Avast WEBforum
Other => Viruses and worms => Topic started by: tryan21 on October 17, 2007, 12:31:58 AM
-
Here I am once again! ::) My brother came to me and said "I think I downloaded a virus or something". GRRR >:( So I get on and sure enough it seems to be the same kind of problems I was having before (popups, running slow, & Avast warnings). I tried fixing it myself off of the post before, but I don't think it's working :P
*NOTE* I am keeping Java up to date so that's not the problem! ;)
Logfile of HijackThis v1.99.1
Scan saved at 3:30:16 PM, on 10/16/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\HijackThis\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
-
Hi
The last time, you were asked to change the name of hijackthis.exe to hijacktryan.exe I believe they suspected vundo. Could you do this again, as vundo is capable of hiding from highjackthis.exe?
-
Here I am once again!
You been missing us ! :)
Can you post a sample of the warnings from the avast! log? What sort of popups are you getting - what do they look like or what are they advertising? Do they occur at all times or only when you're online?
This line is a little "iffy"
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
I decided to leave it alone last time and if you've been trouble free until recently we can still leave it. But if you've had popups for a while now its time to get rid of it.
-
Can you post a sample of the warnings from the avast! log? What sort of popups are you getting - what do they look like or what are they advertising? Do they occur at all times or only when you're online?
This line is a little "iffy"
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
I decided to leave it alone last time and if you've been trouble free until recently we can still leave it. But if you've had popups for a while now its time to get rid of it.
I'm getting multiple Avast! warnings saying Trojan was found. It all started when my brother was downloading something. He got the Avast! warning saying to abort connection because a virus was detected or something of the sort. He didn't because he thought it wasn't really a virus... not really sure why he thought that. Then I get online and I'm getting WinAntiVirus ads and then some dating and porn type pop-ups. I saw a unfamiliar program called WinAble so I tried to get rid of it. I got rid of it but the pop-ups and strange activity were still there.
Below is the renamed hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:49:58 PM, on 10/16/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HijackThis\hijacktryan.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
-
Mauserme is looking for detailed examples (at least that is what I think), e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.
Then I get online and I'm getting WinAntiVirus ads and then some dating and porn type pop-ups.
The winantivirus is scum/scam/rogue-ware.
Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php (http://www.malwarebytes.org/rogueremover.php).
Your HJT is an old version, 2.0.0.2 is the latest, FileHippo Download - HiJackThis (http://filehippo.com/download_hijackthis/).
You still don't appear to have an active firewall, you really are fighting an uphill battle trying to keep your system clean if you have no outbound protection. Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
Two unknowns, do you recognise them, e.g. did you install them ?
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab
-
I have Windows firewall, is that not good enough? I had a third party firewall, but it wouldn't let me do anything without popping up warnings and I didn't have the slightest clue as to what was ok and what wasn't.
Two unknowns, do you recognise them, e.g. did you install them ?
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab
The second one (http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab) I installed, but I don't know about the first one, it's not familiar to me.
HERE IS EVERYTHING THAT WAS UNDER THE WARNING SECTION:
10/8/2007 10:33:03 AM Tara & Paul 1488 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: F:\DCIM\100SSCAM\S2010001.JPG (F:\DCIM\100SSCAM\S2010001.JPG) returning error, 0000001E.
10/12/2007 5:26:02 PM SYSTEM 1508 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
10/12/2007 5:26:04 PM SYSTEM 1508 An error has occured while attempting to update. Please check the logs.
10/13/2007 8:57:27 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.exe" file.
10/13/2007 8:57:55 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\WebfettiInitialSetup1.0.0.15-3[1].exe" file.
10/13/2007 8:58:22 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\WebfettiInitialSetup1.0.0.15-3[1].exe" file.
10/13/2007 8:59:34 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.exe" file.
10/13/2007 8:59:37 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\CursorManiaFWBInitialSetup1.0.0.15-3[1].exe" file.
10/13/2007 8:59:45 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\CursorManiaFWBInitialSetup1.0.0.15-3[1].exe" file.
10/13/2007 9:01:59 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.exe" file.
10/13/2007 9:02:07 PM SYSTEM 1384 Sign of "Win32:Dialer-gen. [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\HBZ53D30\WebfettiInitialSetup1.0.0.15-3[1].exe" file.
10/13/2007 9:04:00 PM SYSTEM 1384 Sign of "Win32:Spyware-gen. [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE" file.
10/13/2007 9:04:23 PM SYSTEM 1384 Sign of "Win32:Spyware-gen. [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE" file.
10/13/2007 9:04:50 PM SYSTEM 1384 Sign of "Win32:Spyware-gen. [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE" file.
10/13/2007 9:06:01 PM SYSTEM 1384 Sign of "Win32:Spyware-gen. [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE" file.
10/13/2007 9:20:21 PM SYSTEM 1384 Sign of "Win32:Trojano-2873 [trj]" has been found in "C:\WINDOWS\system32\comms2\dnwldr132.exe" file.
10/13/2007 9:20:51 PM SYSTEM 1384 Sign of "Win32:Adloader-KH [trj]" has been found in "C:\Program Files\TTC.dll" file.
10/13/2007 9:22:56 PM SYSTEM 1384 Sign of "Win32:Winfixer-F [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\EJWRNK9W\wintavsnet[1].exe" file.
10/13/2007 9:23:02 PM SYSTEM 1384 Sign of "Win32:Winfixer-F [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\wintavsnet.exe" file.
10/14/2007 9:31:30 AM Tara & Paul 1576 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\0PGLYZQ7\lkjh[1]" file.
10/14/2007 6:49:40 PM SYSTEM 1532 Sign of "Win32:Downloader-KK [trj]" has been found in "http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab\UWA7P_0001_N99M2908NetInstaller.exe" file.
10/14/2007 6:51:11 PM SYSTEM 1532 Sign of "Win32:Downloader-KK [trj]" has been found in "http://download.cdn.winsoftware.com/files/installers/WinAntiVirusPro2007FreeInstall.exe" file.
10/14/2007 6:51:25 PM SYSTEM 1532 Sign of "Win32:Spyware-gen. [trj]" has been found in "http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab\USDR6_0001_D19M2108NetInstaller.exe" file.
10/15/2007 9:34:45 AM Tara & Paul 1092 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0E05C9DA." file.
10/15/2007 9:40:13 AM Tara & Paul 1092 Sign of "Win32:Tiny-JC [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0FC1586B." file.
10/15/2007 9:40:20 AM Tara & Paul 1092 Sign of "Win32:Vundo-gen47 [Adw]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP4DED9C87.dll" file.
10/15/2007 9:40:22 AM Tara & Paul 1092 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP596FE1DD." file.
10/15/2007 9:40:26 AM Tara & Paul 1092 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APF074E6F8." file.
10/15/2007 10:02:55 AM Tara & Paul 1588 Sign of "Win32:Agent-LAP [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\0PGLYZQ7\valera[1]" file.
10/15/2007 10:04:30 AM Tara & Paul 1588 Sign of "Win32:Agent-LAP [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\txnkxnfj.exe" file.
10/15/2007 10:04:40 AM Tara & Paul 1588 Sign of "Win32:Agent-LAP [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\txnkxnfj.exe" file.
10/15/2007 10:35:57 AM Tara & Paul 1524 Sign of "Win32:Agent-LAP [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\skfblqlk.exe" file.
10/15/2007 10:38:39 AM Tara & Paul 1524 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\T5QO8S0R\lkjh[1]" file.
10/15/2007 11:10:13 AM Tara & Paul 1532 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\FYZ9STLM\lkjh[1]" file.
10/15/2007 6:33:07 PM SYSTEM 1592 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\SM5K8W5J\lkjh[1]" file.
10/15/2007 7:52:04 PM SYSTEM 1592 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\ynchftjq.exe" file.
10/15/2007 9:20:52 PM SYSTEM 1592 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\ynchftjq.exe" file.
10/15/2007 9:20:54 PM SYSTEM 1592 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\WINDOWS\system32\ynchftjq.exe" file.
10/15/2007 9:28:13 PM SYSTEM 1592 Sign of "Win32:Agent-LAP [trj]" has been found in "C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\FYZ9STLM\valera[1]" file.
10/15/2007 9:29:56 PM SYSTEM 1592 Sign of "Win32:Agent-LAP [trj]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\lxilikat.exe" file.
10/16/2007 3:38:50 PM Tara & Paul 320 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0E05C9DA." file.
10/16/2007 3:39:04 PM Tara & Paul 320 Sign of "Win32:Tiny-JC [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0FC1586B." file.
10/16/2007 3:39:24 PM Tara & Paul 320 Sign of "Win32:Vundo-gen47 [Adw]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP4DED9C87.dll" file.
10/16/2007 3:39:24 PM Tara & Paul 320 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP596FE1DD." file.
10/16/2007 3:39:24 PM Tara & Paul 320 Sign of "Win32:Tiny-IF [trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APF074E6F8." file.
10/16/2007 4:39:16 PM Tara & Paul 320 Sign of "Win32:Vundo-gen47 [Adw]" has been found in "C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025826.dll" file.
-
Download Smitfraudfix from Here (http://siri.geekstogo.com/SmitfraudFix.exe) or Here (http://siri.urz.free.fr/Fix/SmitfraudFix.exe). Double-click smitfraudfix.exe, Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).
Double-click smitfraudfix.exe, Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. A reboot may be needed to finish the cleaning process.
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Next download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and the SmitFraudFix log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.
-
I have Windows firewall, is that not good enough? I had a third party firewall, but it wouldn't let me do anything without popping up warnings and I didn't have the slightest clue as to what was ok and what wasn't.
Well, It's better than nothing. The only problem with windows firewall, is no outbound protection. Anything on your computer can gain internet access unchallenged. Downloaders can open backdoors and bring their buddies on in for visit. :o
-
@ tryan21
Windows XP's firewall is better than no firewall but, it lulls you into a false sense of protection, it doesn't provide outbound protection.
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Re the O16 DPF entries, as mauserme gives the good technical advice that the first one is a bit iffy ;D and you didn't install it I would also say to fix it. The second if you know its purpose and installed it no problem.
-
Mauserme I'm not sure if you wanted the smitfraudfix report, but here it is:
SmitFraudFix v2.240
Scan done at 9:48:37.28, Wed 10/17/2007
Run from
C:\Documents and Settings\Tara & Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TARA
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Motorola SURFboard SB5100 USB Cable Modem #2 - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.12
DNS Server Search Order: 68.105.29.12
DNS Server Search Order: 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
-
Thanks - I did want to see the log.
There's no need to continue with steps 2 and 3 with SmitFraudFix but do run ComboFix.
-
Although the popups haven't happened lately, when I did an Avast! and BitDefender scan it said I was still infected. So, I'm not sure whats really going on... maybe BitDefender removed all infections?
Below is ComboFix log:
ComboFix 07-10-17.8 - Tara & Paul 2007-10-17 10:10:25.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.48 [GMT -7:00]
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.
2007-10-17 09:48 2,244 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 <DIR> d-------- C:\VundoFix Backups
2007-10-16 09:51 <DIR> C:\Documents and Settings\Tara 2007-10-16 09:51 <DIR> Paul\Application Data\Help
2007-10-16 09:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 09:23 <DIR> d-------- C:\WINDOWS\pss
2007-10-13 21:20 <DIR> d-------- C:\WINDOWS\system32\que1
2007-10-13 21:20 <DIR> d-------- C:\WINDOWS\system32\comms2
2007-10-07 09:31 <DIR> C:\Documents and Settings\Tara 2007-10-07 09:31 <DIR> Paul\Application Data\AccurateRip
2007-10-07 09:31 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-07 09:30 <DIR> d-------- C:\Program Files\Illustrate
2007-10-04 15:00 <DIR> d-------- C:\Program Files\Java
2007-10-04 14:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-03 10:56 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-09-27 08:00 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 <DIR> C:\Documents and Settings\Tara 2007-09-24 13:18 <DIR> Paul\Application Data\Yahoo!
2007-09-24 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-21 09:17 28,680 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15 33,288 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15 25,096 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 14:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-09-20 10:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-19 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-19 19:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14 <DIR> C:\Documents and Settings\Tara 2007-09-19 19:14 <DIR> Paul\Application Data\SUPERAntiSpyware.com
2007-09-19 19:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-19 09:52 <DIR> d-------- C:\Program Files\RogueRemover FREE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-03 17:56 --------- d-----w C:\Program Files\Coupons
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-19 03:11 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Ahead
2007-08-19 03:09 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-18 17:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-18 17:34 --------- d-----w C:\Program Files\Nero
2007-08-18 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-08-18 17:10 --------- d-----w C:\Program Files\CyberLink
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
- 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-17 17:10:18 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-17 17:03:07 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 10:13:32
Windows 5.1.2600 Service Pack 2, v.2096 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-17 10:14:57
C:\ComboFix2.txt ... 2007-10-16 09:37
.
--- E O F ---
-
Although the popups haven't happened lately, when I did an Avast! and BitDefender scan it said I was still infected. So, I'm not sure whats really going on... maybe BitDefender removed all infections?
What where the files and what where they detected as?
-
Here is a warning I just got from Avast!
10/17/2007 2:19:43 PM Tara & Paul 1484 Sign of "Win32:Vibpack [Wrm]" has been found in "C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\tmp00001662\tmp00005d0d" file.
Here is the bitdefender report...
BitDefender Online Scanner
Scan report generated at: Wed, Oct 17, 2007 - 15:11:41
Scan path: A:\;C:\;D:\;G:\;
Statistics
Time
00:55:08
Files
96001
Folders
2972
Boot Sectors
2
Archives
1591
Packed Files
5330
Results
Identified Viruses
1
Infected Files
1
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
1
Engines Info
Virus Definitions
827053
Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins
14
Archive plugins
38
Unpack plugins
7
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)=>zlib_nsis0003
Detected with: Adware.TTC.B
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)=>zlib_nsis0003
Disinfection failed
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)=>zlib_nsis0003
Deleted
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)
Update failed
-
I suggest:
Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.
Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.
Run avast and other antispywares scannings.
-
I think you've handled the initial problem(s) pretty well on your own Tara. You have a clean HJT log except for the "iffy" line I mentioned earlier. Since you don't know it we'll take care of it.
SmitFraudFix found nothing so possibly you ran Rogue Remover, SuperAntiSpyware or something else that got rid of it (I see recently installed ESET drivers in your ComboFix log).
And there are just a couple files in the ComboFix log I'll ask you to check at Virus Total (http://www.virustotal.com/en/indexf.html) and post the results (I think you've done this before)
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\SpoonUninstall.exe
In regard to the worm, it seems like it might be related to P2P but I don't see any P2P applications in your log. Does your brother download?
-
File tmp.reg received on 10.18.2007 21:57:36 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 6.
Estimated start time is between 61 and 87 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 -
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.17 -
AVG 7.5.0.488 2007.10.18 -
BitDefender 7.2 2007.10.18 -
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.18 -
Fortinet 3.11.0.0 2007.10.18 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.18 -
Ikarus T3.1.1.12 2007.10.18 -
Kaspersky 7.0.0.125 2007.10.18 -
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.18 -
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 -
Prevx1 V2 2007.10.18 -
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.18 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.18 -
Additional information
File size: 2244 bytes
MD5: 64c818e4fa8a71677d3fea717ae51cbf
SHA1: 8a8008a1d2a138eb5897cfaa4b507bc9a34bf686
packers: Unicode
packers: Unicode
-
I Disabled System Restore like Tech suggested, but the pop ups just started again.
File SpoonUninstall.exe received on 10.18.2007 22:58:52 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/32 (3.13%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 52 and 75 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 -
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.18 -
AVG 7.5.0.488 2007.10.18 -
BitDefender 7.2 2007.10.18 -
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.18 -
Fortinet 3.11.0.0 2007.10.18 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.18 -
Ikarus T3.1.1.12 2007.10.18 -
Kaspersky 7.0.0.125 2007.10.18 -
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.18 -
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 -
Prevx1 V2 2007.10.18 Heuristic: Suspicious Hijacker
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.18 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.18 -
Additional information
File size: 4229496 bytes
MD5: 229968985617a21fdf492ad31f9013b8
SHA1: 57e6abbc0784af4d4f147a721af8e40572552702
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=BB2191B578ADB5DD8920401F9B924F0070EB4A30
-
author=tryan21 link=topic=30982.msg257244#msg257244 date=1192742379]
... the pop ups just started again
Is it still WinAntiVirus, dating and such or something new now? If you go to sites you don't normally visit do the ads seem to go along with the subject of the new sites? Try some gardening or vehicle repair sites (or anything) to see if the ads change topic.
-
If you don't mind I would like to try a new program (new for me - its been in use in France for almost a year) that targets a rootkit adware with symptoms similar to yours.
Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
Extract its contents to the desktop.
Double click on navilog1.exe to install it on your computer.
When the installation is complete, the tool will start automatically.
If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
Press E for English from the language Menu.
Type 1 in the next Menu to select Search and press Enter.
Wait for the Scan to finish (It may take a reasonable amount of time)
Press any key as requested .
A new document will be produced: fixnavi.txt.
Please copy/paste the contents of this report in your next reply.
The report is also saved in the root of the directory, "%SystemDrive% ixnavi.txt". (usually C: ixnavi.txt)
Please don't use any options other than #1 or Q(uit) for now.
Follow this with a WinPFind3U log:
Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the log back here, all the way to the < End of Report > marker (it will tke several posts).
-
In regard to the worm, it seems like it might be related to P2P but I don't see any P2P applications in your log. Does your brother download?
I don't have any P2P applications, I don't use any of that. My brother said he was downloading something to edit his MySpace page, not real sure what exactly.
Is it still WinAntiVirus, dating and such or something new now? If you go to sites you don't normally visit do the ads seem to go along with the subject of the new sites? Try some gardening or vehicle repair sites (or anything) to see if the ads change topic.
Yeah, it's pretty much the same thing. It doesn't change with different sites.
I'm going to try the Navilog1 and WinPFind3U now. I'll post back soon.
-
Search Navipromo version 3.3.0 began on Thu 10/18/2007 at 20:43:18.68
!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 17.10.2007 at 20h00 by IL-MAFIOSO
Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 6.0.2900.2096
Done in normal mode
*** Searching for installed Software ***
*** Search folders in C:\WINDOWS ***
*** Search folders in C:\Program Files ***
*** Search folders in C:\Documents and Settings\All Users\Application Data ***
*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***
*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net
!! Not same hidden file(s)/process(es) found !!
!! Scan results from Catchme not processed by Navilog1 !!
*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!
* Scan in C:\WINDOWS\system32 *
* Scan in C:\DOCUME~1\TARA *
gnc.exe missing, Scan not done in C:\DOCUME~1\TARA !
*** Search files ***
*** Search specific Registry keys ***
*** Complementary Search ***
(Search specific files)
1)Search known files:
C:\WINDOWS\system32\cefhk.ini2 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\cefhk.bak1 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\cefhk.bak2 found ! Possible Vundo infection, not cleaned with this tool !
2)Heuristic Search :
3)Certificates Search :
Egroup certificate not found !
*** Search completed on Thu 10/18/2007 at 20:45:01.87 ***
-
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.bak1
C:\WINDOWS\system32\cefhk.bak2
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
EDIT: Before running HJT again rename the executable to hjtara.exe
Please also run ComboFix again and give me a fresh log.
-
Ok I will do all that in a minute. I just wanted to give you an update. I got on my computer this morning and it's going crazy with pop-ups. I get about 20 with in 1 minute. I also keep getting these wierd alerts; it's a yellow triangle in the bottom right corner of my computer and a ballon will pop out of it saying Security Alert:Spyware found or System Alert:trojan-spy:win32@mx. Also WinPFind3U won't run. I keep getting an "encountered an error can't continue" message. I'll post back soon.
-
I also keep getting these wierd alerts; it's a yellow triangle in the bottom right corner of my computer and a ballon will pop out of it saying Security Alert:Spyware found or System Alert:trojan-spy:win32@mx.
Don't use (click) these alerts! They could give you much more trouble.
Install and run safe antispyware tools like AVGas, SpywareTerminator, Spybot.
You should also run a boot time scanning with avast.
-
I also keep getting these wierd alerts; it's a yellow triangle in the bottom right corner of my computer and a ballon will pop out of it saying Security Alert:Spyware found or System Alert:trojan-spy:win32@mx.
Don't use (click) these alerts! They could give you much more trouble.
Install and run safe antispyware tools like AVGas, SpywareTerminator, Spybot.
You should also run a boot time scanning with avast.
For sure don't click them ...
This sounds like another SmitFraud variant. Now that we've found Vundo I hope to make better progress with this as Vundo is probably downloading the rest. Go ahead with HJTara.exe and ComboFix and we see what they show (if you have any trouble running ComboFix rename it and try again).
EDIT: Just to clarify, move the 3 files listed above with OTMoveIt first, then the logs.
-
C:\WINDOWS\system32\cefhk.ini2 moved successfully.
C:\WINDOWS\system32\cefhk.bak1 moved successfully.
C:\WINDOWS\system32\cefhk.bak2 moved successfully.
Created on 10/19/2007 10:39:35
-
ComboFix 07-10-17.8 - Tara & Paul 2007-10-19 10:47:27.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.31 [GMT -7:00]
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cefhk.ini
C:\WINDOWS\system32\cefhk.ini
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.tmp
C:\WINDOWS\system32\cefhk.tmp
C:\WINDOWS\system32\khfec.dll
C:\WINDOWS\system32\khfec.dll
C:\WINDOWS\system32\kyinieiy.dll
C:\WINDOWS\system32\nuasmuqv.dll
C:\WINDOWS\system32\yieiniyk.ini
.
((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.
2007-10-18 20:41 <DIR> d-------- C:\Program Files\Navilog1
2007-10-17 19:02 8,192 --a------ C:\sysudiq.exe
2007-10-17 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 <DIR> d-------- C:\VundoFix Backups
2007-10-16 09:51 <DIR> C:\Documents and Settings\Tara 2007-10-16 09:51 <DIR> Paul\Application Data\Help
2007-10-07 09:31 <DIR> C:\Documents and Settings\Tara 2007-10-07 09:31 <DIR> Paul\Application Data\AccurateRip
2007-10-07 09:30 <DIR> d-------- C:\Program Files\Illustrate
2007-10-04 15:00 <DIR> d-------- C:\Program Files\Java
2007-10-04 14:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-27 08:00 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 <DIR> C:\Documents and Settings\Tara 2007-09-24 13:18 <DIR> Paul\Application Data\Yahoo!
2007-09-24 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-20 14:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-09-19 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-19 19:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14 <DIR> C:\Documents and Settings\Tara 2007-09-19 19:14 <DIR> Paul\Application Data\SUPERAntiSpyware.com
2007-09-19 19:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-19 09:52 <DIR> d-------- C:\Program Files\RogueRemover FREE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 15:13 340,032 ----a-w C:\WINDOWS\system32\rmqgcave.dll
2007-10-19 15:13 340,032 ----a-w C:\WINDOWS\system32\pttryjxd.dll
2007-10-18 02:02 55,808 ----a-w C:\WINDOWS\system32\sysdl133.exe
2007-10-18 02:02 33,792 ----a-w C:\WINDOWS\system32\vtuuvsr.dll
2007-10-18 02:02 167,945 ----a-w C:\WINDOWS\system32\sysdl132.exe
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 16:30 4,229,496 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-03 17:56 --------- d-----w C:\Program Files\Coupons
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-21 16:17 28,680 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15 33,288 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15 25,096 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-19 03:11 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Ahead
2007-08-19 03:09 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
-
.
((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
- 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-19 17:46:53 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-19 17:56:20 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02 33792 --a------ C:\WINDOWS\system32\vtuuvsr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-19 08:13 340032 --a------ C:\WINDOWS\system32\pttryjxd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pttryjxd.dll [2007-10-19 08:13 340032]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pttryjxd]
pttryjxd.dll 2007-10-19 08:13 340032 C:\WINDOWS\system32\pttryjxd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfec.dll
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 10:57:58
Windows 5.1.2600 Service Pack 2, v.2096 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-19 11:04:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-17 10:15
C:\ComboFix3.txt ... 2007-10-16 09:37
.
--- E O F ---
-
Logfile of HijackThis v1.99.1
Scan saved at 11:07:22 AM, on 10/19/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\hijacktryan.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
-
I'll review your logs in depth a little later. For now I would like you to open OTMoveIt and kill this file as you did with the others
C:\sysudiq.exe
If you are now able to run WinpFid3U please run it and post its log.
-
Here's the "post-review" fix:
Open HJT and click to Do a System Scan Only. When complete place a check mark next to these lines
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
Close all other windows including your browser, and click Fix Checked. Close HJT.
Open OTMoveIt and paste the followign paths into the field to be moved
C:\sysudiq.exe
C:\WINDOWS\system32\rmqgcave.dll
C:\WINDOWS\system32\pttryjxd.dll
C:\WINDOWS\system32\sysdl133.exe
C:\WINDOWS\system32\vtuuvsr.dll
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\khfec.dll
C:\Program Files\Coupons
Click the red Move It button and post the results in your next response.
Along with the OTMoveIt results please post fresh HJT (renamed) and ComboFix logs as well as a WinPFind log if it will run.
-
Sorry it took so long. My computer wouldn't start up, well the Windows wouldn't load. It was giving me a message saying operation failed or something of the sort. After freaking out for a day I realized I had to go to last known good configuration. Also, I can't click on IE on my desktop. Everything will freeze then my screen goes blank, but my computer doesn't turn off, just the screen goes blank.
WinPFind3 logfile created on: 10/20/2007 8:18:46 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)
191.48 Mb Total Physical Memory | 24.14 Mb Available Physical Memory | 12.61% Memory free
466.86 Mb Paging File | 270.94 Mb Available in Paging File | 58.03% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.64 Gb Total Space | 12.80 Gb Free Space | 46.33% Space Free
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Computer Name: LAPTOP
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
nmbgmonitor.exe -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
nmindexingservice.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
nmindexstoresvr.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 905216 bytes | Modified Date = 12/23/2006 6:04:42 PM | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
watchdog.exe -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe -> [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr = ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 7, 3, 1 | Size = 774144 bytes | Modified Date = 1/5/2007 1:41:10 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
-
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr = ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
EPSON Stylus CX5800F Series -> %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr = ]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 9/7/2007 6:42:24 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
WatchDog -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe -> [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 -> -> File not found
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
P2kAutostart -> %UserDocuments%\P2kCommanderV330\P2kAutostart.exe -> File not found
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} [HKLM] -> %System32%\vtuuvsr.dll [] -> [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
vtuuvsr -> %System32%\vtuuvsr.dll -> [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
-
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> about:blank ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 10/31/2006 1:33:52 PM | Attr = ]
{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} [HKLM] -> %System32%\vtuuvsr.dll [Reg Data - Value does not exist] -> [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 8/13/2007 2:15:10 PM | Attr = ]
{F4693D97-15DF-463C-B7B5-A237402E0AED} [HKLM] -> %System32%\opnkh.dll [Reg Data - Value does not exist] -> [Ver = | Size = 303200 bytes | Modified Date = 10/20/2007 6:28:42 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> -> File not found
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{193C772A-87BE-4B19-A7BB-445B226FE9A1} -> ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll ->
{406B5949-7190-4245-91A9-30A17DE16AD0} -> Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336 ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{F137B9BA-89EA-4B04-9C67-2074A9DF61FD} -> Photo Upload Plugin Class - CodeBase = http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab? ->
-
[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 200855552 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr = HS]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 10/16/2007 9:18:27 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 10/16/2007 2:32:40 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 10/19/2007 10:39:34 AM | Attr = ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 135168 bytes | Created Date = 10/16/2007 9:15:59 AM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/16/2007 9:16:00 AM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Created Date = 10/15/2007 9:23:21 AM | Attr = ]
Thumbs.db -> %SystemRoot%\Thumbs.db -> [Ver = | Size = 7680 bytes | Created Date = 10/8/2007 11:54:27 AM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
uccspecc.sys -> %SystemRoot%\uccspecc.sys -> [Ver = | Size = 31 bytes | Created Date = 10/3/2007 10:56:00 AM | Attr = H ]
aylcodgp.ini -> %System32%\aylcodgp.ini -> [Ver = | Size = 693721 bytes | Created Date = 10/15/2007 11:16:02 AM | Attr = HS]
comms2 -> %System32%\comms2 -> [Folder | Created Date = 10/13/2007 9:20:19 PM | Attr = ]
cpnprt2.cid -> %System32%\cpnprt2.cid -> Coupons, Inc. [Ver = 1, 0, 5, 0 | Size = 161112 bytes | Created Date = 10/3/2007 10:56:11 AM | Attr = RH ]
extdfugh.ini -> %System32%\extdfugh.ini -> [Ver = | Size = 693601 bytes | Created Date = 10/15/2007 10:41:28 AM | Attr = HS]
hknpo.bak1 -> %System32%\hknpo.bak1 -> [Ver = | Size = 6513 bytes | Created Date = 10/20/2007 6:29:08 PM | Attr = HS]
hknpo.ini -> %System32%\hknpo.ini -> [Ver = | Size = 529 bytes | Created Date = 10/20/2007 6:28:44 PM | Attr = HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
mcrh.tmp -> %System32%\mcrh.tmp -> [Ver = | Size = 143 bytes | Created Date = 10/14/2007 9:02:03 AM | Attr = ]
opnkh.dll -> %System32%\opnkh.dll -> [Ver = | Size = 303200 bytes | Created Date = 10/20/2007 6:28:35 PM | Attr = ]
pmkli.dll -> %System32%\pmkli.dll -> [Ver = | Size = 312416 bytes | Created Date = 10/19/2007 1:51:43 PM | Attr = ]
pttryjxd.dllbox -> %System32%\pttryjxd.dllbox -> [Ver = | Size = 17006 bytes | Created Date = 10/19/2007 8:14:03 AM | Attr = HS]
que1 -> %System32%\que1 -> [Folder | Created Date = 10/13/2007 9:20:47 PM | Attr = ]
SpoonUninstall.exe -> %System32%\SpoonUninstall.exe -> [Ver = | Size = 4229496 bytes | Created Date = 10/7/2007 9:31:10 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2244 bytes | Created Date = 10/17/2007 9:48:44 AM | Attr = ]
vosuuyod.ini -> %System32%\vosuuyod.ini -> [Ver = | Size = 693481 bytes | Created Date = 10/15/2007 10:05:52 AM | Attr = HS]
vtuuvsr.dll -> %System32%\vtuuvsr.dll -> [Ver = | Size = 33792 bytes | Created Date = 10/17/2007 7:02:17 PM | Attr = ]
eamon.sys -> %System32%\drivers\eamon.sys -> Eset [Ver = 3,0,0,0 D built by: WinDDK | Size = 33288 bytes | Created Date = 9/21/2007 9:15:26 AM | Attr = ]
easdrv.sys -> %System32%\drivers\easdrv.sys -> Eset [Ver = 3, 0, 414 RC1 | Size = 25096 bytes | Created Date = 9/21/2007 9:15:52 AM | Attr = ]
epfwtdir.sys -> %System32%\drivers\epfwtdir.sys -> [Ver = | Size = 28680 bytes | Created Date = 9/21/2007 9:17:14 AM | Attr = ]
[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 194 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = HS]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 10/18/2007 8:44:54 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 200855552 bytes | Modified Date = 10/20/2007 8:09:32 PM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 10/19/2007 9:16:26 AM | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 10/19/2007 11:04:42 AM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = HS]
Temp -> %SystemDrive%\Temp -> [Folder | Modified Date = 10/14/2007 9:00:08 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 10/16/2007 2:32:42 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 10/19/2007 10:50:52 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 10/19/2007 10:39:36 AM | Attr = ]
-
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 10/17/2007 2:15:54 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 10/20/2007 8:09:34 PM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 135168 bytes | Modified Date = 9/28/2007 9:06:10 AM | Attr = ]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 10/20/2007 6:54:54 PM | Attr = HS]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 10/4/2007 3:03:12 PM | Attr = S]
EPISME00.SWB -> %SystemRoot%\EPISME00.SWB -> [Ver = | Size = 9662 bytes | Modified Date = 10/16/2007 9:49:56 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 9/22/2007 8:46:58 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/16/2007 9:51:28 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 10/15/2007 9:19:54 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 10/4/2007 3:03:02 PM | Attr = HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 10/20/2007 7:42:32 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 10/15/2007 9:25:28 AM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 10/13/2007 9:14:48 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 10/20/2007 8:19:12 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 10/19/2007 10:51:36 AM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 10/20/2007 8:17:28 PM | Attr = ]
Thumbs.db -> %SystemRoot%\Thumbs.db -> [Ver = | Size = 7680 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
uccspecc.sys -> %SystemRoot%\uccspecc.sys -> [Ver = | Size = 31 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr = H ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 573 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
WindowsShellOld.Manifest.1 -> %SystemRoot%\WindowsShellOld.Manifest.1 -> [Ver = | Size = 82 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr = H ]
Norton Security Scan.job -> %SystemRoot%\tasks\Norton Security Scan.job -> [Ver = | Size = 420 bytes | Modified Date = 10/12/2007 4:44:22 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 10/20/2007 8:10:30 PM | Attr = H ]
aylcodgp.ini -> %System32%\aylcodgp.ini -> [Ver = | Size = 693721 bytes | Modified Date = 10/15/2007 4:28:14 PM | Attr = HS]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 10/20/2007 8:14:56 PM | Attr = ]
comms2 -> %System32%\comms2 -> [Folder | Modified Date = 10/13/2007 9:20:48 PM | Attr = ]
cpnprt2.cid -> %System32%\cpnprt2.cid -> Coupons, Inc. [Ver = 1, 0, 5, 0 | Size = 161112 bytes | Modified Date = 10/3/2007 10:56:14 AM | Attr = RH ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 10/20/2007 8:05:30 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 10/19/2007 10:56:34 AM | Attr = ]
extdfugh.ini -> %System32%\extdfugh.ini -> [Ver = | Size = 693601 bytes | Modified Date = 10/15/2007 11:06:10 AM | Attr = HS]
hknpo.bak1 -> %System32%\hknpo.bak1 -> [Ver = | Size = 6513 bytes | Modified Date = 10/20/2007 6:29:10 PM | Attr = HS]
hknpo.ini -> %System32%\hknpo.ini -> [Ver = | Size = 529 bytes | Modified Date = 10/20/2007 8:19:12 PM | Attr = HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:30 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
mcrh.tmp -> %System32%\mcrh.tmp -> [Ver = | Size = 143 bytes | Modified Date = 10/14/2007 9:02:04 AM | Attr = ]
opnkh.dll -> %System32%\opnkh.dll -> [Ver = | Size = 303200 bytes | Modified Date = 10/20/2007 6:28:42 PM | Attr = ]
pmkli.dll -> %System32%\pmkli.dll -> [Ver = | Size = 312416 bytes | Modified Date = 10/19/2007 1:51:50 PM | Attr = ]
pttryjxd.dllbox -> %System32%\pttryjxd.dllbox -> [Ver = | Size = 17006 bytes | Modified Date = 10/19/2007 12:44:18 PM | Attr = HS]
que1 -> %System32%\que1 -> [Folder | Modified Date = 10/16/2007 12:58:02 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = ]
SpoonUninstall.exe -> %System32%\SpoonUninstall.exe -> [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2244 bytes | Modified Date = 10/17/2007 9:59:16 AM | Attr = ]
vosuuyod.ini -> %System32%\vosuuyod.ini -> [Ver = | Size = 693481 bytes | Modified Date = 10/15/2007 10:37:28 AM | Attr = HS]
vtuuvsr.dll -> %System32%\vtuuvsr.dll -> [Ver = | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 10/20/2007 4:11:30 PM | Attr = ]
eamon.sys -> %System32%\drivers\eamon.sys -> Eset [Ver = 3,0,0,0 D built by: WinDDK | Size = 33288 bytes | Modified Date = 9/21/2007 9:15:26 AM | Attr = ]
easdrv.sys -> %System32%\drivers\easdrv.sys -> Eset [Ver = 3, 0, 414 RC1 | Size = 25096 bytes | Modified Date = 9/21/2007 9:15:52 AM | Attr = ]
epfwtdir.sys -> %System32%\drivers\epfwtdir.sys -> [Ver = | Size = 28680 bytes | Modified Date = 9/21/2007 9:17:14 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 10/19/2007 10:56:30 AM | Attr = ]
[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
UPX! , UPX0 , -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
USERTRUST , -> %System32%\SpoonUninstall.exe -> [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
< End of report >
-
ComboFix 07-10-17.8 - Tara & Paul 2007-10-21 8:42:49.7 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\TryanFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\hknpo.bak1
C:\WINDOWS\system32\hknpo.bak1
C:\WINDOWS\system32\hknpo.ini
C:\WINDOWS\system32\hknpo.ini
C:\WINDOWS\system32\opnkh.dll
C:\WINDOWS\system32\pmkli.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.
2007-10-18 20:41 <DIR> d-------- C:\Program Files\Navilog1
2007-10-17 19:02 33,792 --a------ C:\WINDOWS\system32\vtuuvsr.dll
2007-10-17 09:48 2,244 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 <DIR> d-------- C:\VundoFix Backups
2007-10-16 09:51 <DIR> C:\Documents and Settings\Tara 2007-10-16 09:51 <DIR> Paul\Application Data\Help
2007-10-16 09:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 09:23 <DIR> d-------- C:\WINDOWS\pss
2007-10-13 21:20 <DIR> d-------- C:\WINDOWS\system32\que1
2007-10-13 21:20 <DIR> d-------- C:\WINDOWS\system32\comms2
2007-10-07 09:31 <DIR> C:\Documents and Settings\Tara 2007-10-07 09:31 <DIR> Paul\Application Data\AccurateRip
2007-10-07 09:31 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-07 09:30 <DIR> d-------- C:\Program Files\Illustrate
2007-10-04 15:00 <DIR> d-------- C:\Program Files\Java
2007-10-04 14:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-03 10:56 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-09-27 08:00 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 <DIR> C:\Documents and Settings\Tara 2007-09-24 13:18 <DIR> Paul\Application Data\Yahoo!
2007-09-24 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-21 09:17 28,680 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15 33,288 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15 25,096 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-17 02:26 --------- d-----w C:\Program Files\RogueRemover FREE
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-20 21:33 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-09-20 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
- 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-21 15:42:14 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-21 15:50:41 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02 33792 --a------ C:\WINDOWS\system32\vtuuvsr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 08:52:35
Windows 5.1.2600 Service Pack 2, v.2096 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-21 8:59:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-19 11:04
C:\ComboFix3.txt ... 2007-10-17 10:15
.
--- E O F ---
-
Logfile of HijackThis v1.99.1
Scan saved at 9:03:09 AM, on 10/21/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\hijacktryan.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
-
I have to be honest with you. The system problems you describe are not a good sign and you have to face the possility that this will lead to a reformat. I'm not giving up yet but you should back up any important data, pictures, etc to play it safe. It would be wise to do this before proceeding any farther.
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Files/Folders - Created Within 30 days]
NY -> uccspecc.sys -> %SystemRoot%\uccspecc.sys
NY -> aylcodgp.ini -> %System32%\aylcodgp.ini
NY -> cpnprt2.cid -> %System32%\cpnprt2.cid
NY -> extdfugh.ini -> %System32%\extdfugh.ini
NY -> hknpo.bak1 -> %System32%\hknpo.bak1
NY -> hknpo.ini -> %System32%\hknpo.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> opnkh.dll -> %System32%\opnkh.dll
NY -> pmkli.dll -> %System32%\pmkli.dll
NY -> pttryjxd.dllbox -> %System32%\pttryjxd.dllbox
NY -> tmp.reg -> %System32%\tmp.reg
NY -> vosuuyod.ini -> %System32%\vosuuyod.ini
NY -> vtuuvsr.dll -> %System32%\vtuuvsr.dll
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information in your next response.
Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.
Now open OTMovIt and copy the following into the paths to be moved field
C:\WINDOWS\system32\que1
C:\WINDOWS\system32\comms2
C:\WINDOWS\system32\tuvus.dll
Click the red Move It button and include the results with the WinPFind results.
Next,download ERUNT from here and back up your entire registry
http://www.snapfiles.com/get/erunt.html
Now open Notepad and copy everything within the quote box below into a new document. Make sure there is no space about "REGEDIT4"
REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"=-
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
In the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop. Right click the fix.reg file and select merge. Accept the warning if it appears.
When that's finished open HJT and place a check mark next to any of these lines that remain
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
Close all other windows, browser included, and click fix checked.
In addition to the WinPFind and OTMoveIt results please give me fresh ComboFix and HJT logs.
-
C:\WINDOWS\system32\que1 moved successfully.
C:\WINDOWS\system32\comms2 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tuvus.dll scheduled to be moved on reboot.
Created on 10/22/2007 13:43:07
WinPFind3U said it had to be restarted, then I got an error message saying Invalid floating point operation. I then restarted and no log popped up. Also got the same error message when I did OTMovIt.
-
When I ran combofix I got an error message saying sed.cfexe has encountered a problem and needs to close. Here is the log:
ComboFix 07-10-17.8 - Tara & Paul 2007-10-22 14:00:12.8 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\TryanFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\evqdnvcu.dll
C:\WINDOWS\system32\lepmqbnt.dll
C:\WINDOWS\system32\suvut.bak1
C:\WINDOWS\system32\suvut.bak1
C:\WINDOWS\system32\suvut.bak2
C:\WINDOWS\system32\suvut.bak2
C:\WINDOWS\system32\suvut.ini
C:\WINDOWS\system32\suvut.ini
C:\WINDOWS\system32\tnbqmpel.ini
C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.
2007-10-18 20:41 <DIR> d-------- C:\Program Files\Navilog1
2007-10-17 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 <DIR> d-------- C:\VundoFix Backups
2007-10-16 09:51 <DIR> C:\Documents and Settings\Tara 2007-10-16 09:51 <DIR> Paul\Application Data\Help
2007-10-07 09:31 <DIR> C:\Documents and Settings\Tara 2007-10-07 09:31 <DIR> Paul\Application Data\AccurateRip
2007-10-07 09:30 <DIR> d-------- C:\Program Files\Illustrate
2007-10-04 15:00 <DIR> d-------- C:\Program Files\Java
2007-10-04 14:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-27 08:00 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 <DIR> C:\Documents and Settings\Tara 2007-09-24 13:18 <DIR> Paul\Application Data\Yahoo!
2007-09-24 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 <DIR> d-------- C:\Program Files\SpywareBlaster
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 02:02 33,792 ----a-w C:\WINDOWS\system32\vtuuvsr.dll
2007-10-17 02:26 --------- d-----w C:\Program Files\RogueRemover FREE
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 16:30 4,229,496 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-21 16:17 28,680 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15 33,288 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15 25,096 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 21:33 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-09-20 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-22-2007\ERDNT.EXE
+ 2007-10-22 20:50:15 4,370,432 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users\00000001\ntuser.dat
+ 2007-10-22 20:50:15 151,552 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users\00000002\UsrClass.dat
- 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-22 20:59:28 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-22 21:10:52 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02 33792 --a------ C:\WINDOWS\system32\vtuuvsr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 14:12:43
Windows 5.1.2600 Service Pack 2, v.2096 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-22 15:03:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-21 08:59
C:\ComboFix3.txt ... 2007-10-19 11:04
.
--- E O F ---
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:39 PM, on 10/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 7803 bytes
-
Hi tryan21,
vtuuvsr.dll is a sign of a win trojan gen infection, and maxifiles trojan. More cleansing needs to be done,
polonus
-
We're not going to worry about the sed.cfexe error at the moment but, as polonus said, we do need to rid your computer of vtuuvsr.dll for good.
1. Please open Notepad
Click Start , then Run
Type notepad .exe in the Run Box and hit Enter.
2. Now copy/paste the entire contents of the codebox below into the Notepad window:
File::
C:\WINDOWS\system32\vtuuvsr.dll
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
3. Save the above as CFScript.txt
4. Drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
(http://img132.imageshack.us/img132/9119/cfscriptkv9.gif) (http://imageshack.us)
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
-
ComboFix 07-10-17.8 - Tara & Paul 2007-10-22 19:30:53.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.57 [GMT -7:00]
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tara & Paul\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\vtuuvsr.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtrp.dll
C:\WINDOWS\system32\awtrp.dll
C:\WINDOWS\system32\awtrp.dll
C:\WINDOWS\system32\jokoneur.dll
C:\WINDOWS\system32\pfbilsyr.ini
C:\WINDOWS\system32\prtwa.bak2
C:\WINDOWS\system32\prtwa.ini
C:\WINDOWS\system32\ryslibfp.dll
C:\WINDOWS\system32\vtuuvsr.dll
C:\WINDOWS\system32\vtuuvsr.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.
2007-10-18 20:41 <DIR> d-------- C:\Program Files\Navilog1
2007-10-17 09:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 <DIR> d-------- C:\VundoFix Backups
2007-10-16 09:51 <DIR> C:\Documents and Settings\Tara 2007-10-16 09:51 <DIR> Paul\Application Data\Help
2007-10-07 09:31 <DIR> C:\Documents and Settings\Tara 2007-10-07 09:31 <DIR> Paul\Application Data\AccurateRip
2007-10-07 09:30 <DIR> d-------- C:\Program Files\Illustrate
2007-10-04 15:00 <DIR> d-------- C:\Program Files\Java
2007-10-04 14:57 <DIR> d-------- C:\Program Files\Common Files\Java
2007-09-27 08:00 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 <DIR> C:\Documents and Settings\Tara 2007-09-24 13:18 <DIR> Paul\Application Data\Yahoo!
2007-09-24 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 <DIR> d-------- C:\Program Files\SpywareBlaster
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-17 02:26 --------- d-----w C:\Program Files\RogueRemover FREE
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-21 16:17 28,680 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15 33,288 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15 25,096 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 21:33 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-09-20 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
.
((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-22-2007\ERDNT.EXE
+ 2007-10-22 20:50:15 4,370,432 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users\00000001\ntuser.dat
+ 2007-10-22 20:50:15 151,552 ----a-w C:\WINDOWS\erdnt\10-22-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\10-22-2007\ERDNT.EXE
+ 2007-10-22 23:27:48 4,370,432 ----a-w C:\WINDOWS\erdnt\AutoBackup\10-22-2007\Users\00000001\ntuser.dat
+ 2007-10-22 23:27:50 151,552 ----a-w C:\WINDOWS\erdnt\AutoBackup\10-22-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-22\ERDNT.EXE
+ 2007-10-22 21:16:53 4,370,432 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-22\Users\00000001\ntuser.dat
+ 2007-10-22 21:16:55 151,552 ----a-w C:\WINDOWS\erdnt\AutoBackup\2007-10-22\Users\00000002\UsrClass.dat
- 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-23 02:30:19 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-23 02:40:39 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_568.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 19:41:00
Windows 5.1.2600 Service Pack 2, v.2096 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-22 19:47:27 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-22 15:03
C:\ComboFix3.txt ... 2007-10-21 08:59
.
--- E O F ---
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:10 PM, on 10/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 7583 bytes
-
Your most recent logs look much better but this has been very tenacious so I would like to see another WinPFing log.
How is the computer running?
-
THE COMPUTER SEEMS TO BE RUNNING FINE. I HAVEN'T NOTICED ANYTHING UNUSUAL.
WinPFind3 logfile created on: 10/23/2007 9:06:27 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)
191.48 Mb Total Physical Memory | 44.07 Mb Available Physical Memory | 23.02% Memory free
466.86 Mb Paging File | 286.14 Mb Available in Paging File | 61.29% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.64 Gb Total Space | 12.67 Gb Free Space | 45.86% Space Free
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Computer Name: LAPTOP
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
nmbgmonitor.exe -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
nmindexingservice.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
watchdog.exe -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe -> [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr = ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr = ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 7, 3, 1 | Size = 774144 bytes | Modified Date = 1/5/2007 1:41:10 PM | Attr = ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr = ]
-
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr = ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr = ]
EPSON Stylus CX5800F Series -> %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr = ]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 9/7/2007 6:42:24 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr = ]
WatchDog -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe -> [Ver = | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 -> -> File not found
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr = ]
P2kAutostart -> %UserDocuments%\P2kCommanderV330\P2kAutostart.exe -> File not found
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr = ]
< User Startup > -> C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup ->
%UserStartup%\ERUNT AutoBackup.lnk -> %ProgramFiles%\ERUNT\AUTOBACK.EXE -> [Ver = | Size = 38912 bytes | Modified Date = 10/20/2005 12:04:08 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
-
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> about:blank ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 10/31/2006 1:33:52 PM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 8/13/2007 2:15:10 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> -> File not found
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{193C772A-87BE-4B19-A7BB-445B226FE9A1} -> ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll ->
{406B5949-7190-4245-91A9-30A17DE16AD0} -> Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336 ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{F137B9BA-89EA-4B04-9C67-2074A9DF61FD} -> Photo Upload Plugin Class - CodeBase = http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab? ->
-
[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 200855552 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr = HS]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 10/16/2007 9:18:27 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 10/16/2007 2:32:40 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 10/19/2007 10:39:34 AM | Attr = ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 135168 bytes | Created Date = 10/16/2007 9:15:59 AM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/16/2007 9:16:00 AM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Created Date = 10/15/2007 9:23:21 AM | Attr = ]
Thumbs.db -> %SystemRoot%\Thumbs.db -> [Ver = | Size = 7680 bytes | Created Date = 10/8/2007 11:54:27 AM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr = ]
SpoonUninstall.exe -> %System32%\SpoonUninstall.exe -> [Ver = | Size = 4229496 bytes | Created Date = 10/7/2007 9:31:10 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr = ]
[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 194 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = HS]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 10/18/2007 8:44:54 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 200855552 bytes | Modified Date = 10/23/2007 8:34:04 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 10/22/2007 1:49:18 PM | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 10/22/2007 3:03:08 PM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = HS]
Temp -> %SystemDrive%\Temp -> [Folder | Modified Date = 10/22/2007 11:58:34 AM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 10/16/2007 2:32:42 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 10/22/2007 7:33:50 PM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 10/19/2007 10:39:36 AM | Attr = ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 10/17/2007 2:15:54 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 10/23/2007 8:34:06 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 135168 bytes | Modified Date = 9/28/2007 9:06:10 AM | Attr = ]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 10/22/2007 12:09:22 PM | Attr = HS]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 10/4/2007 3:03:12 PM | Attr = S]
EPISME00.SWB -> %SystemRoot%\EPISME00.SWB -> [Ver = | Size = 9662 bytes | Modified Date = 10/16/2007 9:49:56 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 10/22/2007 2:15:28 PM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/16/2007 9:51:28 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 10/15/2007 9:19:54 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 10/4/2007 3:03:02 PM | Attr = HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 69 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 10/22/2007 7:29:02 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 10/15/2007 9:25:28 AM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 10/13/2007 9:14:48 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 10/22/2007 7:34:50 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 10/22/2007 7:34:40 PM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 10/23/2007 8:54:18 AM | Attr = ]
Thumbs.db -> %SystemRoot%\Thumbs.db -> [Ver = | Size = 7680 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr = HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 573 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr = ]
WindowsShellOld.Manifest.1 -> %SystemRoot%\WindowsShellOld.Manifest.1 -> [Ver = | Size = 82 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr = H ]
Norton Security Scan.job -> %SystemRoot%\tasks\Norton Security Scan.job -> [Ver = | Size = 420 bytes | Modified Date = 10/12/2007 4:44:22 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 10/23/2007 8:34:32 AM | Attr = H ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 10/22/2007 7:38:48 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 10/20/2007 8:05:30 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 10/22/2007 7:40:28 PM | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:30 PM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr = ]
SpoonUninstall.exe -> %System32%\SpoonUninstall.exe -> [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 10/22/2007 9:39:02 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 10/22/2007 7:40:26 PM | Attr =
-
[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
UPX! , UPX0 , -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
USERTRUST , -> %System32%\SpoonUninstall.exe -> [Ver = | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
< End of report >
-
THE COMPUTER SEEMS TO BE RUNNING FINE. I HAVEN'T NOTICED ANYTHING UNUSUAL.
8)
Your logs, and your computer, are clean. You probably have this routine memorized by now but I'll post it again just in case.
Open OTMoveIt again and click the Clean Up button. This will remove the tools we've used and the backups they made.
Now download and install CleanUp (if you don't still have it from the last time), rebooting the computer if requested during installation
http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=72
Open the program and click the Clean Up button in order to remove temporary files, browsing history, etc. It's a good practice to use this program from time to time as malware can lurk in some of these locations. I usually run this program after every browsing session.
Next we will re-set your restore points to make sure there is no malware hiding there. Then if you need to restore at some stage you will be clean.
1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE
You now have a clean restore point; to get rid of the old ones:
1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS 5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this 7. Accept the Warning and select OK again.
You know this is the third time you've had a pretty good dose of Vundo on your computer in the past few months. I think this lastest one might have originated with a downloader sent you (or your brother) in an email. I'm not sure of the source of the other two but it could be a malicious or hacked web site you visit. You might want to turn the web shield up to high and take a look at the sites you do visit. Or could it be your brother on one of those sort of sites you might not have an interest in ... ;D
In any event, our work is done :)
-
Well, thanks once again. I don't know what I would do without this forum! ;)
How would I know if a website is malicious or hacked? I only visit about 5 websites normally (I don't do much online). The only problem now is that my brother just moved in with us and is ALWAYS on the computer. He just isn't cautious about anything and will click and dowload everything. :-\
Also, should I install a third party firewall? If yes, which one? And how do I know how to respond to the warnings? :P
-
Hi tryan21,
How would you know. Use scandoo.com as your favorite search engine, all greens are secure. Install DrWeb's hyperlink av scanner plug-in in your browser of choice, and you can scan a link before downloading if it is clean.
There are a few things you must do once you are completely clean:
1. Re-hide your System Files and Folders to prevent any future accidents.
Reconfigure Windows XP to hide hidden files:
* Click Start. Open My Computer.
* Select the Tools menu and click Folder Options. Select the View Tab.
* Under the Hidden files and folders heading deselect "Show hidden files and folders".
* Check the "Hide protected operating system files (recommended)" option.
* Click Yes to confirm. Click OK.
2. Please download ATF Cleaner by Atribune: http://www.atribune.org/content/view/25/2/
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:
TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"
Reboot your System
TO ENABLE SYSTEM RESTORE
1. Remove check mark from "Turn Off System Restore"
2. Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:
Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.
I strongly recommend installing the following applications:
* Install ad-aware 2007
* Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
* a-squaredFree as an anti-trojan solution.
An good Firewall program is COMODO + ComodoBoClean 4.25 All programs are free...
Surf secure and stay malware free,
polonus
P.S. and for your brother make a separate account without admin rights (only normal user rights) and with the program safeXP installed (download here: http://www.theorica.net/download.htm ), he can do less harm there.
-
How would I know if a website is malicious or hacked? I only visit about 5 websites normally (I don't do much online). The only problem now is that my brother just moved in with us and is ALWAYS on the computer. He just isn't cautious about anything and will click and dowload everything. :-\
one? And how do I know how to respond to the warnings? :P
There are risky sites, like porn and warez/crack sites that are reliable sources of infection (not saying those are in your list of 5 - just speaking in general terms). But whatever the sites you visit, if you seem to often have an infection after visiting a particular one be wary of it.
And I agree with Pol - giving you brother a limited account is a good idea.
Also, should I install a third party firewall? If yes, which one? And how do I know how to respond to the warnings? :P
I'll cast my vote in favor of Comodo as well, at least until avast! releases the firewall they have in development. After you install it open the interface and click Security>Tasks>Scan for Known Applications. This will build and limit the decisions you need to make. After that a little common sense helps - if you open a program you expect will want an internet connection and Comodo alerts you that it is, click to remember the action and allow it. On the other hand if you're playing solitaire and out of the blue Comodo tells you some application is trying to connect, you and I need to talk again (after you block it). And of course there's always the forum if you just can't figure it out.
Oh, and thank you too. You always bring unique challenges to the forum - challenges that make me improve my abilities and force me to be creative. I know its a pain for you but its a great learning experience for me. :)
-
Hi tryan21,
I agree with Keith here. This is the malware cleansing routine to dream about, challenging and instructive, one for the anti malware book. Bad for you, but good for the anti malware fighters (ironic remark),
Damian
-
I installed COMODO firewall and have pretty much been able to figure out the warnings and how to respond. There is one though that I'm not sure about. I get it as soon as I start my computer (everytime) and then at various times when it's been started for awhile. I haven't been allowing it although it might be harmless. I just can't figure out what program it's comming from.
It says "Generic Host process for Win32 Services is trying to act as server"
Application: svchost.exe
Parent: services.exe
-
While I normally don't like to allow inbound on my computer I have had to do so recently because of a Windows update in August that changes the way Generic Host process for Win32 Services functions. There is a thread on the Comodo forums about this here
http://forums.comodo.com/help/sychostexe-t11762.0.html
(I assume the initiator of the thread simply mistyped svchost as syvhost)
To recap the thread, its ok to allow it on certain ports and a fix is planned for Comodo v3.0 when its released.
-
Posted by: polonus
Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.
I'm having a problem with Windows Updates. The download and instalation goes just fine, then I reboot and things don't work. My COMODO Firewall won't work, my Avast! scanner won't work, and when I try to go to a website it doesn't do anything. Also, a few folders and items off of the start menu don't work either. I will click things and they just don't ever open. I end up doing a system restore because I don't know what else to do. I re-tried a few times and the same thing happens.
Now here is the thing, I had like 50+ updates because the Automatic Updates was turned off. So my Windows hasn't been updated in almost a year.
-
Isolate the problems...
I'm having a problem with Windows Updates. The download and instalation goes just fine, then I reboot and things don't work. My COMODO Firewall won't work, my Avast! scanner won't work, and when I try to go to a website it doesn't do anything.
What do you mean with don't work? Freeze, do not load, what?
Also, a few folders and items off of the start menu don't work either. I will click things and they just don't ever open.
Any of them?
I end up doing a system restore because I don't know what else to do. I re-tried a few times and the same thing happens.
Can you try full computer on-line scanning?
Kaspersky (http://www.kaspersky.com/virusscanner) (very good detection rates)
BitDefender (http://www.bitdefender.com/scan8/ie.html) (free removal of the malware)
Now here is the thing, I had like 50+ updates because the Automatic Updates was turned off. So my Windows hasn't been updated in almost a year.
Why did you turn off the updates?
-
When I say "don't work" I mean I get an error message saying that Avast can't run properly and the same for COMODO. The folders, well, just what I said; I will click things and they just don't ever open.
As far as automatic updates being turned off I didn't turn them off and I'm not sure why they were off. Every time I started my computer I would get the security warning that they were turned off, I would then go turn them on, then when I would restart they would be off again. I guess after awhile I just got so used to the security warning and so sick of turning them on every time I just gave up. Honestly I didn't relize how important they were for my computer. :-X
I will go do the scans right now.
-
When you updated did you get just the critical updates, or did you install optional updates like drivers and programs too?
-
I get an error message saying that Avast can't run properly and the same for COMODO.
Can you post a screenshot? See how: http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).
The folders, well, just what I said; I will click things and they just don't ever open.
As far as automatic updates being turned off I didn't turn them off and I'm not sure why they were off.
Viruses can do that. A full scanning will be advisable.
-
When you updated did you get just the critical updates, or did you install optional updates like drivers and programs too?
I just let Automatic Updates do it's thing and then when it told me they were ready to install I installed all of them. I don't really know how to tell the difference between the critical and optional. I'm not experianced with any of this.
Oh and by the way, Automatic Updates are not being turned off every time I start my computer now (since turning on after this last virus cleaning). It stays on and lets me know when they are ready to be installed.
Posted by: Tech
Can you post a screenshot? See how: http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).
I'm not sure how to go about doing this. Because when I install the updates I have no access to the internet. So I'm not sure how I would get the screen shot to you. I end up doing a system restore in order to get online and get things working again. Am I just overlooking the obvoius here? Probably, LOL!
Still haven't scanned but I will do that now I promise.
**I have a one year old so getting all this computer stuff done is hard. :P
-
BitDefender Online Scanner
Scan report generated at: Wed, Oct 31, 2007 - 14:35:00
Scan path: A:\;C:\;D:\;E:\;
Statistics
Time
01:42:28
Files
127651
Folders
3705
Boot Sectors
2
Archives
1892
Packed Files
6425
Results
Identified Viruses
1
Infected Files
2
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
2
Engines Info
Virus Definitions
859582
Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins
14
Archive plugins
38
Unpack plugins
7
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\Program Files\HijackThis\backups\backup-20071020-200212-540.dll
Infected with: Generic.Virtumod.29FFB2FE
C:\Program Files\HijackThis\backups\backup-20071020-200212-540.dll
Disinfection failed
C:\Program Files\HijackThis\backups\backup-20071020-200212-540.dll
Deleted
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP24\A0013118.dll
Infected with: Generic.Virtumod.29FFB2FE
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP24\A0013118.dll
Disinfection failed
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP24\A0013118.dll
Deleted
-
BitDefender Online Scanner
Very good. Can you do the same with Kaspersky on-line scanning?
Are you clean now?
-
C:\Program Files\HijackThis\backups\backup-20071020-200212-540.dll
Infected with: Generic.Virtumod.29FFB2FE
...
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP24\A0013118.dll
Infected with: Generic.Virtumod.29FFB2FE
...
Well the HJT backups can't be causing any problems. When we finished the earlier cleaing did you reset the restore points as I asked?
But still, there's no active infection in that log...
Tech is going to be better at this update problem than me - I do the cleaning thing. But if it was my computer I would try manually downloading/installing 5 updates at a time until you find a group that causes a problem. Back those out, then install each of those updates from the problem group individually until you identify the one (hopefully just one) that's the culpret. There might be an error code that could help diagnose this. If not, at least we'll know which it is.
-
When we finished the earlier cleaing did you reset the restore points as I asked?
Yes, I did. I did everything you told me to do. I also installed all the programs that were recommended to me. I am doing everything within my power to keep this darn computer clean and safe from viruses. I just don't get why this keeps happening. I will try doing the updates in groups of 5 like you recomended.
Tech below is my Kaspersky scan resaults:
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 31, 2007 5:50:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2096 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/11/2007
Kaspersky Anti-Virus database records: 421850
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 43783
Number of viruses found 5
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 02:56:00
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Tara & Paul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tara & Paul\Incomplete\T-872159-Microsoft Internet Explorer 7.0.zip/Setup.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\Tara & Paul\Incomplete\T-872159-Microsoft Internet Explorer 7.0.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\History\History.IE5\MSHist012007103120071101\index.dat Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Temp\~DF6E4C.tmp Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Temp\~DFA497.tmp Object is locked skipped
C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tara & Paul\ntuser.dat Object is locked skipped
C:\Documents and Settings\Tara & Paul\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20071020-200213-403.dll Infected: Trojan-PSW.Win32.Magania.aqw skipped
C:\Program Files\HijackThis\backups\backup-20071022-135718-301.dll Infected: Trojan-PSW.Win32.Magania.aqw skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP24\change.log Object is locked skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP9\A0006454.exe Infected: Trojan-Downloader.Win32.Small.gdu skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP9\A0006458.exe Infected: Trojan-Downloader.Win32.BHO.al skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP9\A0006459.exe Infected: Trojan-Dropper.Win32.Agent.cgq skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{19BA9DFB-BFE0-4416-91CA-47E87F976FCF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_628.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
-
Number of viruses found 5
Number of infected objects 7
C:\Documents and Settings\Tara & Paul\Incomplete\T-872159-Microsoft Internet Explorer 7.0.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP9\A0006454.exe Infected: Trojan-Downloader.Win32.Small.gdu skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP9\A0006458.exe Infected: Trojan-Downloader.Win32.BHO.al skipped
C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP9\A0006459.exe Infected: Trojan-Dropper.Win32.Agent.cgq skipped
From which P2P program does the incomplete file belongs?
Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable it again.
-
C:\Documents and Settings\Tara & Paul\Incomplete\T-872159-Microsoft Internet Explorer 7.0.zip/Setup.exe Infected: Worm.Win32.VB.an skipped
Did you (or your brother) run this setup file? ::)
From which P2P program does the incomplete file belongs?
We spoke about a possibly P2P-related worm on pages 1-2 of this thread and now we're back to the same ...
Please post another HJT log.
-
I had Limewire about a year ago and tried to download something that ended up being something entirely different. It was infected and I thought I had got rid of it and resolved this whole issue. Like I said this was about a year ago. After that incident I un-installed Limewire and decided I was through with P2P applications all together. That's why when I was asked about a P2P, I said I don't use them. I had mistakenly thought this infected file was taken care of and gone a long time ago.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:12 PM, on 11/1/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193180590097
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 7849 bytes
-
I had Limewire about a year ago and tried to download something that ended up being something entirely different. It was infected and I thought I had got rid of it and resolved this whole issue. Like I said this was about a year ago. After that incident I un-installed Limewire and decided I was through with P2P applications all together. That's why when I was asked about a P2P, I said I don't use them. I had mistakenly thought this infected file was taken care of and gone a long time ago.
No probs. Limewire and Kazaa are 2 of the worst.
If you still have the file see what the date is. It sounds like it will be old ...
Is there any indication of outgoing email? The avast! email provider should warn you if there is, and you might see a general system slowdown.
Are any of the Windows Updates installing successfully?
**I have a one year old so getting all this computer stuff done is hard.
What? You let your real life get on the way of our computer work??? :P
-
If you still have the file see what the date is. It sounds like it will be old ...
Ok, this is weird because the date it was created was Monday, August 13, 2007, 10:32:03 AM. But I could have sworn this was the file that was downloaded with Limewire. And I haven't had Limewire in a very long time. Not sure what's going on there. ??? How would I remove this file? Would I just delete it like a normal file?
Is there any indication of outgoing email?
No, not that I'm aware of
haven't tried the updates, but I will right now
-
How would I remove this file? Would I just delete it like a normal file?
Try... clean your Recycle bin after that...
-
HELP!!!! My computer is a black screen. :o
I tried to install my first group of 5 updates. When I restarted I got a Microsoft error message saying Windows Explorer has encountered a problem. Nothing comes up after that, no desktop, no files or folders, nothing! The only way I'm able to get online is by sending the error report. It then brings me to the Microsoft error reporting website, then after that I can go anywhere online.
I tried last known good configuration and safe mode, but nothing works. These are the updates I tried to install; KB886185, KB896727, KB929123, KB873374, KB931906, KB913580 (this last one I didn't select, but it got installed anyway).
-
This may be your problem. Read it and maybe someone here can guide you through it. Sorry, I'm win98se.
http://support.microsoft.com/kb/314503
-
Does the computer boot now, or is it not functioning at all?
-
Ok my computer is back up. I somehow, I'm not even sure how, I found a way to get into my folders and run system restore. I didn't know what else to do. So here I am back where I started. And now I'm scared to install any updates. :-\ I did delete the file though (C:\Documents and Settings\Tara & Paul\Incomplete\T-872159-Microsoft Internet Explorer 7.0.zip/Setup.exe).
-
The lack of security patches is a big part of why you're getting so easily reinfected. Are you willing to try the 2nd group of 5 updates?
-
And now I'm scared to install any updates.
Why? The updates is precisely what protect you...
-
Are you willing to try the 2nd group of 5 updates?
The only thing I could do to get my computer working again was system restore. So, the group of 5 I installed were uninstalled. Should I do them again or a new set of 5? I'm getting confused as to how this is helping my computer if I keep having to do a sytem restore and therfore the updates are unistalled. I feel like I'm going is circles. The updates are not installing properly.
-
I feel like I'm going is circles. The updates are not installing properly.
Sometimes this happens, I mean, the update is reported as necessary (mandatory) but it can't be installed. On Windows Update site (when you're trying to update), a link to the 'error' message will be shown. You'll be probably redirected to some Microsoft page of the Knowledge Base and from there we can speculate more. Can you post these links for us?
Besides the updates does not 'install', can you run your system after that or not?
-
Besides the updates does not 'install', can you run your system after that or not?
Nope
-
Besides the updates does not 'install', can you run your system after that or not?
Nope
So, it's better not to update.
Can you post the KB info (number) of each MS update being addressed?
-
Tech, I think this is what you wanted...
KB886185, KB896727, KB929123, KB873374, KB931906, KB913580
If it isn't what you were asking for then please let me know. :P
-
Tech, I think this is what you wanted...
KB886185, KB896727, KB929123, KB873374, KB931906, KB913580
If it isn't what you were asking for then please let me know. :P
I'll need time to research... maybe tomorrow morning or night... sorry.
-
Maybe you can download the updates:
KB886185 (http://www.microsoft.com/downloads/details.aspx?familyid=da66a0ac-55ca-4591-b3e6-d78695899141&displaylang=en)
KB896727 (http://www.microsoft.com/downloads/details.aspx?familyid=648B6F0E-1695-44E5-826A-43406DF4858E&displaylang=en)
KB929123 (http://support.microsoft.com/?scid=kb%3Ben-us%3B929123&x=15&y=21)
KB873374 (http://www.microsoft.com/downloads/details.aspx?familyid=71CD9E74-7142-4780-83E5-CE54401DA1D1&displaylang=en)
KB931906 (http://www.microsoft.com/downloads/details.aspx?familyid=CA930018-4A66-4DA6-A6C5-206DF13AF316&displaylang=en)
KB913580 (http://www.microsoft.com/downloads/details.aspx?familyid=d80b43b2-727b-46b6-82d1-f2cbd916fe32&displaylang=en)
And install using troubleshooting methods:
How to troubleshoot common Windows Update, Microsoft Update, and Windows Server Update Services installation issues (http://support.microsoft.com/?scid=kb%3Ben-us%3B906602&x=7&y=12)
-
I'm not sure if this will help but I found my WindowsUpdate log. I tried reading it to see if I could find any error codes but really don't know how to read it. Although I do see a bunch of things with failure warnings. I just thought maybe it could help troubleshoot why this is happeneing. Let me know if I should post it or not.
-
I never read this log... but we have nothing to lose...
-
Here is the log from when I tried to install update KB886185
[KB886185.log]
9.163: ================================================================================
9.163: 2007/02/28 11:13:03.371 (local)
9.163: C:\WINDOWS\SoftwareDistribution\Download\35d340428a8f32f0a91986e753c6e613\update\update.exe (version 5.5.33.0)
9.163: Failed To Enable SE_SHUTDOWN_PRIVILEGE
9.233: Service Pack started with following command line: -q /Z -ER /ParentInfo:673aa638f3f9a74b9f323194ada04dab
21.360: DoInstallation: CleanPFR failed: 0x2
21.440: SetProductTypes: InfProductBuildType=BuildType.Sel
21.461: SetAltOsLoaderPath: No section uses DirId 65701; done.
22.272: DoInstallation: FetchSourceURL for c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2GDR.inf failed
22.272: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB886185$
22.482: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
24.375: BuildCabinetManifest: update.url absent
24.435: Starting AnalyzeComponents
24.435: AnalyzePhaseZero used 0 ticks
24.435: No c:\windows\INF\updtblk.inf file.
24.455: OEM file scan used 20 ticks
24.685: AnalyzePhaseOne: used 250 ticks
24.685: AnalyzeComponents: Hotpatch analysis disabled; skipping.
24.685: AnalyzeComponents: Hotpatching is disabled.
24.685: FindFirstFile c:\windows\$hf_mig$\*.*
24.765: KB886185 Setup encountered an error: The update.ver file is not correct.
24.785: KB886185 Setup encountered an error: The update.ver file is not correct.
24.805: KB886185 Setup encountered an error: The update.ver file is not correct.
24.825: KB886185 Setup encountered an error: The update.ver file is not correct.
24.845: KB886185 Setup encountered an error: The update.ver file is not correct.
24.865: KB886185 Setup encountered an error: The update.ver file is not correct.
24.885: KB886185 Setup encountered an error: The update.ver file is not correct.
25.196: KB886185 Setup encountered an error: The update.ver file is not correct.
25.627: KB886185 Setup encountered an error: The update.ver file is not correct.
25.647: KB886185 Setup encountered an error: The update.ver file is not correct.
25.667: KB886185 Setup encountered an error: The update.ver file is not correct.
25.687: KB886185 Setup encountered an error: The update.ver file is not correct.
25.707: KB886185 Setup encountered an error: The update.ver file is not correct.
25.727: KB886185 Setup encountered an error: The update.ver file is not correct.
26.007: KB886185 Setup encountered an error: The update.ver file is not correct.
26.027: KB886185 Setup encountered an error: The update.ver file is not correct.
26.047: KB886185 Setup encountered an error: The update.ver file is not correct.
26.087: KB886185 Setup encountered an error: The update.ver file is not correct.
26.087: KB886185 Setup encountered an error: The update.ver file is not correct.
26.107: KB886185 Setup encountered an error: The update.ver file is not correct.
26.127: KB886185 Setup encountered an error: The update.ver file is not correct.
26.167: KB886185 Setup encountered an error: The update.ver file is not correct.
26.197: KB886185 Setup encountered an error: The update.ver file is not correct.
26.217: KB886185 Setup encountered an error: The update.ver file is not correct.
26.237: KB886185 Setup encountered an error: The update.ver file is not correct.
26.257: KB886185 Setup encountered an error: The update.ver file is not correct.
26.277: KB886185 Setup encountered an error: The update.ver file is not correct.
26.297: KB886185 Setup encountered an error: The update.ver file is not correct.
26.317: KB886185 Setup encountered an error: The update.ver file is not correct.
26.608: KB886185 Setup encountered an error: The update.ver file is not correct.
26.888: KB886185 Setup encountered an error: The update.ver file is not correct.
26.908: KB886185 Setup encountered an error: The update.ver file is not correct.
26.928: KB886185 Setup encountered an error: The update.ver file is not correct.
26.948: KB886185 Setup encountered an error: The update.ver file is not correct.
26.968: KB886185 Setup encountered an error: The update.ver file is not correct.
26.968: KB886185 Setup encountered an error: The update.ver file is not correct.
26.988: KB886185 Setup encountered an error: The update.ver file is not correct.
27.008: KB886185 Setup encountered an error: The update.ver file is not correct.
27.008: KB886185 Setup encountered an error: The update.ver file is not correct.
27.029: KB886185 Setup encountered an error: The update.ver file is not correct.
-
27.049: AnalyzeForBranching used 20 ticks.
27.239: AnalyzePhaseTwo used 190 ticks
27.239: AnalyzePhaseThree used 0 ticks
27.239: AnalyzePhaseFive used 0 ticks
27.239: AnalyzePhaseSix used 0 ticks
27.259: AnalyzeComponents used 2824 ticks
27.259: Downloading 0 files
27.259: bPatchMode = FALSE
27.259: Inventory complete: ReturnStatus=0, 4967 ticks
27.279: Num Ticks for invent : 5007
33.538: Allocation size of drive C: is 4096 bytes, free space = 26350620672 bytes
34.039: AnalyzeDiskUsage: Skipping EstimateDiskUsageForUninstall.
34.039: Drive C: free 25129MB req: 8MB w/uninstall: NOT CALCULATED.
34.039: CabinetBuild complete
34.039: Num Ticks for Cabinet build : 6760
34.349: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
36.021: Num Ticks for Backup : 1982
36.562: Num Ticks for creating uninst inf : 541
36.592: Registering Uninstall Program for -> KB886185, KB886185 , 0x0
36.602: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
36.963: System Restore Point set.
37.163: PFE2: Not avoiding Per File Exceptions.
38.315: GetCatVersion: Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB886185.cat with error 0x57
38.916: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB886185\update\update_SP2QFE.inf.
39.036: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spuninst.exe -> c:\windows\$hf_mig$\KB886185\spuninst.exe.
39.106: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spmsg.dll -> c:\windows\$hf_mig$\KB886185\spmsg.dll.
39.266: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\spcustom.dll -> c:\windows\$hf_mig$\KB886185\update\spcustom.dll.
39.276: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\KB886185.CAT -> c:\windows\$hf_mig$\KB886185\update\KB886185.CAT.
39.607: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.exe -> c:\windows\$hf_mig$\KB886185\update\update.exe.
39.677: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.ver -> c:\windows\$hf_mig$\KB886185\update\update.ver.
39.737: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\updatebr.inf -> c:\windows\$hf_mig$\KB886185\update\updatebr.inf.
39.807: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\eula.txt -> c:\windows\$hf_mig$\KB886185\update\eula.txt.
39.837: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\branches.inf -> c:\windows\$hf_mig$\KB886185\update\branches.inf.
41.139: Copied file: C:\WINDOWS\system32\DRIVERS\ipnat.sys
41.239: Copied file: C:\WINDOWS\system32\DllCache\ipnat.sys
42.050: Copied file: c:\windows\$hf_mig$\KB886185\SP2QFE\ipnat.sys
42.641: Num Ticks for Copying files : 6079
-
42.671: Num Ticks for Reg update and deleting 0 size files : 30
91.081: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
91.081: IsRebootRequiredForFileQueue: c:\windows\system32\drivers\ipnat.sys was no-delay replaced; reboot is required.
91.081: DoInstallation: A reboot is required to complete the installation of one or more files.
91.301: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
3.786: ================================================================================
3.806: 2007/10/26 09:28:35.188 (local)
3.806: C:\WINDOWS\SoftwareDistribution\Download\35d340428a8f32f0a91986e753c6e613\update\update.exe (version 5.5.33.0)
3.806: Failed To Enable SE_SHUTDOWN_PRIVILEGE
3.906: Service Pack started with following command line: -q /Z -ER /ParentInfo:6bdf785f735fe34badc9e5919ff2a5a4
15.683: ---- Old Information In The Registry ------
15.683: Source:C:\WINDOWS\system32\SET4.tmp (5.2.3790.2847)
15.693: Destination:C:\WINDOWS\system32\hhctrl.ocx (5.2.3790.1166)
15.693: Source:C:\WINDOWS\system32\_000012_.tmp.dll (5.1.2600.2096)
15.693: Destination:
15.703: Source:C:\WINDOWS\system32\SETB.tmp (5.1.2600.2622)
15.703: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
15.703: Source:C:\WINDOWS\system32\SETC.tmp (5.1.2600.2622)
15.713: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
15.713: Source:C:\WINDOWS\system32\SETD.tmp (5.1.2600.2622)
15.713: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
15.713: Source:C:\WINDOWS\system32\_000008_.tmp.dll (5.1.2600.0)
15.713: Destination:
15.723: Source:C:\WINDOWS\system32\SET28.tmp (5.1.2600.2665)
15.723: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
15.723: Source:C:\WINDOWS\system32\SET29.tmp (5.1.2600.2665)
15.733: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
15.733: Source:C:\WINDOWS\system32\SET2A.tmp (5.1.2600.2665)
15.733: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
15.733: Source:C:\WINDOWS\system32\_000005_.tmp.dll (5.1.2600.2096)
15.733: Destination:
15.743: Source:C:\WINDOWS\system32\SET3D.tmp (2001.12.4414.311)
15.743: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
15.743: Source:C:\WINDOWS\system32\SET3E.tmp (2001.12.4414.311)
15.753: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
15.753: Source:C:\WINDOWS\system32\SET51.tmp (5.1.2600.2744)
15.753: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
15.763: Source:C:\WINDOWS\system32\SET55.tmp (6.0.2900.2869)
15.763: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
15.763: ---- New Information In The Registry ------
15.763: Source:C:\WINDOWS\system32\SET4.tmp (5.2.3790.2847)
15.773: Destination:C:\WINDOWS\system32\hhctrl.ocx (5.2.3790.1166)
15.773: Source:C:\WINDOWS\system32\_000012_.tmp.dll (5.1.2600.2096)
15.773: Destination:
15.773: Source:C:\WINDOWS\system32\SETB.tmp (5.1.2600.2622)
15.783: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
15.783: Source:C:\WINDOWS\system32\SETC.tmp (5.1.2600.2622)
15.783: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
15.783: Source:C:\WINDOWS\system32\SETD.tmp (5.1.2600.2622)
15.783: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
15.783: Source:C:\WINDOWS\system32\_000008_.tmp.dll (5.1.2600.0)
15.783: Destination:
15.793: Source:C:\WINDOWS\system32\SET28.tmp (5.1.2600.2665)
15.793: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
15.793: Source:C:\WINDOWS\system32\SET29.tmp (5.1.2600.2665)
15.793: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
15.793: Source:C:\WINDOWS\system32\SET2A.tmp (5.1.2600.2665)
15.793: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
15.803: Source:C:\WINDOWS\system32\_000005_.tmp.dll (5.1.2600.2096)
15.803: Destination:
15.803: Source:C:\WINDOWS\system32\SET3D.tmp (2001.12.4414.311)
15.803: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
15.803: Source:C:\WINDOWS\system32\SET3E.tmp (2001.12.4414.311)
15.803: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
15.803: Source:C:\WINDOWS\system32\SET51.tmp (5.1.2600.2744)
15.803: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
15.813: Source:C:\WINDOWS\system32\SET55.tmp (6.0.2900.2869)
15.813: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
15.823: SetProductTypes: InfProductBuildType=BuildType.Sel
15.833: SetAltOsLoaderPath: No section uses DirId 65701; done.
15.883: DoInstallation: FetchSourceURL for c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2GDR.inf failed
15.883: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB886185$
16.103: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
16.784: BuildCabinetManifest: update.url absent
-
16.784: Starting AnalyzeComponents
16.784: AnalyzePhaseZero used 0 ticks
16.784: No c:\windows\INF\updtblk.inf file.
16.784: OEM file scan used 0 ticks
16.844: AnalyzePhaseOne: used 60 ticks
16.844: AnalyzeComponents: Hotpatch analysis disabled; skipping.
16.844: AnalyzeComponents: Hotpatching is disabled.
16.844: FindFirstFile c:\windows\$hf_mig$\*.*
16.844: KB886185 Setup encountered an error: The update.ver file is not correct.
16.844: KB886185 Setup encountered an error: The update.ver file is not correct.
16.844: KB886185 Setup encountered an error: The update.ver file is not correct.
16.844: KB886185 Setup encountered an error: The update.ver file is not correct.
16.844: KB886185 Setup encountered an error: The update.ver file is not correct.
16.844: KB886185 Setup encountered an error: The update.ver file is not correct.
16.864: KB886185 Setup encountered an error: The update.ver file is not correct.
16.864: KB886185 Setup encountered an error: The update.ver file is not correct.
16.874: KB886185 Setup encountered an error: The update.ver file is not correct.
16.884: KB886185 Setup encountered an error: The update.ver file is not correct.
16.894: KB886185 Setup encountered an error: The update.ver file is not correct.
16.894: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.915: KB886185 Setup encountered an error: The update.ver file is not correct.
16.935: KB886185 Setup encountered an error: The update.ver file is not correct.
16.935: KB886185 Setup encountered an error: The update.ver file is not correct.
16.935: KB886185 Setup encountered an error: The update.ver file is not correct.
16.935: KB886185 Setup encountered an error: The update.ver file is not correct.
16.935: KB886185 Setup encountered an error: The update.ver file is not correct.
16.945: KB886185 Setup encountered an error: The update.ver file is not correct.
16.945: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.955: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.965: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.975: KB886185 Setup encountered an error: The update.ver file is not correct.
16.985: KB886185 Setup encountered an error: The update.ver file is not correct.
16.985: KB886185 Setup encountered an error: The update.ver file is not correct.
16.985: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
16.995: KB886185 Setup encountered an error: The update.ver file is not correct.
17.005: KB886185 Setup encountered an error: The update.ver file is not correct.
17.005: KB886185 Setup encountered an error: The update.ver file is not correct.
17.005: KB886185 Setup encountered an error: The update.ver file is not correct.
17.015: AnalyzeForBranching used 10 ticks.
17.305: AnalyzePhaseTwo used 290 ticks
17.305: AnalyzePhaseThree used 0 ticks
17.305: AnalyzePhaseFive used 0 ticks
17.305: AnalyzePhaseSix used 0 ticks
17.305: AnalyzeComponents used 521 ticks
17.305: Downloading 0 files
17.305: bPatchMode = FALSE
17.305: Inventory complete: ReturnStatus=0, 1422 ticks
17.305: Num Ticks for invent : 1422
17.956: Allocation size of drive C: is 4096 bytes, free space = 12784857088 bytes
17.956: Free space of directory c:\windows adjusted to 12784791552
18.577: AnalyzeDiskUsage: Skipping EstimateDiskUsageForUninstall.
18.577: Drive C: free 12192MB req: 8MB w/uninstall: NOT CALCULATED.
-
18.577: CabinetBuild complete
18.577: Num Ticks for Cabinet build : 1272
18.647: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
19.418: Num Ticks for Backup : 841
20.460: Num Ticks for creating uninst inf : 1042
20.470: Registering Uninstall Program for -> KB886185, KB886185 , 0x0
20.470: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
21.081: System Restore Point set.
21.151: PFE2: Not avoiding Per File Exceptions.
22.252: GetCatVersion: Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB886185.cat with error 0x57
22.773: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB886185\update\update_SP2QFE.inf.
22.843: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spuninst.exe -> c:\windows\$hf_mig$\KB886185\spuninst.exe.
22.883: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spmsg.dll -> c:\windows\$hf_mig$\KB886185\spmsg.dll.
23.264: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\spcustom.dll -> c:\windows\$hf_mig$\KB886185\update\spcustom.dll.
23.274: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\KB886185.CAT -> c:\windows\$hf_mig$\KB886185\update\KB886185.CAT.
23.454: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.exe -> c:\windows\$hf_mig$\KB886185\update\update.exe.
23.464: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.ver -> c:\windows\$hf_mig$\KB886185\update\update.ver.
23.564: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\updatebr.inf -> c:\windows\$hf_mig$\KB886185\update\updatebr.inf.
23.604: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\eula.txt -> c:\windows\$hf_mig$\KB886185\update\eula.txt.
23.664: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\branches.inf -> c:\windows\$hf_mig$\KB886185\update\branches.inf.
24.816: Copied file: C:\WINDOWS\system32\DRIVERS\ipnat.sys
24.836: Copied file: C:\WINDOWS\system32\DllCache\ipnat.sys
25.377: Copied file: c:\windows\$hf_mig$\KB886185\SP2QFE\ipnat.sys
26.018: Num Ticks for Copying files : 5558
26.028: Num Ticks for Reg update and deleting 0 size files : 10
26.158: ---- Old Information In The Registry ------
26.168: Source:C:\WINDOWS\system32\SET4.tmp (5.2.3790.2847)
26.168: Destination:C:\WINDOWS\system32\hhctrl.ocx (5.2.3790.1166)
26.168: Source:C:\WINDOWS\system32\_000012_.tmp.dll (5.1.2600.2096)
26.168: Destination:
26.178: Source:C:\WINDOWS\system32\SETB.tmp (5.1.2600.2622)
26.178: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
26.188: Source:C:\WINDOWS\system32\SETC.tmp (5.1.2600.2622)
26.188: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
26.198: Source:C:\WINDOWS\system32\SETD.tmp (5.1.2600.2622)
26.198: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
26.198: Source:C:\WINDOWS\system32\_000008_.tmp.dll (5.1.2600.0)
26.198: Destination:
26.198: Source:C:\WINDOWS\system32\SET28.tmp (5.1.2600.2665)
26.238: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
26.238: Source:C:\WINDOWS\system32\SET29.tmp (5.1.2600.2665)
26.238: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
26.248: Source:C:\WINDOWS\system32\SET2A.tmp (5.1.2600.2665)
26.248: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
26.248: Source:C:\WINDOWS\system32\_000005_.tmp.dll (5.1.2600.2096)
26.248: Destination:
26.258: Source:C:\WINDOWS\system32\SET3D.tmp (2001.12.4414.311)
26.258: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
26.268: Source:C:\WINDOWS\system32\SET3E.tmp (2001.12.4414.311)
26.268: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
26.278: Source:C:\WINDOWS\system32\SET51.tmp (5.1.2600.2744)
26.278: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
26.288: Source:C:\WINDOWS\system32\SET55.tmp (6.0.2900.2869)
26.288: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
26.288: ---- New Information In The Registry ------
26.288: Source:C:\WINDOWS\system32\SET4.tmp (5.2.3790.2847)
26.288: Destination:C:\WINDOWS\system32\hhctrl.ocx (5.2.3790.1166)
26.298: Source:C:\WINDOWS\system32\_000012_.tmp.dll (5.1.2600.2096)
26.298: Destination:
26.298: Source:C:\WINDOWS\system32\SETB.tmp (5.1.2600.2622)
26.298: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
26.298: Source:C:\WINDOWS\system32\SETC.tmp (5.1.2600.2622)
26.298: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
26.308: Source:C:\WINDOWS\system32\SETD.tmp (5.1.2600.2622)
26.308: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
26.308: Source:C:\WINDOWS\system32\_000008_.tmp.dll (5.1.2600.0)
26.308: Destination:
26.308: Source:C:\WINDOWS\system32\SET28.tmp (5.1.2600.2665)
26.308: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
26.308: Source:C:\WINDOWS\system32\SET29.tmp (5.1.2600.2665)
26.318: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
26.318: Source:C:\WINDOWS\system32\SET2A.tmp (5.1.2600.2665)
26.328: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
26.328: Source:C:\WINDOWS\system32\_000005_.tmp.dll (5.1.2600.2096)
26.328: Destination:
26.328: Source:C:\WINDOWS\system32\SET3D.tmp (2001.12.4414.311)
26.328: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
26.328: Source:C:\WINDOWS\system32\SET3E.tmp (2001.12.4414.311)
26.328: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
-
26.338: Source:C:\WINDOWS\system32\SET51.tmp (5.1.2600.2744)
26.338: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
26.338: Source:C:\WINDOWS\system32\SET55.tmp (6.0.2900.2869)
26.338: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
34.670: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
34.670: IsRebootRequiredForFileQueue: c:\windows\system32\drivers\ipnat.sys was no-delay replaced; reboot is required.
34.670: DoInstallation: A reboot is required to complete the installation of one or more files.
34.760: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
3.184: ================================================================================
3.204: 2007/10/28 12:18:27.940 (local)
3.204: C:\WINDOWS\SoftwareDistribution\Download\35d340428a8f32f0a91986e753c6e613\update\update.exe (version 5.5.33.0)
3.204: Failed To Enable SE_SHUTDOWN_PRIVILEGE
3.254: Service Pack started with following command line: -q /Z -ER /ParentInfo:029e2bd9fa2ed4449720d7beb2855d44
9.764: ---- Old Information In The Registry ------
9.764: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\nsProcess.dll
9.764: Destination:
9.764: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\
9.764: Destination:
9.774: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\_iu14D2N.tmp (51.43.0.0)
9.774: Destination:
9.774: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\A~NSISu_.exe
9.774: Destination:
9.774: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
9.774: Destination:
9.774: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp
9.774: Destination:
9.774: Source:C:\Program Files\alot\bin\alot.dll (1.0.1.0)
9.774: Destination:
9.774: Source:C:\Program Files\alot\bin\
9.774: Destination:
9.774: Source:C:\Program Files\alot\
9.774: Destination:
9.774: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
9.774: Destination:
9.784: Source:C:\Program Files\Yahoo!\Common\yiesrvc.dll (2006.10.31.3)
9.784: Destination:
9.784: Source:C:\Program Files\Yahoo!\Common\YIeTagBm.dll (2006.7.28.1)
9.784: Destination:
9.784: Source:C:\Program Files\Yahoo!\Common\YShortcut.dll (2006.8.15.1)
9.784: Destination:
9.784: Source:C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL (2007.3.15.1)
9.784: Destination:
9.784: Source:C:\WINDOWS\system32\_000013_.tmp.dll (5.1.2600.2096)
9.784: Destination:
9.794: Source:C:\WINDOWS\system32\SET174.tmp (5.1.2600.2622)
9.794: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
9.804: Source:C:\WINDOWS\system32\SET175.tmp (5.1.2600.2622)
9.804: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
9.804: Source:C:\WINDOWS\system32\SET176.tmp (5.1.2600.2622)
9.804: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
9.804: Source:C:\WINDOWS\system32\_000009_.tmp.dll (5.1.2600.0)
9.804: Destination:
9.814: Source:C:\WINDOWS\system32\SET191.tmp (5.1.2600.2665)
9.814: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
9.824: Source:C:\WINDOWS\system32\SET192.tmp (5.1.2600.2665)
9.824: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
9.824: Source:C:\WINDOWS\system32\SET193.tmp (5.1.2600.2665)
9.824: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
9.834: Source:C:\WINDOWS\system32\_000006_.tmp.dll (5.1.2600.2096)
9.834: Destination:
9.834: Source:C:\WINDOWS\system32\SET1AD.tmp (2001.12.4414.311)
9.834: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
9.844: Source:C:\WINDOWS\system32\SET1AE.tmp (2001.12.4414.311)
9.844: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
9.854: Source:C:\WINDOWS\system32\SET1C1.tmp (5.1.2600.2744)
9.854: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
9.864: Source:C:\WINDOWS\system32\SET1C5.tmp (6.0.2900.2869)
9.864: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
9.864: ---- New Information In The Registry ------
9.864: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\nsProcess.dll
-
9.864: Destination:
9.864: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\
9.864: Destination:
9.864: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\_iu14D2N.tmp (51.43.0.0)
9.864: Destination:
9.874: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\A~NSISu_.exe
9.874: Destination:
9.874: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
9.874: Destination:
9.874: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp
9.874: Destination:
9.874: Source:C:\Program Files\alot\bin\alot.dll (1.0.1.0)
9.874: Destination:
9.874: Source:C:\Program Files\alot\bin\
9.874: Destination:
9.874: Source:C:\Program Files\alot\
9.874: Destination:
9.874: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
9.874: Destination:
9.874: Source:C:\Program Files\Yahoo!\Common\yiesrvc.dll (2006.10.31.3)
9.874: Destination:
9.884: Source:C:\Program Files\Yahoo!\Common\YIeTagBm.dll (2006.7.28.1)
9.884: Destination:
9.884: Source:C:\Program Files\Yahoo!\Common\YShortcut.dll (2006.8.15.1)
9.884: Destination:
9.884: Source:C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL (2007.3.15.1)
9.884: Destination:
9.884: Source:C:\WINDOWS\system32\_000013_.tmp.dll (5.1.2600.2096)
9.884: Destination:
9.884: Source:C:\WINDOWS\system32\SET174.tmp (5.1.2600.2622)
9.894: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
9.894: Source:C:\WINDOWS\system32\SET175.tmp (5.1.2600.2622)
9.894: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
9.894: Source:C:\WINDOWS\system32\SET176.tmp (5.1.2600.2622)
9.894: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
9.904: Source:C:\WINDOWS\system32\_000009_.tmp.dll (5.1.2600.0)
9.904: Destination:
9.904: Source:C:\WINDOWS\system32\SET191.tmp (5.1.2600.2665)
9.904: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
9.904: Source:C:\WINDOWS\system32\SET192.tmp (5.1.2600.2665)
9.904: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
9.904: Source:C:\WINDOWS\system32\SET193.tmp (5.1.2600.2665)
9.904: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
9.914: Source:C:\WINDOWS\system32\_000006_.tmp.dll (5.1.2600.2096)
9.914: Destination:
9.914: Source:C:\WINDOWS\system32\SET1AD.tmp (2001.12.4414.311)
9.914: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
9.914: Source:C:\WINDOWS\system32\SET1AE.tmp (2001.12.4414.311)
9.914: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
9.914: Source:C:\WINDOWS\system32\SET1C1.tmp (5.1.2600.2744)
9.924: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
9.924: Source:C:\WINDOWS\system32\SET1C5.tmp (6.0.2900.2869)
9.924: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
9.944: SetProductTypes: InfProductBuildType=BuildType.Sel
9.944: SetAltOsLoaderPath: No section uses DirId 65701; done.
9.984: DoInstallation: FetchSourceURL for c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2GDR.inf failed
9.984: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB886185$
10.064: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
10.345: BuildCabinetManifest: update.url absent
10.345: Starting AnalyzeComponents
10.345: AnalyzePhaseZero used 0 ticks
10.345: No c:\windows\INF\updtblk.inf file.
10.345: OEM file scan used 0 ticks
10.405: AnalyzePhaseOne: used 60 ticks
10.405: AnalyzeComponents: Hotpatch analysis disabled; skipping.
10.405: AnalyzeComponents: Hotpatching is disabled.
10.405: FindFirstFile c:\windows\$hf_mig$\*.*
-
10.405: KB886185 Setup encountered an error: The update.ver file is not correct.
10.415: KB886185 Setup encountered an error: The update.ver file is not correct.
10.415: KB886185 Setup encountered an error: The update.ver file is not correct.
10.415: KB886185 Setup encountered an error: The update.ver file is not correct.
10.415: KB886185 Setup encountered an error: The update.ver file is not correct.
10.415: KB886185 Setup encountered an error: The update.ver file is not correct.
10.425: KB886185 Setup encountered an error: The update.ver file is not correct.
10.425: KB886185 Setup encountered an error: The update.ver file is not correct.
10.425: KB886185 Setup encountered an error: The update.ver file is not correct.
10.435: KB886185 Setup encountered an error: The update.ver file is not correct.
10.435: KB886185 Setup encountered an error: The update.ver file is not correct.
10.445: KB886185 Setup encountered an error: The update.ver file is not correct.
10.445: KB886185 Setup encountered an error: The update.ver file is not correct.
10.445: KB886185 Setup encountered an error: The update.ver file is not correct.
10.445: KB886185 Setup encountered an error: The update.ver file is not correct.
10.445: KB886185 Setup encountered an error: The update.ver file is not correct.
10.445: KB886185 Setup encountered an error: The update.ver file is not correct.
10.455: KB886185 Setup encountered an error: The update.ver file is not correct.
10.455: KB886185 Setup encountered an error: The update.ver file is not correct.
10.465: KB886185 Setup encountered an error: The update.ver file is not correct.
10.465: KB886185 Setup encountered an error: The update.ver file is not correct.
10.465: KB886185 Setup encountered an error: The update.ver file is not correct.
10.465: KB886185 Setup encountered an error: The update.ver file is not correct.
10.475: KB886185 Setup encountered an error: The update.ver file is not correct.
10.475: KB886185 Setup encountered an error: The update.ver file is not correct.
10.485: KB886185 Setup encountered an error: The update.ver file is not correct.
10.485: KB886185 Setup encountered an error: The update.ver file is not correct.
10.485: KB886185 Setup encountered an error: The update.ver file is not correct.
10.485: KB886185 Setup encountered an error: The update.ver file is not correct.
10.485: KB886185 Setup encountered an error: The update.ver file is not correct.
10.495: KB886185 Setup encountered an error: The update.ver file is not correct.
10.495: KB886185 Setup encountered an error: The update.ver file is not correct.
10.495: KB886185 Setup encountered an error: The update.ver file is not correct.
10.495: KB886185 Setup encountered an error: The update.ver file is not correct.
10.495: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.505: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.515: KB886185 Setup encountered an error: The update.ver file is not correct.
10.525: KB886185 Setup encountered an error: The update.ver file is not correct.
10.525: KB886185 Setup encountered an error: The update.ver file is not correct.
10.525: KB886185 Setup encountered an error: The update.ver file is not correct.
10.525: KB886185 Setup encountered an error: The update.ver file is not correct.
10.525: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.535: KB886185 Setup encountered an error: The update.ver file is not correct.
10.545: KB886185 Setup encountered an error: The update.ver file is not correct.
10.545: KB886185 Setup encountered an error: The update.ver file is not correct.
10.545: KB886185 Setup encountered an error: The update.ver file is not correct.
10.555: AnalyzeForBranching used 10 ticks.
10.635: AnalyzePhaseTwo used 80 ticks
10.635: AnalyzePhaseThree used 0 ticks
10.635: AnalyzePhaseFive used 0 ticks
10.635: AnalyzePhaseSix used 0 ticks
10.635: AnalyzeComponents used 290 ticks
10.635: Downloading 0 files
10.635: bPatchMode = FALSE
10.635: Inventory complete: ReturnStatus=0, 651 ticks
10.635: Num Ticks for invent : 651
11.096: Allocation size of drive C: is 4096 bytes, free space = 15110766592 bytes
11.296: AnalyzeDiskUsage: Skipping EstimateDiskUsageForUninstall.
11.296: Drive C: free 14410MB req: 8MB w/uninstall: NOT CALCULATED.
11.296: CabinetBuild complete
11.296: Num Ticks for Cabinet build : 661
11.356: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
11.997: Num Ticks for Backup : 701
-
12.458: Num Ticks for creating uninst inf : 461
12.488: Registering Uninstall Program for -> KB886185, KB886185 , 0x0
12.488: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
12.558: System Restore Point set.
12.608: PFE2: Not avoiding Per File Exceptions.
13.649: GetCatVersion: Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB886185.cat with error 0x57
14.050: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB886185\update\update_SP2QFE.inf.
14.120: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spuninst.exe -> c:\windows\$hf_mig$\KB886185\spuninst.exe.
14.160: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spmsg.dll -> c:\windows\$hf_mig$\KB886185\spmsg.dll.
14.290: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\spcustom.dll -> c:\windows\$hf_mig$\KB886185\update\spcustom.dll.
14.320: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\KB886185.CAT -> c:\windows\$hf_mig$\KB886185\update\KB886185.CAT.
14.501: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.exe -> c:\windows\$hf_mig$\KB886185\update\update.exe.
14.511: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.ver -> c:\windows\$hf_mig$\KB886185\update\update.ver.
14.521: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\updatebr.inf -> c:\windows\$hf_mig$\KB886185\update\updatebr.inf.
14.551: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\eula.txt -> c:\windows\$hf_mig$\KB886185\update\eula.txt.
14.561: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\branches.inf -> c:\windows\$hf_mig$\KB886185\update\branches.inf.
15.081: Copied file: C:\WINDOWS\system32\DRIVERS\ipnat.sys
15.121: Copied file: C:\WINDOWS\system32\DllCache\ipnat.sys
15.392: Copied file: c:\windows\$hf_mig$\KB886185\SP2QFE\ipnat.sys
15.612: Num Ticks for Copying files : 3154
15.662: Num Ticks for Reg update and deleting 0 size files : 50
15.712: ---- Old Information In The Registry ------
15.722: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\nsProcess.dll
15.722: Destination:
15.722: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\
15.722: Destination:
15.722: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\_iu14D2N.tmp (51.43.0.0)
15.722: Destination:
15.722: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\A~NSISu_.exe
15.722: Destination:
15.722: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
15.722: Destination:
15.722: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp
15.722: Destination:
15.732: Source:C:\Program Files\alot\bin\alot.dll (1.0.1.0)
15.732: Destination:
15.732: Source:C:\Program Files\alot\bin\
15.732: Destination:
15.732: Source:C:\Program Files\alot\
15.732: Destination:
15.732: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
15.732: Destination:
15.732: Source:C:\Program Files\Yahoo!\Common\yiesrvc.dll (2006.10.31.3)
15.732: Destination:
15.732: Source:C:\Program Files\Yahoo!\Common\YIeTagBm.dll (2006.7.28.1)
15.732: Destination:
15.732: Source:C:\Program Files\Yahoo!\Common\YShortcut.dll (2006.8.15.1)
15.732: Destination:
15.742: Source:C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL (2007.3.15.1)
15.742: Destination:
15.742: Source:C:\WINDOWS\system32\_000013_.tmp.dll (5.1.2600.2096)
15.742: Destination:
15.742: Source:C:\WINDOWS\system32\SET174.tmp (5.1.2600.2622)
15.752: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
15.752: Source:C:\WINDOWS\system32\SET175.tmp (5.1.2600.2622)
15.752: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
15.762: Source:C:\WINDOWS\system32\SET176.tmp (5.1.2600.2622)
15.762: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
15.762: Source:C:\WINDOWS\system32\_000009_.tmp.dll (5.1.2600.0)
15.762: Destination:
15.762: Source:C:\WINDOWS\system32\SET191.tmp (5.1.2600.2665)
15.772: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
15.772: Source:C:\WINDOWS\system32\SET192.tmp (5.1.2600.2665)
15.772: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
15.782: Source:C:\WINDOWS\system32\SET193.tmp (5.1.2600.2665)
15.782: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
15.782: Source:C:\WINDOWS\system32\_000006_.tmp.dll (5.1.2600.2096)
15.782: Destination:
15.792: Source:C:\WINDOWS\system32\SET1AD.tmp (2001.12.4414.311)
15.792: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
15.792: Source:C:\WINDOWS\system32\SET1AE.tmp (2001.12.4414.311)
15.792: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
15.802: Source:C:\WINDOWS\system32\SET1C1.tmp (5.1.2600.2744)
15.802: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
15.812: Source:C:\WINDOWS\system32\SET1C5.tmp (6.0.2900.2869)
15.812: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
-
15.812: ---- New Information In The Registry ------
15.812: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\nsProcess.dll
15.812: Destination:
15.812: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\nse3E.tmp\
15.812: Destination:
15.812: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\_iu14D2N.tmp (51.43.0.0)
15.812: Destination:
15.822: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\A~NSISu_.exe
15.822: Destination:
15.822: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
15.822: Destination:
15.822: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp
15.822: Destination:
15.822: Source:C:\Program Files\alot\bin\alot.dll (1.0.1.0)
15.822: Destination:
15.822: Source:C:\Program Files\alot\bin\
15.822: Destination:
15.822: Source:C:\Program Files\alot\
15.822: Destination:
15.822: Source:C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe (2007.7.12.2)
15.822: Destination:
15.822: Source:C:\Program Files\Yahoo!\Common\yiesrvc.dll (2006.10.31.3)
15.822: Destination:
15.832: Source:C:\Program Files\Yahoo!\Common\YIeTagBm.dll (2006.7.28.1)
15.832: Destination:
15.832: Source:C:\Program Files\Yahoo!\Common\YShortcut.dll (2006.8.15.1)
15.832: Destination:
15.832: Source:C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL (2007.3.15.1)
15.832: Destination:
15.832: Source:C:\WINDOWS\system32\_000013_.tmp.dll (5.1.2600.2096)
15.832: Destination:
15.832: Source:C:\WINDOWS\system32\SET174.tmp (5.1.2600.2622)
15.832: Destination:C:\WINDOWS\system32\winsrv.dll (5.1.2600.2096)
15.842: Source:C:\WINDOWS\system32\SET175.tmp (5.1.2600.2622)
15.842: Destination:C:\WINDOWS\system32\user32.dll (5.1.2600.2096)
15.842: Source:C:\WINDOWS\system32\SET176.tmp (5.1.2600.2622)
15.842: Destination:C:\WINDOWS\system32\authz.dll (5.1.2600.2096)
15.842: Source:C:\WINDOWS\system32\_000009_.tmp.dll (5.1.2600.0)
15.842: Destination:
15.852: Source:C:\WINDOWS\system32\SET191.tmp (5.1.2600.2665)
15.852: Destination:C:\WINDOWS\system32\rpcss.dll (5.1.2600.2096)
15.852: Source:C:\WINDOWS\system32\SET192.tmp (5.1.2600.2665)
15.862: Destination:C:\WINDOWS\system32\olecli32.dll (5.1.2600.0)
15.862: Source:C:\WINDOWS\system32\SET193.tmp (5.1.2600.2665)
15.862: Destination:C:\WINDOWS\system32\ole32.dll (5.1.2600.2096)
15.862: Source:C:\WINDOWS\system32\_000006_.tmp.dll (5.1.2600.2096)
15.862: Destination:
15.862: Source:C:\WINDOWS\system32\SET1AD.tmp (2001.12.4414.311)
15.873: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
15.873: Source:C:\WINDOWS\system32\SET1AE.tmp (2001.12.4414.311)
15.873: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
15.873: Source:C:\WINDOWS\system32\SET1C1.tmp (5.1.2600.2744)
15.873: Destination:C:\WINDOWS\system32\umpnpmgr.dll (5.1.2600.2096)
15.873: Source:C:\WINDOWS\system32\SET1C5.tmp (6.0.2900.2869)
15.883: Destination:C:\WINDOWS\system32\shell32.dll (6.0.2900.2096)
18.657: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
18.657: IsRebootRequiredForFileQueue: c:\windows\system32\drivers\ipnat.sys was no-delay replaced; reboot is required.
18.657: DoInstallation: A reboot is required to complete the installation of one or more files.
19.007: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
15.983: ================================================================================
16.003: 2007/11/01 16:11:50.535 (local)
16.003: C:\WINDOWS\SoftwareDistribution\Download\35d340428a8f32f0a91986e753c6e613\update\update.exe (version 5.5.33.0)
16.003: Failed To Enable SE_SHUTDOWN_PRIVILEGE
16.023: Service Pack started with following command line: -q /Z -ER /ParentInfo:eca8a1994017774283100644797c6cbf
20.349: ---- Old Information In The Registry ------
20.429: Source:C:\WINDOWS\system32\SETC.tmp (2001.12.4414.311)
20.429: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
20.439: Source:C:\WINDOWS\system32\SETD.tmp (2001.12.4414.311)
20.439: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
20.439: ---- New Information In The Registry ------
20.439: Source:C:\WINDOWS\system32\SETC.tmp (2001.12.4414.311)
20.439: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
20.439: Source:C:\WINDOWS\system32\SETD.tmp (2001.12.4414.311)
20.449: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
20.489: SetProductTypes: InfProductBuildType=BuildType.Sel
20.489: SetAltOsLoaderPath: No section uses DirId 65701; done.
20.759: DoInstallation: FetchSourceURL for c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2GDR.inf failed
20.759: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB886185$
20.809: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
21.330: BuildCabinetManifest: update.url absent
21.330: Starting AnalyzeComponents
21.330: AnalyzePhaseZero used 0 ticks
21.330: No c:\windows\INF\updtblk.inf file.
21.330: OEM file scan used 0 ticks
21.390: AnalyzePhaseOne: used 60 ticks
21.390: AnalyzeComponents: Hotpatch analysis disabled; skipping.
21.390: AnalyzeComponents: Hotpatching is disabled.
21.390: FindFirstFile c:\windows\$hf_mig$\*.*
-
21.400: KB886185 Setup encountered an error: The update.ver file is not correct.
21.400: KB886185 Setup encountered an error: The update.ver file is not correct.
21.400: KB886185 Setup encountered an error: The update.ver file is not correct.
21.400: KB886185 Setup encountered an error: The update.ver file is not correct.
21.400: KB886185 Setup encountered an error: The update.ver file is not correct.
21.400: KB886185 Setup encountered an error: The update.ver file is not correct.
21.410: KB886185 Setup encountered an error: The update.ver file is not correct.
21.410: KB886185 Setup encountered an error: The update.ver file is not correct.
21.410: KB886185 Setup encountered an error: The update.ver file is not correct.
21.410: KB886185 Setup encountered an error: The update.ver file is not correct.
21.410: KB886185 Setup encountered an error: The update.ver file is not correct.
21.430: KB886185 Setup encountered an error: The update.ver file is not correct.
21.430: KB886185 Setup encountered an error: The update.ver file is not correct.
21.430: KB886185 Setup encountered an error: The update.ver file is not correct.
21.440: KB886185 Setup encountered an error: The update.ver file is not correct.
21.440: KB886185 Setup encountered an error: The update.ver file is not correct.
21.440: KB886185 Setup encountered an error: The update.ver file is not correct.
21.440: KB886185 Setup encountered an error: The update.ver file is not correct.
21.450: KB886185 Setup encountered an error: The update.ver file is not correct.
21.450: KB886185 Setup encountered an error: The update.ver file is not correct.
21.450: KB886185 Setup encountered an error: The update.ver file is not correct.
21.450: KB886185 Setup encountered an error: The update.ver file is not correct.
21.450: KB886185 Setup encountered an error: The update.ver file is not correct.
21.460: KB886185 Setup encountered an error: The update.ver file is not correct.
21.460: KB886185 Setup encountered an error: The update.ver file is not correct.
21.460: KB886185 Setup encountered an error: The update.ver file is not correct.
21.460: KB886185 Setup encountered an error: The update.ver file is not correct.
21.470: KB886185 Setup encountered an error: The update.ver file is not correct.
21.470: KB886185 Setup encountered an error: The update.ver file is not correct.
21.480: KB886185 Setup encountered an error: The update.ver file is not correct.
21.480: KB886185 Setup encountered an error: The update.ver file is not correct.
21.480: KB886185 Setup encountered an error: The update.ver file is not correct.
21.480: KB886185 Setup encountered an error: The update.ver file is not correct.
21.480: KB886185 Setup encountered an error: The update.ver file is not correct.
21.480: KB886185 Setup encountered an error: The update.ver file is not correct.
21.490: KB886185 Setup encountered an error: The update.ver file is not correct.
21.490: KB886185 Setup encountered an error: The update.ver file is not correct.
21.490: KB886185 Setup encountered an error: The update.ver file is not correct.
21.490: KB886185 Setup encountered an error: The update.ver file is not correct.
21.490: KB886185 Setup encountered an error: The update.ver file is not correct.
21.490: KB886185 Setup encountered an error: The update.ver file is not correct.
21.510: KB886185 Setup encountered an error: The update.ver file is not correct.
21.520: KB886185 Setup encountered an error: The update.ver file is not correct.
21.520: KB886185 Setup encountered an error: The update.ver file is not correct.
21.520: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.531: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.541: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.551: KB886185 Setup encountered an error: The update.ver file is not correct.
21.561: KB886185 Setup encountered an error: The update.ver file is not correct.
21.561: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.571: KB886185 Setup encountered an error: The update.ver file is not correct.
21.601: AnalyzeForBranching used 30 ticks.
21.721: AnalyzePhaseTwo used 120 ticks
21.721: AnalyzePhaseThree used 0 ticks
21.721: AnalyzePhaseFive used 0 ticks
21.721: AnalyzePhaseSix used 0 ticks
21.721: AnalyzeComponents used 391 ticks
21.721: Downloading 0 files
21.721: bPatchMode = FALSE
-
21.721: Inventory complete: ReturnStatus=0, 962 ticks
21.731: Num Ticks for invent : 972
22.392: Allocation size of drive C: is 4096 bytes, free space = 23228149760 bytes
22.392: Free space of directory c:\windows adjusted to 23228084224
22.622: AnalyzeDiskUsage: Skipping EstimateDiskUsageForUninstall.
22.622: Drive C: free 22152MB req: 8MB w/uninstall: NOT CALCULATED.
22.622: CabinetBuild complete
22.622: Num Ticks for Cabinet build : 891
22.722: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
23.964: Num Ticks for Backup : 1342
24.475: Num Ticks for creating uninst inf : 511
24.555: Registering Uninstall Program for -> KB886185, KB886185 , 0x0
24.565: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
25.026: System Restore Point set.
25.096: PFE2: Not avoiding Per File Exceptions.
26.177: GetCatVersion: Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB886185.cat with error 0x57
26.408: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB886185\update\update_SP2QFE.inf.
26.528: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spuninst.exe -> c:\windows\$hf_mig$\KB886185\spuninst.exe.
26.568: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spmsg.dll -> c:\windows\$hf_mig$\KB886185\spmsg.dll.
26.698: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\spcustom.dll -> c:\windows\$hf_mig$\KB886185\update\spcustom.dll.
26.738: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\KB886185.CAT -> c:\windows\$hf_mig$\KB886185\update\KB886185.CAT.
27.048: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.exe -> c:\windows\$hf_mig$\KB886185\update\update.exe.
27.078: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.ver -> c:\windows\$hf_mig$\KB886185\update\update.ver.
27.109: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\updatebr.inf -> c:\windows\$hf_mig$\KB886185\update\updatebr.inf.
27.149: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\eula.txt -> c:\windows\$hf_mig$\KB886185\update\eula.txt.
27.169: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\branches.inf -> c:\windows\$hf_mig$\KB886185\update\branches.inf.
27.769: Copied file: C:\WINDOWS\system32\DRIVERS\ipnat.sys
27.820: Copied file: C:\WINDOWS\system32\DllCache\ipnat.sys
28.460: Copied file: c:\windows\$hf_mig$\KB886185\SP2QFE\ipnat.sys
28.861: Num Ticks for Copying files : 4386
28.921: Num Ticks for Reg update and deleting 0 size files : 60
29.001: ---- Old Information In The Registry ------
29.001: Source:C:\WINDOWS\system32\SETC.tmp (2001.12.4414.311)
29.001: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
29.011: Source:C:\WINDOWS\system32\SETD.tmp (2001.12.4414.311)
29.011: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
29.021: ---- New Information In The Registry ------
29.021: Source:C:\WINDOWS\system32\SETC.tmp (2001.12.4414.311)
29.021: Destination:C:\WINDOWS\system32\mtxoci.dll (2001.12.4414.254)
29.021: Source:C:\WINDOWS\system32\SETD.tmp (2001.12.4414.311)
29.021: Destination:C:\WINDOWS\system32\mtxclu.dll (2001.12.4414.254)
37.994: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
37.994: IsRebootRequiredForFileQueue: c:\windows\system32\drivers\ipnat.sys was no-delay replaced; reboot is required.
37.994: DoInstallation: A reboot is required to complete the installation of one or more files.
38.164: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
10.275: ================================================================================
10.335: 2007/11/06 10:12:51.373 (local)
10.335: C:\WINDOWS\SoftwareDistribution\Download\35d340428a8f32f0a91986e753c6e613\update\update.exe (version 5.5.33.0)
10.335: Failed To Enable SE_SHUTDOWN_PRIVILEGE
10.435: Service Pack started with following command line: -q /Z -ER /ParentInfo:7701dd94aa0ff044bda8cffbfa03bb44
28.321: DoInstallation: CleanPFR failed: 0x2
28.431: SetProductTypes: InfProductBuildType=BuildType.Sel
28.451: SetAltOsLoaderPath: No section uses DirId 65701; done.
29.092: DoInstallation: FetchSourceURL for c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2GDR.inf failed
29.092: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB886185$
29.132: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
29.612: BuildCabinetManifest: update.url absent
29.612: Starting AnalyzeComponents
29.612: AnalyzePhaseZero used 0 ticks
29.612: No c:\windows\INF\updtblk.inf file.
29.612: OEM file scan used 0 ticks
29.672: AnalyzePhaseOne: used 60 ticks
29.672: AnalyzeComponents: Hotpatch analysis disabled; skipping.
29.672: AnalyzeComponents: Hotpatching is disabled.
29.672: FindFirstFile c:\windows\$hf_mig$\*.*
-
29.723: KB886185 Setup encountered an error: The update.ver file is not correct.
29.773: KB886185 Setup encountered an error: The update.ver file is not correct.
29.793: KB886185 Setup encountered an error: The update.ver file is not correct.
29.833: KB886185 Setup encountered an error: The update.ver file is not correct.
29.913: KB886185 Setup encountered an error: The update.ver file is not correct.
29.943: KB886185 Setup encountered an error: The update.ver file is not correct.
29.973: KB886185 Setup encountered an error: The update.ver file is not correct.
30.013: KB886185 Setup encountered an error: The update.ver file is not correct.
30.063: KB886185 Setup encountered an error: The update.ver file is not correct.
30.123: KB886185 Setup encountered an error: The update.ver file is not correct.
30.153: KB886185 Setup encountered an error: The update.ver file is not correct.
30.303: KB886185 Setup encountered an error: The update.ver file is not correct.
30.323: KB886185 Setup encountered an error: The update.ver file is not correct.
30.353: KB886185 Setup encountered an error: The update.ver file is not correct.
30.444: KB886185 Setup encountered an error: The update.ver file is not correct.
30.484: KB886185 Setup encountered an error: The update.ver file is not correct.
30.504: KB886185 Setup encountered an error: The update.ver file is not correct.
30.554: KB886185 Setup encountered an error: The update.ver file is not correct.
30.594: KB886185 Setup encountered an error: The update.ver file is not correct.
30.644: KB886185 Setup encountered an error: The update.ver file is not correct.
30.694: KB886185 Setup encountered an error: The update.ver file is not correct.
30.724: KB886185 Setup encountered an error: The update.ver file is not correct.
30.774: KB886185 Setup encountered an error: The update.ver file is not correct.
30.854: KB886185 Setup encountered an error: The update.ver file is not correct.
30.994: KB886185 Setup encountered an error: The update.ver file is not correct.
31.115: KB886185 Setup encountered an error: The update.ver file is not correct.
31.155: KB886185 Setup encountered an error: The update.ver file is not correct.
31.325: KB886185 Setup encountered an error: The update.ver file is not correct.
31.345: KB886185 Setup encountered an error: The update.ver file is not correct.
31.375: KB886185 Setup encountered an error: The update.ver file is not correct.
31.415: KB886185 Setup encountered an error: The update.ver file is not correct.
31.485: KB886185 Setup encountered an error: The update.ver file is not correct.
31.555: KB886185 Setup encountered an error: The update.ver file is not correct.
31.635: KB886185 Setup encountered an error: The update.ver file is not correct.
31.685: KB886185 Setup encountered an error: The update.ver file is not correct.
31.695: KB886185 Setup encountered an error: The update.ver file is not correct.
31.715: KB886185 Setup encountered an error: The update.ver file is not correct.
31.765: KB886185 Setup encountered an error: The update.ver file is not correct.
31.806: KB886185 Setup encountered an error: The update.ver file is not correct.
31.846: KB886185 Setup encountered an error: The update.ver file is not correct.
31.876: KB886185 Setup encountered an error: The update.ver file is not correct.
32.026: KB886185 Setup encountered an error: The update.ver file is not correct.
32.156: KB886185 Setup encountered an error: The update.ver file is not correct.
32.326: KB886185 Setup encountered an error: The update.ver file is not correct.
32.346: KB886185 Setup encountered an error: The update.ver file is not correct.
32.356: KB886185 Setup encountered an error: The update.ver file is not correct.
32.406: KB886185 Setup encountered an error: The update.ver file is not correct.
32.436: KB886185 Setup encountered an error: The update.ver file is not correct.
32.446: KB886185 Setup encountered an error: The update.ver file is not correct.
32.466: KB886185 Setup encountered an error: The update.ver file is not correct.
32.527: KB886185 Setup encountered an error: The update.ver file is not correct.
32.567: KB886185 Setup encountered an error: The update.ver file is not correct.
32.617: KB886185 Setup encountered an error: The update.ver file is not correct.
32.647: KB886185 Setup encountered an error: The update.ver file is not correct.
32.697: KB886185 Setup encountered an error: The update.ver file is not correct.
32.737: KB886185 Setup encountered an error: The update.ver file is not correct.
32.807: KB886185 Setup encountered an error: The update.ver file is not correct.
32.847: KB886185 Setup encountered an error: The update.ver file is not correct.
32.857: KB886185 Setup encountered an error: The update.ver file is not correct.
32.927: KB886185 Setup encountered an error: The update.ver file is not correct.
32.997: KB886185 Setup encountered an error: The update.ver file is not correct.
33.027: KB886185 Setup encountered an error: The update.ver file is not correct.
33.097: KB886185 Setup encountered an error: The update.ver file is not correct.
33.127: KB886185 Setup encountered an error: The update.ver file is not correct.
33.258: KB886185 Setup encountered an error: The update.ver file is not correct.
33.298: KB886185 Setup encountered an error: The update.ver file is not correct.
33.368: KB886185 Setup encountered an error: The update.ver file is not correct.
33.478: KB886185 Setup encountered an error: The update.ver file is not correct.
33.638: KB886185 Setup encountered an error: The update.ver file is not correct.
33.798: KB886185 Setup encountered an error: The update.ver file is not correct.
33.959: KB886185 Setup encountered an error: The update.ver file is not correct.
34.109: KB886185 Setup encountered an error: The update.ver file is not correct.
34.289: KB886185 Setup encountered an error: The update.ver file is not correct.
34.519: KB886185 Setup encountered an error: The update.ver file is not correct.
34.680: KB886185 Setup encountered an error: The update.ver file is not correct.
34.920: KB886185 Setup encountered an error: The update.ver file is not correct.
35.120: KB886185 Setup encountered an error: The update.ver file is not correct.
35.260: AnalyzeForBranching used 140 ticks.
-
35.641: AnalyzePhaseTwo used 381 ticks
35.641: AnalyzePhaseThree used 0 ticks
35.641: AnalyzePhaseFive used 0 ticks
35.641: AnalyzePhaseSix used 0 ticks
35.641: AnalyzeComponents used 6029 ticks
35.641: Downloading 0 files
35.641: bPatchMode = FALSE
35.641: Inventory complete: ReturnStatus=0, 6549 ticks
35.641: Num Ticks for invent : 6549
40.949: Allocation size of drive C: is 4096 bytes, free space = 22872649728 bytes
40.949: Free space of directory c:\windows adjusted to 22872584192
41.469: AnalyzeDiskUsage: Skipping EstimateDiskUsageForUninstall.
41.469: Drive C: free 21812MB req: 8MB w/uninstall: NOT CALCULATED.
41.469: CabinetBuild complete
41.469: Num Ticks for Cabinet build : 5828
41.620: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
43.292: Num Ticks for Backup : 1823
44.243: Num Ticks for creating uninst inf : 951
44.384: Registering Uninstall Program for -> KB886185, KB886185 , 0x0
44.384: LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
44.594: System Restore Point set.
44.824: PFE2: Not avoiding Per File Exceptions.
45.876: GetCatVersion: Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB886185.cat with error 0x57
46.497: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB886185\update\update_SP2QFE.inf.
46.637: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spuninst.exe -> c:\windows\$hf_mig$\KB886185\spuninst.exe.
46.807: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\spmsg.dll -> c:\windows\$hf_mig$\KB886185\spmsg.dll.
47.138: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\spcustom.dll -> c:\windows\$hf_mig$\KB886185\update\spcustom.dll.
47.158: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\KB886185.CAT -> c:\windows\$hf_mig$\KB886185\update\KB886185.CAT.
47.368: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.exe -> c:\windows\$hf_mig$\KB886185\update\update.exe.
47.378: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\update.ver -> c:\windows\$hf_mig$\KB886185\update\update.ver.
47.408: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\updatebr.inf -> c:\windows\$hf_mig$\KB886185\update\updatebr.inf.
47.438: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\eula.txt -> c:\windows\$hf_mig$\KB886185\update\eula.txt.
47.468: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\35d340428a8f32f0a91986e753c6e613\update\branches.inf -> c:\windows\$hf_mig$\KB886185\update\branches.inf.
48.339: Copied file: C:\WINDOWS\system32\DRIVERS\ipnat.sys
48.449: Copied file: C:\WINDOWS\system32\DllCache\ipnat.sys
49.000: Copied file: c:\windows\$hf_mig$\KB886185\SP2QFE\ipnat.sys
49.541: Num Ticks for Copying files : 5298
49.661: Num Ticks for Reg update and deleting 0 size files : 120
73.746: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
73.746: IsRebootRequiredForFileQueue: c:\windows\system32\drivers\ipnat.sys was no-delay replaced; reboot is required.
73.746: DoInstallation: A reboot is required to complete the installation of one or more files.
74.036: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
-
Sorry, I can't understand the logs.
Indeed Microsoft support is needed. Maybe you can redirect their support team to the posts here.
I know... MS support is very weak, late and terrible... But, after all, these are their software, their updates, their logs... Sorry, I'm lost here.
-
Ok well thanks for your help anyway.
Just to give you a little update I tried a program called dial-a-fix that I found after a lot of research and got the updates to install without any horrible system problems. But, everything still wasn't right. When I restarted I got a few error messages from Avast!, COMODO, and it seemed like there was no internet connection (although there was). Avast! gave me error 10050...
But anyway, I will try with Microsoft and thank you for trying.
-
Since you had to use some potentially infected restore points would you mind posting one more HJT log. I don't think there will be any active infection but I want to make sure no stray registry entries came back.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:44 PM, on 11/6/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193180590097
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 7594 bytes
-
I've been trying to find an easy fix for that failing update but I'm just not. Seems like a common problem but its beyond my ability to fix :(
Well, the HJT log looks clean .......
-
Hi
May I suggest this site? The link to the forum is in the column on the left.
http://aumha.org/
-
I've been trying to find an easy fix for that failing update but I'm just not. Seems like a common problem but its beyond my ability to fix :(
Well, the HJT log looks clean .......
Maybe you can help me with this... I've been on a Windows community forum and they told me to do a few things. I've done everything they've told me to except one thing I can't figure out. this is what they told me It may say "Install is not needed since Windows Update Agent is already installed." If so, then run the exe with the command line switch /wuforce, like this:
WindowsUpdateAgent30-x86.exe /wuforce
to force the install.
How and where do I run the exe with the /wuforce? I don't know where I put the command line. I know this forum has nothing to do with all this, but they won't tell me how to do it even though I've asked about 3 times. and you guys have always been prompt to helping me when I can't figure something out. :)
-
That probably means to open a command window (click Start>Run Type "cmd without the quotes and hit Enter) and issue the command from there.
But could you post a link to that thread so I can make sure I'm telling you the correct thing?
-
The forum is weird and hard to link to, but here I think this will work:
http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsupdate&mid=f6fb943a-97c2-4695-81f6-7475542572a2 (http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsupdate&mid=f6fb943a-97c2-4695-81f6-7475542572a2)
-
I've been trying to find an easy fix for that failing update but I'm just not. Seems like a common problem but its beyond my ability to fix :(
Well, the HJT log looks clean .......
Maybe you can help me with this... I've been on a Windows community forum and they told me to do a few things. I've done everything they've told me to except one thing I can't figure out. this is what they told me It may say "Install is not needed since Windows Update Agent is already installed." If so, then run the exe with the command line switch /wuforce, like this:
WindowsUpdateAgent30-x86.exe /wuforce
to force the install.
How and where do I run the exe with the /wuforce? I don't know where I put the command line. I know this forum has nothing to do with all this, but they won't tell me how to do it even though I've asked about 3 times. and you guys have always been prompt to helping me when I can't figure something out. :)
I followed your link, (never liked that layout)
Click start button, click run
on the box that apears, use the browse function to locate the file WindowsUpdateAgent30-x86.exe , click on that file and click open. The file should now appear in the box. Add to the end of the file name in the box, a space then type /wuforce Click run.
The command line mauserme gave you should do the same thing.
-
Click start button, click run
on the box that apears, use the browse function to locate the file WindowsUpdateAgent30-x86.exe , click on that file and click open. The file should now appear in the box. Add to the end of the file name in the box, a space then type /wuforce Click run.
Pretty much equivalent, but I would go with oldman's in this case ::)
It will be easier.
-
Thanks so much! ;D
-
;D You're welcome. Are the updates working now?