adware
VPS version: 000757-2, 07/16/2007
Action taken: Moved to chest
In the last few days I have mostly only visited new websites, Gmail, avast and one music streaming site.

I guess this is an ongoing war.
No, this war seems over.

When avast! detects malware it gives you Delete/Move/Move to Chest/Ignore options (or similar - not sure of the exact wording).  The location of that file, in the "moved" folder, means you clicked the Move option instead of Move to Chest at some point when you were infected.  The double extension ending in .vir also indicates avast! handled it.

When you ran the thorough scan avast! found the file outside the chest and put it in the chest, this being the safest of the options.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 17, 2007, 04:34:29 PM
Firewall:
Only Comodo is active. Windows Firewall turned off.

Magic Folders:
The first screen gives three options
(1) "Purchase"
(2) "Login"
(3) "Uninstall"
Upon clicking the uninstall, the error message pops up. That's about it. I guess they really want people to purchase their product.
I used this program about 10 years back, and it used to work fine. Recently I started working a lot from home. It is a good program if you do a lot of work from home and have files that should not be accidentally deleted or if you do not want the other users to see your files. Basically the memory area will not come up in any search. One of the reasons I wasn't going to purchase is because I was concerned that, if it hides files so well, virus programs could probably hide within that memory space and may not be scanned.

Antivirus:
SuperAntiSpyware is running.
AVG AntiSpyware is also active.
Avast has full access through Comodo. Do the files in chest ever need to be cleared? Can the infected files be automatically moved to chest? I checked within settings->Confirmations. Did not see the option.

Thanks both of you
Maze :-)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 18, 2007, 04:57:07 AM
When you open Magic Folders is it via desktop icon, hot key, or something else?

Let's give this a try - Symantec has an online scan and, although I'm no fan of Symantec AV, it does seem to sometimes spot commercial key loggers.  Here's a link:

 http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=23&pkj=YRHIEXPHXXKXLUMCIQR

Use the Virus Detection option, not the Security Scan.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 18, 2007, 05:36:56 PM
Hi Mauserme,

Magic Folders: I open it from the Start Menu.
I ran into an even bigger problem. Since this morning, the computer will not start up. I opened the CPU up, cleaned out the dust build-up on the fans (usually that works), but no luck today. I am going to wait and see till this evening, else tomorrow I may have to take it out to Geek Squad or some store. There are LEDs lit up inside, so obviously power is coming in; it's possible the power switch could be shorted. Hopefully it's that simple.

Will perform the Symantec scan as soon as I can get this up and running. Right now I am accessing from my laptop, but this morning this kept rebooting, after a blue screen with numbers and a mention of a virus. I logged in with the last saved good configuration. Ran a thorough avast scan, found no anomalies except an msi.dll cab file (MS installer file as per blogs) which could not be scanned. Looks like the computers have got something against me  ;D

I was going to retrace the paths we took with the other computer in this one too. So am in the process of downloading some of the spyware/adware scanners you recommended during the initial phases of our conversation.

Pardon me for prolonging this. I know it's already been too long.

Maze
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 18, 2007, 07:19:20 PM
Computer still unresponsive.

Just wanted to update you on one thing: I tried uninstalling Magic folders on my laptop and it uninstalled without glitches. I possibly have an uninstall file with errors.

Thank you.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 18, 2007, 07:47:17 PM
Hi Mauserme,

Magic Folders: I open it from the Start Menu.
I ran into an even bigger problem. Since this morning, the computer will not start up. I opened the CPU up, cleaned out the dust build-up on the fans (usually that works), but no luck today. I am going to wait and see till this evening, else tomorrow I may have to take it out to Geek Squad or some store. There are LEDs lit up inside, so obviously power is coming in; it's possible the power switch could be shorted. Hopefully it's that simple.
Maybe the power supply, but that's a guess.

Anyway, it gives us some time with the laptop.  Let's start with a ComboFix log, followed by HJT.

Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 18, 2007, 08:55:57 PM
Desktop is back up and running. Yeah, checked the power supply. Your suggestion gave me an idea to go for simplest solution. Changed the power cord. It worked.

Symantec did not run. Required IE. (Made sure ActiveX and Scripting were enabled)

Next post: later today with Laptop ComboFix & HJT logs
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 19, 2007, 07:40:10 PM
Next post: later today with Laptop ComboFix & HJT logs
I'm ready when you are  :)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 19, 2007, 10:34:53 PM
Hi Mauserme,
Sorry for the delay. I was doing some homework, to be more specific the initial antivirus scans that we performed for the other computer, so that I could save you some time by looking at a cleaner Combofix and HijackThis log. I have listed the process performed in the last 24 hours in order below.


1.   Uninstalled Old Java and installed latest version from filehippo
2.   Downloaded and installed/updated the following
         - Windows Defender
         - Ad-Aware 2007
         - Spyware Terminator
         - AVG Anti-Spyware
         - Avast (update only)
         - Spybot Search & Destroy (update only)
         - SuperAntiSpyware
3.   Disabled system restore
4.   Turned off internet access
5.   Restarted in safe mode
6.   Ran all the above
7.   Restarted in normal mode with internet off
8.   Immunized with Spywareblaster & Spybot search & destroy
9.   Turned internet on
10.   Downloaded and installed Comodo Firewall
11.   Uninstalled Norton Security Center
12.   Could not remove 0.13MB of Norton Antivirus 2005 (that has to be removed before uninstalling "Norton Live Update 2.5")
13.   Ran Ccleaner – cleared temporary files and registry (after backup)
14.   Ran a thorough system inspection for insecure applications with Secunia Software Inspector. The following were flagged:
         - Quicktime (uninstalled)
         - Adobe Flash Player 7.x, 8.x, 9.x (couldn't find an option to uninstall the old ones before installing the new version)
         - Macromedia Flash Player 7.x & 8.x (couldn't find an option to uninstall the old ones before installing the new version)
         - Mozilla Firefox (update downloaded and installed)
15.   Ran ComboFix (log pasted in the next post)
16.   Ran HijackThis (log pasted in the post after ComboFix log)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 19, 2007, 10:37:44 PM
"Maze" - 2007-07-19 16:04:30 - ComboFix Log 07-07-17.8 - Service Pack 2  NTFS 


(((((((((((((((((((((((((   Files Created from 2007-06-19 to 2007-07-19  )))))))))))))))))))))))))))))))


2007-07-19 16:01   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-19 14:19   <DIR>   d--------   C:\DOCUME~1\Gladys\APPLIC~1\Comodo
2007-07-19 14:19   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-18 23:44   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-18 17:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-18 17:34   <DIR>   d--------   C:\DOCUME~1\Gladys\APPLIC~1\SUPERAntiSpyware.com
2007-07-18 17:23   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-18 17:14   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-18 17:10   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 17:03   138,368   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-07-18 16:54   <DIR>   d--------   C:\Program Files\Spyware Terminator
2007-07-18 16:54   <DIR>   d--------   C:\DOCUME~1\Gladys\APPLIC~1\Spyware Terminator
2007-07-18 16:54   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-07-17 22:42   52,108   --a------   C:\WINDOWS\system32\drivers\XMS1563K.SYS


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 19:01:26   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-07-19 19:00:53   --------   d-----w   C:\Program Files\QuickTime
2007-07-19 18:26:25   --------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-07-19 12:13:37   --------   d-----w   C:\Program Files\DivX
2007-07-19 03:37:23   --------   d-----w   C:\Program Files\Installed
2007-07-18 14:57:25   --------   d-----w   C:\Program Files\Microsoft Money 2005
2007-06-18 21:23:01   --------   d-----w   C:\DOCUME~1\Gladys\APPLIC~1\Talkback
2007-06-13 14:49:06   --------   d-----w   C:\Program Files\Internet
2007-06-04 19:18:48   9,344   ----a-w   C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02   8,320   ----a-w   C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56   6,272   ----a-w   C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08   62080   --a------   C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04   853672   --a------   C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00   501136   --a------   C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-14 22:16]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 21:34]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"COMODO Firewall Pro"="C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" [2007-07-19 14:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-07-19 19:24:48  C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-19 17:26:22  C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 16:07:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-07-19 16:10:11

   --- E O F ---

Next post: HijackThis Log
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 19, 2007, 10:39:20 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:22 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
C:\Program Files\Installed\Anti Virus\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Installed\Anti Virus\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\Installed\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6420 bytes

Thank you :-)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 20, 2007, 06:06:41 AM
My goodness - aren't you ambitious  :o

Other than a remnant or two of Magic Folders and some stray Symantec (Norton) entries I don't see anything of note in these logs.  Are you experiencing any symptoms of infection?

Here are a few thoughts:

Quote
3.   Disabled system restore
If you ever need to clean your restore points again I prefer the following method as it never leaves you without at least one restore point:

1. Click Start>All Programs>Accessories > System tools > System Restore
2. In the dialog box that appears  Click in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a name you will remember if you need to find this again (like Clean Point)
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Click Start>All Programs>Accessories > System tools > Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

Quote
8.   Immunized with Spywareblaster & Spybot search & destroy
Again, just for future reference, I think it's safer to immunize after you know the computer is clean.  Skip this step if you suspect there is any infection.

Quote
12.   Could not remove 0.13MB of Norton Antivirus 2005 (that has to be removed before uninstalling   “Norton Live Update 2.5)
There is a removal tool you should download and run:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Then look for and delete any remaining traces of Norton/Symantec from your hard drive.  After running the tool you can post another HJT log and we'll remove any lines that remain.

Quote
catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 16:07:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\MFX.sys

scan completed successfully
hidden files: 1
This file is a remnant of Magic Folders that is still on your computer (the rootkit component that hides the rest).  There is another, C:\WINDOWS\system32\drivers\XMS1563K.SYS, that may or may not still be there.

Download OTMoveit to this computer and paste these paths in


C:\WINDOWS\system32\drivers\XMS1563K.SYS
C:\WINDOWS\system32\drivers\MFX.sys
C:\WINDOWS\magic.exe
c:\syz_dat
c:\x__x


Click the MoveIt button and paste the results in your next response.

In that mfx.sys is detected by ComboFix I have to say Magic Folders is not installed on your desktop.  We ran multiple ComboFix logs with no trace of that file.  Maybe you have a menu screen with nothing behind it.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 20, 2007, 07:20:41 AM
OTMoveIt Results:
C:\WINDOWS\system32\drivers\XMS1563K.SYS moved successfully.
File/Folder C:\WINDOWS\system32\drivers\MFX.sys not found.
File/Folder C:\WINDOWS\magic.exe not found.
File/Folder c:\syz_dat not found.
File/Folder c:\x__x not found.
 
Created on 07/20/2007 01:08:07

Symantec (Norton) Removed

System Restore: New Clean Point created

Thanks Mauserme.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 20, 2007, 01:11:21 PM
If you set your folder options to "Show Hidden Files and Folders" and uncheck "Hide protected Operating System Files", can you see C:\WINDOWS\system32\drivers\MFX.sys by navigating to the folder?
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 20, 2007, 05:10:37 PM
Hi Mauserme,
mfx.sys not in C:\WINDOWS\system32\drivers\MFX.sys

The closest thing I found was mf.sys but the description says "multifunction enumerator" by Microsoft Corporation.

One other thing:
I guess loading all the antivirus programs + the other stuff I have already, has made the laptop really really slow. It takes over 10min to load up and even Word takes a whole min to load. Should we stop some non-essential processes?

Thanks again,
Maze
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 20, 2007, 08:17:58 PM
Quote
The closest thing I found was mf.sys but the description says "multifunction enumerator" by Microsoft Corporation.
Let's leave that file alone.


Quote
I guess loading all the antivirus programs + the other stuff I have already, has made the laptop really really slow. It takes over 10min to load up and even Word takes a whole min to load. Should we stop some non-essential processes?
One resident antivirus, one resident antispyware, one firewall and Winpatrol is enough (plus any nonresident scanners you might want to use).  Windows Defender + AVG AntiSpyware + Spyware Terminator all resident is a bit much.  AVG AS will become nonresident when the trial period ends (unless you purchase it), and Defender is, well, not my first choice in protection.  So, unless you really like Defender, either keep Spyware Terminator loading at start up or purchase AVG AS, and disable the others in their respective GUIs.

It would also be good to run HJT again and fix any Symantec lines that might still be present - I'm sure you know how to do this by now.

I will be away from the forum for a couple days and will check back after the weekend  :)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 24, 2007, 02:33:01 AM
Hey Maze, I'm back. 

Is it booting any better?
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 26, 2007, 04:41:56 AM
Hi Mauserme,
Hope you had a nice weekend. Sorry for the late reply, I had a small accident over the weekend, so kinda have been in a lot of pain recently. So just fired up the laptop after a few days.

Status quo:
1) Booting is just as before since I have not changed anything. How do I check what is currently loading at start up?

2) Did not find Symantec in HJT log

3) I am posting my current HJT log. Please tell me if you see any anomalies. I am still a 3-week old novice at this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:23 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
C:\Program Files\Installed\Anti Virus\ashWebSv.exe
C:\Program Files\Internet\Firefox Browser\firefox.exe
C:\Program Files\Installed\Anti Virus\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\Installed\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5842 bytes

Thank you.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 26, 2007, 05:28:44 AM
It sounds like my weekend was a lot better than yours.  Hope you're feeling better soon.

I don't see any more remnants of Symantec in your most recent HJT log so SymNRT did its job.  I just noticed, though, that you also have AdAware loading at startup too.  This is one I would definitely disable and use as an on-demand scanner only.

Get the anti-spyware/adware startups down to a single program and let me know how the computer boots.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 26, 2007, 10:48:03 PM
Hi Mauserme,
I disabled "Realtime protection" in all except
Avast
Spyware Terminator &
Comodo firewall

Questions:
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe:
is still loading. Adaware.exe is not. Realtime protection is turned off. I ran the aawservice.exe manually. A command prompt window came up and disappeared.

C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe:
Windows defender real time is turned off too, but this file is in the HJT log

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe:
Is this ok?

The rest I am assuming are registers, not sure how to interpret them. (noticed adaware in there too). Should I use HJT to stop these, or should I uninstall or have I missed an option in settings?

Posted is the most recent HJT log after making the updates you recommended followed by a restart.

Thanks a lot again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:32 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Installed\Anti Virus\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet\Firefox Browser\firefox.exe
C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
C:\Program Files\Installed\Anti Virus\ashWebSv.exe
C:\Program Files\Installed\Anti Virus\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\Installed\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Installed\Anti Virus\SuperAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Installed\Anti Virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Installed\Anti Virus\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5716 bytes


Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 27, 2007, 01:49:46 PM
Often when you have security software installed you'll find some running processes even though you think of the program as being non-resident.  Lavasoft's explanation is that the scan engine for the free version of AdAware 2007 is the same as the paid version with some functions disabled.  But it still loads when you start the computer just like the paid version.

I haven't tried AdAware 2007 because there have been so many complaints about it.  The old version, AdAware SE, doesn't seem to run any processes unless I start it.  You could try disabling aawservice.exe at startup with WinPatrol - I think this should work.



If you google MsMpEng.exe you'll find many users complain of long boot times in some cases.  Microsoft says this is because Defender does a "min-scan" at startup and this can take appreciable time on some computers. 

I just tried disabling the service on my Vista box (the only one I have with Windows Defender installed) and noticed only a slight improvement in boot time.  If you want to try this open the Administrative Tools in the Control Panel and double click Services.  Scroll down to Windows Defender, double click it, and set the Start Up Type to Disabled.  Then click OK.


jusched.exe is the Java updater.  If you monitor a forum like this one where you will be aware of Java updates this can be disabled by turning off automatic updates in Java.  Open Java in the Control Panel, click the Update tab, and uncheck the box for Automatic Updates.

If you don't have an alternate means of knowing about updates leave this running.  It doesn't use too many resources compared to the risk of never updating.


You also still have C:\Program Files\Installed\Anti Virus\AVG Anti-Spyware 7.5\guard.exe which I usually disable with WinPatrol.


And although this won't help your boot times you could fix these lines in HJT

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
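An added example, not from this thread and not part of HijackThis itself: a small Python parser for the HJT log format posted above. It separates the "Running processes" list from the R/O entries, flags entries whose target is "(no file)" (the kind of orphaned line suggested for fixing above), and cross-references each running process against the O4 Run keys and O23 services, which shows why a program such as aawservice.exe keeps loading after its GUI's real-time protection is switched off: it is registered as a service, not as a Run key. The embedded sample is a trimmed copy of the log in this thread; the function names and the classification labels are my own assumptions, not anything HJT produces.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed copy of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:32 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Installed\Anti Virus\ashServ.exe
C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe
C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Installed\Anti Virus\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Installed\Anti Virus\ashServ.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Installed\Anti Virus\AdAware2007\aawservice.exe

--
End of file - 5716 bytes
"""

# An HJT entry line: "R0 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d{1,2}) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23 body: Service: Display Name - Vendor - path
SERVICE_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class HjtReport:
    platform: str = ""
    processes: list = field(default_factory=list)   # paths under "Running processes:"
    entries: list = field(default_factory=list)     # (kind, body) for every R/O line
    autostarts: list = field(default_factory=list)  # (hive, name, command) from O4
    services: list = field(default_factory=list)    # (display, vendor, path) from O23
    orphaned: list = field(default_factory=list)    # entries whose target is "(no file)"


def parse_hjt(text: str) -> HjtReport:
    """Parse an HJT log into its sections (assumed layout, based on the logs in this thread)."""
    report = HjtReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Platform:"):
            report.platform = line.split(":", 1)[1].strip()
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            kind, body = m.group("kind"), m.group("body")
            report.entries.append((kind, body))
            if "(no file)" in body:          # registry points at a file that no longer exists
                report.orphaned.append((kind, body))
            if kind == "O4":
                om = O4_RE.match(body)
                if om:
                    report.autostarts.append((om["hive"], om["name"], om["command"]))
            elif kind == "O23":
                sm = SERVICE_RE.match(body)
                if sm:
                    report.services.append((sm["display"], sm["vendor"], sm["path"]))
            continue
        if section == "processes":
            report.processes.append(line)
    return report


def _exe_path(command: str) -> str:
    """Extract the executable path from an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" /", 1)[0]


def startup_sources(report: HjtReport) -> dict:
    """Map each running process to the autostart mechanism the log shows for it."""
    run_keys = {_exe_path(cmd).lower(): f"O4 {hive} Run [{name}]"
                for hive, name, cmd in report.autostarts}
    services = {path.lower(): f"O23 service '{display}'"
                for display, _vendor, path in report.services}
    result = {}
    for proc in report.processes:
        key = proc.lower()
        result[proc] = run_keys.get(key) or services.get(key) or "not listed as Run key or service"
    return result


if __name__ == "__main__":
    rep = parse_hjt(SAMPLE_LOG)
    print("Platform:", rep.platform)
    for kind, body in rep.orphaned:
        print("orphaned entry (candidate to fix):", kind, body)
    for proc, source in startup_sources(rep).items():
        print(f"{proc}\n    -> {source}")
```

Run against a full log, the last loop answers the question asked in the thread ("should I use HJT to stop these, or should I uninstall?"): a process whose source is an O23 service is stopped by disabling or uninstalling the service, not by removing a Run key, while a process with no listed source is either a core Windows component or something started by a mechanism HJT does not show.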
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 28, 2007, 08:09:19 PM
Hi Mauserme,
- Uninstalled Adaware2007 & AVG AntiSpyware
- Windows Defender at Startup disabled
- Spyware Terminator, Avast & Comodo Firewall running
- Java left as it is
- Fixed your recommendations with HJT
- Startup time for laptop has considerably decreased (down 5-7min from 10-13 min).

Thank you so much for being patient and walking me through fixing both my computers for the last almost a month I believe. I never expected this kind of help when I posted. Hopefully I can learn enough to someday help someone else as you do. Thank you!!
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on July 29, 2007, 05:27:54 AM
Quote
- Startup time for laptop has considerably decreased (down 5-7min from 10-13 min).
That still seems excessive to me.

After your computer finishes booting open the task manager (control/alt/delete) before opening any other programs.   Click the Processes tab.  How many running processes are shown at the bottom left corner of that window?


Quote
... for the last almost a month I believe.
Has it been that long  ;D
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on July 30, 2007, 02:26:37 PM
Hi Mauserme,
The following processes are currently running after startup.
Only manually started program: firefox.exe

- firefox.exe
- taskmgr.exe
- alg.exe
- ashWebSv.exe
- ashMaiSv.exe
- wmpnetwk.exe
- svchost.exe   (SYSTEM - 1304K)
- explorer.exe
- sp_rsser.exe  (spyware terminator research tool, part of crawler, uses 5MB RAM, could we take this off?)
- ashServ.exe
- aswUpdSv.exe
- svchost.exe   (SYSTEM - 260K)
- cmdagent.exe
- svchost.exe    (Local Service - 1648K)
- wmpnscfg.exe (I do not share my music files. Uses 440K, could we take this off?)
- ctfmon.exe
- svchost.exe   (Network Service - 740K)
- Spywaretorshield.exe
- svchost.exe   (System - 5132K)
- svchost.exe   (Network Service - 836K)
- svchost.exe   (System - 728K)
- lsass.exe       (1236K)
- services.exe
- winlogon.exe
- csrss.exe
- smss.exe       (I found another SMSS.exe [all caps] in c:\I386\SYSTEM32    [again all caps])
- jusched.exe
- cpf.exe         (Comodo firewall)
- spoolsv.exe
- System
- System Idle Process

Page File Usage is consistently 338-339MB
CPU Usage varies from 0% - 8%, but mostly at 5%
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on August 01, 2007, 05:14:22 AM
Quote
- sp_rsser.exe  (spyware terminator research tool, part of crawler, uses 5MB RAM, could we take this off?)
Sure - just disable the Spyware Terminator realtime shield and it should end.

Quote
- wmpnscfg.exe (I do not share my music files. Uses 440K, could we take this off?)
I don't think there's an easy way to make this stop.  It seems to require editing the registry and I'm not sure it's worth the trouble.

Quote
- Spywaretorshield.exe
Should this read Spywareterminatorshield.exe?  If not we need to look deeper.

Quote
- smss.exe       (I found another SMSS.exe [all caps] in c:\I386\SYSTEM32    [again all caps])
The copy in c:\I386\SYSTEM32 is OK as long as it's not running from that location.  That folder contains copies of some important files.



The list of running processes is actually impressively short.  How much RAM do you have?
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on August 08, 2007, 05:32:45 AM
Hi Mauserme,
Long time no chat :-)

Well, sorry for not replying to your last post earlier - got busy with some work. Just to update you:

sp_rsser.exe: I couldn't find a way to disable Spyware Terminator realtime (did not see the option). But again, if there is such an option, is that a wise thing to do? Wouldn't the laptop be vulnerable to spyware?

Spywareterminatorshield.exe: You were right about the spelling. I misspelled it.

Hope everything is going great on your end. Thank you...
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on August 09, 2007, 06:40:26 AM
Hi Maze.  Feeling any better?

There is an option in the Spyware Terminator interface to disable real time protection.  As to the wisdom of doing this?  If you're comfortable with the way your computer boots leave it active; otherwise disable it.  There's always a give and take between performance and security and I can't really determine what's best for you.  It does seem like avast! is getting stronger every day on trojan detections but, on the other hand, I still have BoClean running in the background.

Is increasing your RAM an option?  It could help.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on August 09, 2007, 06:36:04 PM
Hi Mauserme,
Feeling a little better, but looks like I may have torn a tendon, so it is going to take a while to heal.

For safety considerations, I would rather leave the spywareterminator realtime shield on, since I would rather not go through a repeat of what I had. As you suggested, I will probably look into upgrading, and in the meantime I will just grab me a cup of tea while the laptop boots up :-)

I noticed avast update does not seem to say "avast has been updated" every time I boot up, like it used to. I think I may have removed it from system tray using one of the programs we previously used to clean up, but it would still run in the background and update by itself right? Or should I manually update it now? Task Manager shows that ashwebsv.exe, ashmaisv.exe and ashserv.exe are running.

How is BoClean according to your experience? Google found the following review:
http://www.anti-trojan-software-reviews.com/review-boclean.htm
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on August 10, 2007, 03:37:39 AM
Quote
Feeling a little better, but looks like I may have torn a tendon, so it is going to take a while to heal.
Ouch! (but it could be worse).


Quote
For safety considerations, I would rather leave the spywareterminator realtime shield on, since I would rather not go through a repeat of what I had. As you suggested, I will probably look into upgrading, and in the meantime I will just grab me a cup of tea while the laptop boots up :-)

Sounds good to me.


Quote
I noticed avast update does not seem to say "avast has been updated" every time I boot up, like it used to. I think I may have removed it from system tray using one of the programs we previously used to clean up, but it would still run in the background and update by itself right? Or should I manually update it now? Task Manager shows that ashwebsv.exe, ashmaisv.exe and ashserv.exe are running.

If you have the a-icon in your system tray right click it, then left click Program Settings. In the Update(Basic) section make sure updates are set to automatic, and under Updates(Connections) make sure the proper choice is checked.


Quote
How is BoClean according to your experience? Google found the following review:
http://www.anti-trojan-software-reviews.com/review-boclean.htm

I don't know - I've never actually been aware of it ever cleaning anything in real time.  Nor AVG AntiSpyware nor Spyware Terminator when I tried those as resident protection.  But, if nothing else, it's a great placebo since it gives me the same peace of mind as the others without using so many resources  ;D

Avast! seems better everyday with its Trojan detections so I tend to rely less on other resident programs now.  And I've actually seen the avast! web shield stop a few bad files.  But you know, if a little protection is good a lot must be better...
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Maze on August 15, 2007, 05:20:04 PM
Hi Mauserme,
Looks like we have done most of what we can. Don't understand what kind of kick these virus creators get out of it. It's not like anyone is applauding or paying them for this. I still get tracking cookies, unfortunately avast does not catch them, but a spywareterminator scan does. It keeps coming back, but I guess I just have to keep running a thorough scan with spywareterminator every week. Thanks for all the time and effort again. Keep helping other novices like me ;)
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: Lisandro on August 15, 2007, 05:22:01 PM
Quote
I still get tracking cookies, unfortunately avast does not catch it
avast does not monitor cookies... you need, as you've discovered, an antispyware tool.
Title: Re: Help to remove FOTOMOTO.A Trojan
Post by: mauserme on August 15, 2007, 07:56:55 PM
Quote
Looks like we have done most of what we can.
I think you're right ...


Quote
Don't understand what kind of kick these virus creators get out of it. It's not like anyone is applauding or paying them for this.
It actually is mostly about money these days - stealing information that can be sold like game keys or used to steal funds like credit card info.


Quote
I still get tracking cookies
You're always going to get some cookies if you go online.  Make sure you reject third party cookies when you use Internet Explorer (Tools>Internet Options>Privacy>Advanced>check Override Automatic Cookie Handling>under Third Party Cookies check Block).  And I usually use CleanUp after every browsing session to clear cookies and temporary files.

http://www.stevengould.org/index.php

ATF Cleaner, which you downloaded early in this thread, would also work as would CCleaner

http://www.ccleaner.com/

If you try CCleaner uncheck the Yahoo Tool Bar option during the installation.


Oh, and, glad I could help. :)