I am running Windows Vista Home Edition. Recently I think a virus or something has ruined my computer. I can no longer download any program from the web, and many of the programs that reside on my hard drive will not function. I am led to believe there is a registry problem. Microsoft's suggestions of doing restores just made the entire situation worse. Any help appreciated.
khwhitaker 0 Junior Poster
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Hi and welcome to the Daniweb forums :).
==========
Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Make sure that you restart the computer.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
==============
Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
khwhitaker 0 Junior Poster
Finally got ESET to work; nothing else will work, however, as I cannot download anything. My keyboard is also jumping all over the place now.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 03:53:02
# local_time=2009-11-04 10:53:02 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 93997415 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196917
# found=0
# cleaned=0
# scan_time=3294
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 01:01:57
# local_time=2009-11-05 08:01:57 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94030234 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196139
# found=0
# cleaned=0
# scan_time=3410
MCSChiefTech 0 Newbie Poster
Hello!
Perhaps a more detailed explanation would help? What exactly do you mean by your keyboard "jumping around"?
What exactly happens when you try to run or download a program? What browser are you using? What antivirus software do you currently have installed on your computer?
Before jumping to the conclusion of a virus, we should definitely eliminate any of the simpler, more mundane things. :)
What I would try before anything is running a chkdsk: Windows Orb > Computer > right-click your C: drive (where Windows is installed) > Properties > Tools > Error Checking, click "Check now" > check both boxes > "Start" > restart your computer. It will take a while, so make sure you don't need to do anything for a while!
Let us have that info and how a chkdsk turns out!
--John, MCS
A+ Certified
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Are you able to download from another pc and save to a flash drive that you can then use on the problematic pc?
khwhitaker 0 Junior Poster
I ran chkdsk yesterday but can't find the log, so I will run it again. What I mean by the keyboard jumping (dumb way to put it, sorry) is that while I am typing, the cursor is jumping all over the place in the midst of typing, and I am not using hotkeys. It's not something I usually have an issue with.
Since having my hard drive replaced last fall I have been using what the IT guy installed: AVG, Spybot, and SUPERAntiSpyware. I run AVG daily, or did; it stopped working this week also. Spybot once a week and SUPERAntiSpyware once weekly. I have updates set on auto, and it seemed to start with an issue with updating Adobe Reader. It would not update and started shutting down while in use, not opening a document from an attachment, etc. It later started affecting Adobe Acrobat Professional in the same ways; now it won't run at all. Now I cannot download anything nor open any attachments. Right now my keyboard is working fine, weird, but earlier it was going crazy.
I will run the disk check again and try to find the file. I think I am doing it right: I went to Admin Tools > Event Viewer > Windows Logs > Application and searched for "Autochk" in the Source column. IDK if I am looking for it in the right place. Thank you very much for your help, and I will post the results as soon as I am able.
khwhitaker 0 Junior Poster
Are you able to download from another pc and save to a flash drive that you can then use on the problematic pc?
That's a great idea, hadn't thought of it. Want me to try this first or do the chkdsk?
MCSChiefTech 0 Newbie Poster
I'd go ahead and try Crunchie's idea first, before taking your computer offline for the 10-20 minutes a chkdsk needs.
To me it really sounds more like some kind of hardware/software issue than a virus. I'd try running something like Memtest or (my preference falls with) Prime95. Google it and download it. It's pretty straightforward to install and use. If it starts turning up errors, your computer could be overheating or there may be an issue with your processor or memory. If that happens, I'd try reapplying thermal paste to your processor and removing and reinstalling your memory.
Just a gut instinct.
You may have to do that through the thumb drive as well.
Go ahead and see if you can scan with MBAM first and then I'd suggest trying Prime95. :)
Let us know how that turns out.
--John, MCS
A+ Certified
khwhitaker 0 Junior Poster
Malwarebytes' Anti-Malware 1.41
Database version: 3107
Windows 6.0.6002 Service Pack 2
11/5/2009 5:29:23 PM
mbam-log-2009-11-05 (17-29-23).txt
Scan type: Full Scan (C:\|)
Objects scanned: 300004
Time elapsed: 1 hour(s), 4 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Logs (Rogue.Intelinet) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Intelinet\Logs\2008_10_15.log (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Windows\System32\urqRIbxu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\system\rundll32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
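The Malwarebytes log above is the first hard evidence in the thread: a driver service (TDSSserv.sys) flagged as Rootkit.TDSS, a rogue security product (Intelinet) with its own service under CurrentControlSet\Services, a DLL in System32 flagged as Trojan.Vundo, a rundll32.exe under C:\Windows\system (not System32) flagged as Trojan.FakeAlert, and the Security Center value UpdatesDisableNotify forced to 1, which is what stops Windows from warning that updates are turned off. The Python script below is an added example, not part of the original post and not Malwarebytes' own code. It parses this 1.x log format into structured findings, checks that the summary counts agree with the detail lines (a mismatch usually means a truncated paste), and tags each finding by the kind of persistence or tampering it represents. The sample input is a trimmed copy of the posted log; the tag names and the tagging rules are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a trimmed copy of the Malwarebytes 1.41 log posted
# above (same line format, same entries; folder/value sections omitted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3107
Windows 6.0.6002 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 300004

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Intelinet\Logs\2008_10_15.log (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Windows\System32\urqRIbxu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\system\rundll32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 3" (summary) vs "Registry Keys Infected:" (section header)
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<object> (<family>) -> [Bad: (x) Good: (y) -> ]<action>"
DETAIL_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?(?P<action>.+)$"
)


@dataclass
class Finding:
    section: str
    obj: str
    family: str
    action: str
    bad: Optional[str] = None   # only for "Registry Data Items" (value MBAM found)
    good: Optional[str] = None  # value MBAM restored


def parse_mbam_log(text):
    """Return (summary counts by section, list of Finding) from an MBAM 1.x log."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = DETAIL_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["obj"], m["family"], m["action"], m["bad"], m["good"]))
    return summary, findings


def counts_consistent(summary, findings):
    """True when each summary count equals the number of detail lines in that section."""
    listed = {}
    for f in findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return all(listed.get(sec, 0) == n for sec, n in summary.items())


def triage(findings):
    """Tag findings by what they say about persistence/tampering (example's own rules)."""
    tags = {}
    for f in findings:
        if f.family.startswith("Rootkit."):
            tag = "rootkit"                      # kernel driver service: expect more hidden
        elif "\\Security Center\\" in f.obj:
            tag = "security_center_tampering"    # warnings silenced, not just malware dropped
        elif "\\CurrentControlSet\\Services\\" in f.obj:
            tag = "service_persistence"
        elif f.family.startswith("Rogue."):
            tag = "rogue_security_product"
        elif f.obj.lower().startswith("c:\\windows\\"):
            tag = "windows_dir_drop"             # binaries placed under %SystemRoot%
        else:
            tag = "other"
        tags.setdefault(tag, []).append(f.obj)
    return tags


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(summary, findings))
    for tag, objs in triage(findings).items():
        print(tag, "->", *objs, sep="\n    ")
```

Running it on the sample prints the rootkit service, the Security Center value, the Intelinet service and the two files under C:\Windows as separate groups. The "rootkit" tag is the one that matters for what crunchie says next: a TDSS driver means the scanner that removed it may not have seen everything, so a second tool is the right move.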
khwhitaker 0 Junior Poster
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:18 PM, on 11/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\Windows\system32\jkkKeCtS.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; Tablet PC 2.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.mofunzone.com/popups/downhill_jam.shtml"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255708832175
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll,diwupesa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Installer - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11642 bytes
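The HijackThis log is the next piece of evidence, and a few lines in it are what an analyst reads first. The O20 AppInit_DLLs line loads avgrsstx.dll (AVG) and diwupesa.dll into every process that links user32.dll; the O2 BHO for jkkKeCtS.dll is marked "(file missing)"; two other entries point at "(no file)"; one O16 DPF entry has no source URL; one O23 service shows "Unknown owner"; and one RunOnce entry carries a third-party URL on its command line. The Python script below is an added example, not part of the original post and not HijackThis' own code. It applies those checks as heuristics to the line formats HJT emits. The AppInit allowlist and the "random-looking name" test are the example's own assumptions, and a hit means "look at this", not "this is malware". The sample input is a subset of the posted log, with the long user-agent string on the Shockwave Updater line shortened.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines taken from the HijackThis log posted above
# (user-agent string on the O4 RunOnce line shortened for readability).
SAMPLE_HJT = r"""R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\Windows\system32\jkkKeCtS.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0)" -"http://www.mofunzone.com/popups/downhill_jam.shtml"
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O20 - AppInit_DLLs: avgrsstx.dll,diwupesa.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption for this example: AppInit DLLs the analyst has already attributed to
# installed security software. avgrsstx.dll is AVG's resident-shield hook, per the
# O20 line and the avg8 paths elsewhere in the same log.
KNOWN_APPINIT = {"avgrsstx.dll"}

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
EIGHT_LETTER_RE = re.compile(r"^[A-Za-z]{8}\.(?:dll|exe)$", re.IGNORECASE)


@dataclass
class Flag:
    code: str    # HJT section code, e.g. "O20"
    reason: str
    line: str


def looks_random(filename):
    """Crude heuristic: 8 letters with lower-to-upper case switches (e.g. jkkKeCtS.dll)."""
    return bool(EIGHT_LETTER_RE.match(filename)) and re.search(r"[a-z][A-Z]", filename) is not None


def triage_hjt(text):
    """Return a list of Flag for every HJT line that trips one of the heuristics."""
    flags = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        # Loading points whose target is gone: residue of a removal, or a name
        # that another component is expected to recreate.
        if "(file missing)" in body or body.endswith("(no file)") or body.endswith(" -"):
            flags.append(Flag(code, "entry points at nothing (file missing / no file / no target)", line))
        # AppInit_DLLs is loaded into every user32-linked process; anything not
        # already attributed deserves a look.
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split(","):
                dll = dll.strip()
                if dll and dll.lower() not in KNOWN_APPINIT:
                    flags.append(Flag(code, f"AppInit DLL not on allowlist: {dll}", line))
        # Autorun entries that embed a remote URL on the command line.
        if code == "O4" and re.search(r"https?://", body):
            flags.append(Flag(code, "autorun entry carries a URL argument", line))
        # Services whose binary has no publisher information.
        if code == "O23" and "Unknown owner" in body:
            flags.append(Flag(code, "service binary has no publisher info", line))
        # Last path component of the line, without any trailing arguments.
        basename = body.rsplit("\\", 1)[-1].split(" ")[0] if "\\" in body else ""
        if looks_random(basename):
            flags.append(Flag(code, f"random-looking module name: {basename}", line))
    return flags


def summarize(flags):
    """Count of flags per HJT section code."""
    return Counter(f.code for f in flags)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
    print(dict(summarize(triage_hjt(SAMPLE_HJT))))
```

On the sample this flags eight items across six section codes and leaves the AVG, Adobe and Intel entries alone. The flagged O20 line is the one to keep in mind when reading the ComboFix output later in the thread: an AppInit DLL survives a reboot and is loaded before any user-mode scanner starts, which is why crunchie moves to a tool that runs with security software switched off.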
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Rootkit activity. Not good. Let's run another tool and see what else may be lurking.
Please download ComboFix by sUBs from HERE or HERE
- You must download it to and run it from your Desktop
- Physically disconnect from the internet.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
- Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Run Combofix ONCE only!!
==
What anti-virus are you running? I see AVG in the log, but not in the running processes.
khwhitaker 0 Junior Poster
AVG daily, but it has stopped working at all; it won't even open now. That began this week. Starting the ComboFix now, thank you.
khwhitaker 0 Junior Poster
Combofix Log...
ComboFix 09-11-05.01 - Auberey 11/05/2009 19:10:56.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1055 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\$RECYCLE.BIN\S-1-5-21-2152478756-3922319563-605102323-500
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.
2009-11-06 00:21:35 . 2009-11-06 00:26:07 0 d-----w- C:\Users\Auberey\AppData\Local\temp
2009-11-06 00:21:35 . 2009-11-06 00:21:35 0 d-----w- C:\Users\Default\AppData\Local\temp
2009-11-05 22:36:21 . 2009-11-05 22:36:21 0 d-----w- C:\Program Files\Trend Micro
2009-11-05 21:19:51 . 2009-11-05 21:19:51 0 d-----w- C:\Users\Auberey\AppData\Roaming\Malwarebytes
2009-11-05 21:19:47 . 2009-09-10 19:54:06 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2009-11-05 21:19:45 . 2009-11-05 21:19:50 4096 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-05 21:19:45 . 2009-11-05 21:19:45 0 d-----w- C:\ProgramData\Malwarebytes
2009-11-05 21:19:45 . 2009-09-10 19:53:50 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-11-05 02:52:16 . 2009-11-05 02:52:16 0 d-----w- C:\Program Files\ESET
2009-11-05 00:07:36 . 2009-09-10 14:58:28 310784 ----a-w- C:\Windows\system32\unregmp2.exe
2009-11-05 00:07:33 . 2009-09-10 14:59:26 8147456 ----a-w- C:\Windows\system32\wmploc.DLL
2009-11-04 18:40:53 . 2009-08-07 02:24:08 44768 ----a-w- C:\Windows\system32\wups2.dll
2009-11-04 18:40:53 . 2009-08-07 02:24:04 53472 ----a-w- C:\Windows\system32\wuauclt.exe
2009-11-04 18:40:53 . 2009-08-07 02:23:45 1929952 ----a-w- C:\Windows\system32\wuaueng.dll
2009-11-04 18:40:53 . 2009-08-07 01:45:15 2421760 ----a-w- C:\Windows\system32\wucltux.dll
2009-11-04 18:40:36 . 2009-08-07 02:24:09 35552 ----a-w- C:\Windows\system32\wups.dll
2009-11-04 18:40:36 . 2009-08-07 02:23:52 575704 ----a-w- C:\Windows\system32\wuapi.dll
2009-11-04 18:40:36 . 2009-08-07 01:44:40 87552 ----a-w- C:\Windows\system32\wudriver.dll
2009-11-04 18:40:20 . 2009-08-07 00:23:06 171608 ----a-w- C:\Windows\system32\wuwebv.dll
2009-11-04 18:40:20 . 2009-08-06 23:44:46 33792 ----a-w- C:\Windows\system32\wuapp.exe
2009-11-01 01:54:23 . 2009-11-01 01:54:41 0 d-----w- C:\$AVG
2009-11-01 01:53:23 . 2009-11-01 01:53:26 0 d-----w- C:\ProgramData\avg9
2009-10-21 12:38:04 . 2009-10-06 12:15:57 2064152 ----a-w- C:\ProgramData\avg8\update\backup\avgcorex.dll
2009-10-21 11:37:58 . 2009-10-21 11:40:05 0 d-----w- C:\Windows\system32\ca-ES
2009-10-21 11:37:58 . 2009-10-21 11:39:58 0 d-----w- C:\Windows\system32\eu-ES
2009-10-21 11:37:55 . 2009-10-21 11:39:55 0 d-----w- C:\Windows\system32\vi-VN
2009-10-21 11:15:46 . 2009-10-21 11:15:46 0 d-----w- C:\Windows\system32\EventProviders
2009-10-20 17:12:59 . 2009-04-11 06:28:22 406528 ----a-w- C:\Windows\system32\msvcp60.dll
2009-10-20 17:11:59 . 2009-04-11 06:28:26 177664 ----a-w- C:\Windows\system32\WSDMon.dll
2009-10-20 17:10:45 . 2009-04-11 06:28:18 247808 ----a-w- C:\Windows\system32\drvstore.dll
2009-10-20 16:39:05 . 2009-09-10 16:48:01 218624 ----a-w- C:\Windows\system32\msv1_0.dll
2009-10-20 16:39:02 . 2009-08-04 12:34:19 3600456 ----a-w- C:\Windows\system32\ntkrnlpa.exe
2009-10-20 16:39:02 . 2009-08-04 12:34:19 3548216 ----a-w- C:\Windows\system32\ntoskrnl.exe
2009-10-20 16:33:06 . 2009-09-04 11:41:59 60928 ----a-w- C:\Windows\system32\msasn1.dll
2009-10-20 16:32:46 . 2009-09-14 09:29:50 144896 ----a-w- C:\Windows\system32\drivers\srv2.sys
2009-10-20 16:30:40 . 2009-05-08 12:53:00 604672 ----a-w- C:\Windows\system32\WMSPDMOD.DLL
2009-10-20 16:23:46 . 2009-10-01 14:29:14 195440 ----a-w- C:\Windows\system32\MpSigStub.exe
2009-10-20 15:47:24 . 2009-10-20 15:47:24 3584 ----a-r- C:\Users\Auberey\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-10-20 15:47:23 . 2009-10-20 15:47:23 0 d-----w- C:\Program Files\Windows Installer Clean Up
2009-10-20 15:47:00 . 2009-10-20 15:47:00 0 d-----w- C:\Program Files\MSECACHE
2009-10-20 15:28:10 . 2009-10-20 15:28:11 86016 ----a-w- C:\ProgramData\NOS\Adobe_Downloads\arh.exe
2009-10-17 12:50:49 . 2009-10-06 12:15:53 2023704 ----a-w- C:\ProgramData\avg8\update\backup\avgtray.exe
2009-10-07 13:59:27 . 2009-10-06 12:15:05 1142552 ----a-w- C:\ProgramData\avg8\update\backup\avgupd.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 00:25:06 . 2008-12-31 22:47:11 0 d-----w- C:\Users\Auberey\AppData\Roaming\WTablet
2009-11-04 23:57:55 . 2009-03-23 03:34:02 117760 ----a-w- C:\Users\Auberey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 13:17:33 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1304)
2009-11-04 12:41:39 . 2009-04-20 14:00:48 1356 ----a-w- C:\Users\Auberey\AppData\Local\d3d9caps.dat
2009-11-04 03:27:17 . 2008-09-18 16:04:06 4096 d-----w- C:\Program Files\Common Files\Adobe
2009-11-01 21:22:39 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1318)
2009-11-01 19:55:59 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1048)
2009-11-01 19:17:28 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1132)
2009-11-01 01:53:26 . 2008-09-17 13:09:58 0 d-----w- C:\Program Files\AVG
2009-10-21 11:40:50 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Calendar
2009-10-21 11:40:50 . 2006-11-02 11:18:33 4096 d-----w- C:\Program Files\Windows Mail
2009-10-21 11:40:48 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Sidebar
2009-10-21 11:40:47 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Journal
2009-10-21 11:40:47 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Collaboration
2009-10-21 11:40:43 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Photo Gallery
2009-10-21 11:40:37 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Defender
2009-10-21 11:37:46 . 2006-11-02 10:25:05 665600 ----a-w- C:\Windows\inf\drvindex.dat
2009-10-21 11:35:20 . 2009-10-21 11:35:20 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-10-20 15:52:39 . 2008-09-18 16:00:14 4096 d-----w- C:\ProgramData\NOS
2009-10-17 14:56:10 . 2008-09-17 13:11:52 4096 d-----w- C:\Program Files\SUPERAntiSpyware
2009-10-05 23:32:14 . 2008-11-01 21:34:49 3766 --sha-w- C:\ProgramData\KGyGaAvL.sys
2009-10-05 23:32:14 . 2008-11-01 21:34:49 3766 --sha-w- C:\ProgramData\KGyGaAvL.sys
2009-10-05 23:32:01 . 2008-11-01 21:34:50 168 --sha-r- C:\ProgramData\46F4CA0B28.sys
2009-10-05 23:32:01 . 2008-11-01 21:34:50 168 --sha-r- C:\ProgramData\46F4CA0B28.sys
2009-09-26 18:45:18 . 2009-09-25 01:49:22 126970 ----a-w- C:\Users\Auberey\AppData\Roaming\Move Networks\uninstall.exe
2009-09-26 18:45:18 . 2009-08-03 21:48:42 4187512 ----a-w- C:\Users\Auberey\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 01:49:21 . 2009-06-16 06:35:40 4183416 ----a-w- C:\Users\Auberey\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-09-18 03:47:05 . 2009-09-18 03:47:03 45 ----a-w- C:\Users\Auberey\jagex_runescape_preferences2.dat
2009-09-18 03:47:05 . 2009-09-18 03:46:04 37 ----a-w- C:\Users\Auberey\jagex_runescape_preferences.dat
2009-09-09 23:19:37 . 2008-09-17 10:18:53 4096 d-----w- C:\Program Files\Microsoft Silverlight
2009-09-07 22:33:39 . 2009-09-07 22:33:39 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-09-07 19:53:36 . 2006-11-02 10:32:57 101888 ----a-w- C:\Windows\system32\ifxcardm.dll
2009-09-07 19:53:33 . 2006-11-02 10:32:57 82432 ----a-w- C:\Windows\system32\axaltocm.dll
2009-09-07 19:36:16 . 2008-11-22 05:57:23 4096 d-----w- C:\Program Files\Java
2009-09-07 18:45:30 . 2009-09-07 18:45:30 0 d-----w- C:\Users\Auberey\AppData\Roaming\PeerNetworking
2009-08-29 00:27:49 . 2009-09-02 23:20:59 4240384 ----a-w- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 . 2009-09-02 23:20:57 28672 ----a-w- C:\Windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 . 2009-10-20 16:38:11 916480 ----a-w- C:\Windows\system32\wininet.dll
2009-08-27 05:17:43 . 2009-10-20 16:38:09 71680 ----a-w- C:\Windows\system32\iesetup.dll
2009-08-27 05:17:43 . 2009-10-20 16:38:09 109056 ----a-w- C:\Windows\system32\iesysprep.dll
2009-08-27 03:42:29 . 2009-10-20 16:38:09 133632 ----a-w- C:\Windows\system32\ieUnatt.exe
2009-08-26 16:43:18 . 2008-09-16 21:34:43 140960 ----a-w- C:\Users\Auberey\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 03:33:52 . 2009-08-18 03:33:52 1193832 ----a-w- C:\Windows\system32\FM20.DLL
2009-08-15 12:36:06 . 2009-02-02 14:48:34 11952 ----a-w- C:\Windows\system32\avgrsstx.dll
2009-08-15 12:36:05 . 2008-09-17 13:10:05 335240 ----a-w- C:\Windows\system32\drivers\avgldx86.sys
2009-08-15 12:36:05 . 2008-09-17 13:10:01 27784 ----a-w- C:\Windows\system32\drivers\avgmfx86.sys
2009-08-14 16:27:34 . 2009-09-09 17:40:55 904776 ----a-w- C:\Windows\system32\drivers\tcpip.sys
2009-08-14 15:53:34 . 2009-09-09 17:40:51 17920 ----a-w- C:\Windows\system32\netevent.dll
2009-08-14 13:49:20 . 2009-09-09 17:40:51 9728 ----a-w- C:\Windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 . 2009-09-09 17:40:51 17920 ----a-w- C:\Windows\system32\ROUTE.EXE
2009-08-14 13:49:18 . 2009-09-09 17:40:51 11264 ----a-w- C:\Windows\system32\MRINFO.EXE
2009-08-14 13:49:15 . 2009-09-09 17:40:52 27136 ----a-w- C:\Windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 . 2009-09-09 17:40:52 19968 ----a-w- C:\Windows\system32\ARP.EXE
2009-08-14 13:49:14 . 2009-09-09 17:40:51 8704 ----a-w- C:\Windows\system32\HOSTNAME.EXE
2009-08-14 13:49:13 . 2009-09-09 17:40:51 10240 ----a-w- C:\Windows\system32\finger.exe
2009-08-14 13:48:21 . 2009-09-09 17:40:54 30720 ----a-w- C:\Windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48:02 . 2009-09-09 17:40:54 105984 ----a-w- C:\Windows\system32\netiohlp.dll
2009-01-13 20:56:45 . 2009-01-06 22:43:10 88 --sh--r- C:\Windows\System32\46F4CA0B28.sys
2009-01-13 20:59:34 . 2009-01-06 22:43:10 952 --sha-w- C:\Windows\System32\KGyGaAvL.sys
2009-06-19 19:15:45 . 2009-06-19 19:15:45 8975 --sh--w- C:\Windows\System32\vudigoyi.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 13:55:58 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55:58 1090816 ----a-w- C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 13:55:58 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 13:55:58 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-28 12:42:59 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-06-18 18:01:34 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-06-18 18:01:26 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-06-18 18:01:30 133656]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 06:12:02 483328]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 19:53:56 1312080]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-9-19 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 14:13:36 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 13:57:20 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-11-24 14:36:54 73728 ----a-w- C:\Windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3c,a8,99,f1,43,52,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4215972033-1050644244-1932678965-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\System32\drivers\avgldx86.sys [9/17/2008 8:10:05 AM 335240]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 1:07:14 PM 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 1:07:12 PM 74480]
R1 StarPortLite;StarPort Storage Controller (Lite);C:\Windows\System32\drivers\StarPortLite.sys [10/2/2008 9:01:13 PM 93544]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [5/7/2009 6:11:20 PM 1153368]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\System32\Wacom_Tablet.exe [12/31/2008 5:43:14 PM 1373480]
R3 ti21sony;ti21sony;C:\Windows\System32\drivers\ti21sony.sys [9/16/2008 9:48:44 PM 227328]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [7/1/2009 8:20:45 AM 297752]
S2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;C:\CFusionMX7\runtime\bin\jrunsvc.exe [10/20/2008 11:20:30 AM 61440]
S2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe [10/20/2008 11:19:39 AM 2711312]
S3 fssfltr;FssFltr;C:\Windows\System32\drivers\fssfltr.sys [9/5/2009 6:17:46 PM 54632]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48:42 PM 704864]
S3 getPlus(R) Installer;getPlus(R) Installer;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [8/16/2009 5:24:57 PM 59552]
S3 getPlusHelper;getPlus(R) Helper;C:\Windows\System32\svchost.exe -k getPlusHelper [9/18/2008 7:24:33 AM 21504]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 1:07:16 PM 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 C:\Windows\Tasks\NSSstub.job
- C:\Windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-03 04:24:24 . 2009-01-03 04:24:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
BHO-{744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\Windows\system32\jkkKeCtS.dll
AddRemove-_{91CABF8F-A81C-4CB0-A1B0-D55B25F1B150} - C:\Program Files\Corel\Corel Painter X\MSILauncher {91CABF8F-A81C-4CB0-A1B0-D55B25F1B150}
khwhitaker 0 Junior Poster
HJT Log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:11 PM, on 11/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\Windows\system32\jkkKeCtS.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; Tablet PC 2.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.mofunzone.com/popups/downhill_jam.shtml"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255708832175
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Installer - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11148 bytes
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Your ComboFix log was incomplete. Please post the entire log.
==
Please go to Jotti's or to VirusTotal and have this file scanned. Post the results back here.
C:\Windows\System32\vudigoyi.exe
khwhitaker 0 Junior Poster
Because I could not open AVG, I went through Security in the Control Panel and it was turned off. I turned off all security programs, but the ComboFix log says that it was still running. No idea what is going on with it.
khwhitaker 0 Junior Poster
ComboFix 09-11-05.01 - Auberey 11/05/2009 19:10:56.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1055 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\$RECYCLE.BIN\S-1-5-21-2152478756-3922319563-605102323-500
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.
2009-11-06 00:21:35 . 2009-11-06 00:26:07 0 d-----w- C:\Users\Auberey\AppData\Local\temp
2009-11-06 00:21:35 . 2009-11-06 00:21:35 0 d-----w- C:\Users\Default\AppData\Local\temp
2009-11-05 22:36:21 . 2009-11-05 22:36:21 0 d-----w- C:\Program Files\Trend Micro
2009-11-05 21:19:51 . 2009-11-05 21:19:51 0 d-----w- C:\Users\Auberey\AppData\Roaming\Malwarebytes
2009-11-05 21:19:47 . 2009-09-10 19:54:06 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2009-11-05 21:19:45 . 2009-11-05 21:19:50 4096 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-05 21:19:45 . 2009-11-05 21:19:45 0 d-----w- C:\ProgramData\Malwarebytes
2009-11-05 21:19:45 . 2009-09-10 19:53:50 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-11-05 02:52:16 . 2009-11-05 02:52:16 0 d-----w- C:\Program Files\ESET
2009-11-05 00:07:36 . 2009-09-10 14:58:28 310784 ----a-w- C:\Windows\system32\unregmp2.exe
2009-11-05 00:07:33 . 2009-09-10 14:59:26 8147456 ----a-w- C:\Windows\system32\wmploc.DLL
2009-11-04 18:40:53 . 2009-08-07 02:24:08 44768 ----a-w- C:\Windows\system32\wups2.dll
2009-11-04 18:40:53 . 2009-08-07 02:24:04 53472 ----a-w- C:\Windows\system32\wuauclt.exe
2009-11-04 18:40:53 . 2009-08-07 02:23:45 1929952 ----a-w- C:\Windows\system32\wuaueng.dll
2009-11-04 18:40:53 . 2009-08-07 01:45:15 2421760 ----a-w- C:\Windows\system32\wucltux.dll
2009-11-04 18:40:36 . 2009-08-07 02:24:09 35552 ----a-w- C:\Windows\system32\wups.dll
2009-11-04 18:40:36 . 2009-08-07 02:23:52 575704 ----a-w- C:\Windows\system32\wuapi.dll
2009-11-04 18:40:36 . 2009-08-07 01:44:40 87552 ----a-w- C:\Windows\system32\wudriver.dll
2009-11-04 18:40:20 . 2009-08-07 00:23:06 171608 ----a-w- C:\Windows\system32\wuwebv.dll
2009-11-04 18:40:20 . 2009-08-06 23:44:46 33792 ----a-w- C:\Windows\system32\wuapp.exe
2009-11-01 01:54:23 . 2009-11-01 01:54:41 0 d-----w- C:\$AVG
2009-11-01 01:53:23 . 2009-11-01 01:53:26 0 d-----w- C:\ProgramData\avg9
2009-10-21 12:38:04 . 2009-10-06 12:15:57 2064152 ----a-w- C:\ProgramData\avg8\update\backup\avgcorex.dll
2009-10-21 11:37:58 . 2009-10-21 11:40:05 0 d-----w- C:\Windows\system32\ca-ES
2009-10-21 11:37:58 . 2009-10-21 11:39:58 0 d-----w- C:\Windows\system32\eu-ES
2009-10-21 11:37:55 . 2009-10-21 11:39:55 0 d-----w- C:\Windows\system32\vi-VN
2009-10-21 11:15:46 . 2009-10-21 11:15:46 0 d-----w- C:\Windows\system32\EventProviders
2009-10-20 17:12:59 . 2009-04-11 06:28:22 406528 ----a-w- C:\Windows\system32\msvcp60.dll
2009-10-20 17:11:59 . 2009-04-11 06:28:26 177664 ----a-w- C:\Windows\system32\WSDMon.dll
2009-10-20 17:10:45 . 2009-04-11 06:28:18 247808 ----a-w- C:\Windows\system32\drvstore.dll
2009-10-20 16:39:05 . 2009-09-10 16:48:01 218624 ----a-w- C:\Windows\system32\msv1_0.dll
2009-10-20 16:39:02 . 2009-08-04 12:34:19 3600456 ----a-w- C:\Windows\system32\ntkrnlpa.exe
2009-10-20 16:39:02 . 2009-08-04 12:34:19 3548216 ----a-w- C:\Windows\system32\ntoskrnl.exe
2009-10-20 16:33:06 . 2009-09-04 11:41:59 60928 ----a-w- C:\Windows\system32\msasn1.dll
2009-10-20 16:32:46 . 2009-09-14 09:29:50 144896 ----a-w- C:\Windows\system32\drivers\srv2.sys
2009-10-20 16:30:40 . 2009-05-08 12:53:00 604672 ----a-w- C:\Windows\system32\WMSPDMOD.DLL
2009-10-20 16:23:46 . 2009-10-01 14:29:14 195440 ----a-w- C:\Windows\system32\MpSigStub.exe
2009-10-20 15:47:24 . 2009-10-20 15:47:24 3584 ----a-r- C:\Users\Auberey\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-10-20 15:47:23 . 2009-10-20 15:47:23 0 d-----w- C:\Program Files\Windows Installer Clean Up
2009-10-20 15:47:00 . 2009-10-20 15:47:00 0 d-----w- C:\Program Files\MSECACHE
2009-10-20 15:28:10 . 2009-10-20 15:28:11 86016 ----a-w- C:\ProgramData\NOS\Adobe_Downloads\arh.exe
2009-10-17 12:50:49 . 2009-10-06 12:15:53 2023704 ----a-w- C:\ProgramData\avg8\update\backup\avgtray.exe
2009-10-07 13:59:27 . 2009-10-06 12:15:05 1142552 ----a-w- C:\ProgramData\avg8\update\backup\avgupd.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 00:25:06 . 2008-12-31 22:47:11 0 d-----w- C:\Users\Auberey\AppData\Roaming\WTablet
2009-11-04 23:57:55 . 2009-03-23 03:34:02 117760 ----a-w- C:\Users\Auberey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 13:17:33 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1304)
2009-11-04 12:41:39 . 2009-04-20 14:00:48 1356 ----a-w- C:\Users\Auberey\AppData\Local\d3d9caps.dat
2009-11-04 03:27:17 . 2008-09-18 16:04:06 4096 d-----w- C:\Program Files\Common Files\Adobe
2009-11-01 21:22:39 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1318)
2009-11-01 19:55:59 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1048)
2009-11-01 19:17:28 . 2008-09-17 13:09:56 0 d-----w- C:\ProgramData\avg8(1132)
2009-11-01 01:53:26 . 2008-09-17 13:09:58 0 d-----w- C:\Program Files\AVG
2009-10-21 11:40:50 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Calendar
2009-10-21 11:40:50 . 2006-11-02 11:18:33 4096 d-----w- C:\Program Files\Windows Mail
2009-10-21 11:40:48 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Sidebar
2009-10-21 11:40:47 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Journal
2009-10-21 11:40:47 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Collaboration
2009-10-21 11:40:43 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Photo Gallery
2009-10-21 11:40:37 . 2006-11-02 12:37:34 4096 d-----w- C:\Program Files\Windows Defender
2009-10-21 11:37:46 . 2006-11-02 10:25:05 665600 ----a-w- C:\Windows\inf\drvindex.dat
2009-10-21 11:35:20 . 2009-10-21 11:35:20 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-10-20 15:52:39 . 2008-09-18 16:00:14 4096 d-----w- C:\ProgramData\NOS
2009-10-17 14:56:10 . 2008-09-17 13:11:52 4096 d-----w- C:\Program Files\SUPERAntiSpyware
2009-10-05 23:32:14 . 2008-11-01 21:34:49 3766 --sha-w- C:\ProgramData\KGyGaAvL.sys
2009-10-05 23:32:14 . 2008-11-01 21:34:49 3766 --sha-w- C:\ProgramData\KGyGaAvL.sys
2009-10-05 23:32:01 . 2008-11-01 21:34:50 168 --sha-r- C:\ProgramData\46F4CA0B28.sys
2009-10-05 23:32:01 . 2008-11-01 21:34:50 168 --sha-r- C:\ProgramData\46F4CA0B28.sys
2009-09-26 18:45:18 . 2009-09-25 01:49:22 126970 ----a-w- C:\Users\Auberey\AppData\Roaming\Move Networks\uninstall.exe
2009-09-26 18:45:18 . 2009-08-03 21:48:42 4187512 ----a-w- C:\Users\Auberey\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 01:49:21 . 2009-06-16 06:35:40 4183416 ----a-w- C:\Users\Auberey\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-09-18 03:47:05 . 2009-09-18 03:47:03 45 ----a-w- C:\Users\Auberey\jagex_runescape_preferences2.dat
2009-09-18 03:47:05 . 2009-09-18 03:46:04 37 ----a-w- C:\Users\Auberey\jagex_runescape_preferences.dat
2009-09-09 23:19:37 . 2008-09-17 10:18:53 4096 d-----w- C:\Program Files\Microsoft Silverlight
2009-09-07 22:33:39 . 2009-09-07 22:33:39 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-09-07 19:53:36 . 2006-11-02 10:32:57 101888 ----a-w- C:\Windows\system32\ifxcardm.dll
2009-09-07 19:53:33 . 2006-11-02 10:32:57 82432 ----a-w- C:\Windows\system32\axaltocm.dll
2009-09-07 19:36:16 . 2008-11-22 05:57:23 4096 d-----w- C:\Program Files\Java
2009-09-07 18:45:30 . 2009-09-07 18:45:30 0 d-----w- C:\Users\Auberey\AppData\Roaming\PeerNetworking
2009-08-29 00:27:49 . 2009-09-02 23:20:59 4240384 ----a-w- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 . 2009-09-02 23:20:57 28672 ----a-w- C:\Windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 . 2009-10-20 16:38:11 916480 ----a-w- C:\Windows\system32\wininet.dll
2009-08-27 05:17:43 . 2009-10-20 16:38:09 71680 ----a-w- C:\Windows\system32\iesetup.dll
2009-08-27 05:17:43 . 2009-10-20 16:38:09 109056 ----a-w- C:\Windows\system32\iesysprep.dll
2009-08-27 03:42:29 . 2009-10-20 16:38:09 133632 ----a-w- C:\Windows\system32\ieUnatt.exe
2009-08-26 16:43:18 . 2008-09-16 21:34:43 140960 ----a-w- C:\Users\Auberey\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 03:33:52 . 2009-08-18 03:33:52 1193832 ----a-w- C:\Windows\system32\FM20.DLL
2009-08-15 12:36:06 . 2009-02-02 14:48:34 11952 ----a-w- C:\Windows\system32\avgrsstx.dll
2009-08-15 12:36:05 . 2008-09-17 13:10:05 335240 ----a-w- C:\Windows\system32\drivers\avgldx86.sys
2009-08-15 12:36:05 . 2008-09-17 13:10:01 27784 ----a-w- C:\Windows\system32\drivers\avgmfx86.sys
2009-08-14 16:27:34 . 2009-09-09 17:40:55 904776 ----a-w- C:\Windows\system32\drivers\tcpip.sys
2009-08-14 15:53:34 . 2009-09-09 17:40:51 17920 ----a-w- C:\Windows\system32\netevent.dll
2009-08-14 13:49:20 . 2009-09-09 17:40:51 9728 ----a-w- C:\Windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 . 2009-09-09 17:40:51 17920 ----a-w- C:\Windows\system32\ROUTE.EXE
2009-08-14 13:49:18 . 2009-09-09 17:40:51 11264 ----a-w- C:\Windows\system32\MRINFO.EXE
2009-08-14 13:49:15 . 2009-09-09 17:40:52 27136 ----a-w- C:\Windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 . 2009-09-09 17:40:52 19968 ----a-w- C:\Windows\system32\ARP.EXE
2009-08-14 13:49:14 . 2009-09-09 17:40:51 8704 ----a-w- C:\Windows\system32\HOSTNAME.EXE
2009-08-14 13:49:13 . 2009-09-09 17:40:51 10240 ----a-w- C:\Windows\system32\finger.exe
2009-08-14 13:48:21 . 2009-09-09 17:40:54 30720 ----a-w- C:\Windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48:02 . 2009-09-09 17:40:54 105984 ----a-w- C:\Windows\system32\netiohlp.dll
2009-01-13 20:56:45 . 2009-01-06 22:43:10 88 --sh--r- C:\Windows\System32\46F4CA0B28.sys
2009-01-13 20:59:34 . 2009-01-06 22:43:10 952 --sha-w- C:\Windows\System32\KGyGaAvL.sys
2009-06-19 19:15:45 . 2009-06-19 19:15:45 8975 --sh--w- C:\Windows\System32\vudigoyi.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 13:55:58 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55:58 1090816 ----a-w- C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 13:55:58 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 13:55:58 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-28 12:42:59 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-06-18 18:01:34 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-06-18 18:01:26 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-06-18 18:01:30 133656]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 06:12:02 483328]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 19:53:56 1312080]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-9-19 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 14:13:36 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 13:57:20 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-11-24 14:36:54 73728 ----a-w- C:\Windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3c,a8,99,f1,43,52,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4215972033-1050644244-1932678965-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\System32\drivers\avgldx86.sys [9/17/2008 8:10:05 AM 335240]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 1:07:14 PM 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 1:07:12 PM 74480]
R1 StarPortLite;StarPort Storage Controller (Lite);C:\Windows\System32\drivers\StarPortLite.sys [10/2/2008 9:01:13 PM 93544]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [5/7/2009 6:11:20 PM 1153368]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\System32\Wacom_Tablet.exe [12/31/2008 5:43:14 PM 1373480]
R3 ti21sony;ti21sony;C:\Windows\System32\drivers\ti21sony.sys [9/16/2008 9:48:44 PM 227328]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [7/1/2009 8:20:45 AM 297752]
S2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;C:\CFusionMX7\runtime\bin\jrunsvc.exe [10/20/2008 11:20:30 AM 61440]
S2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe [10/20/2008 11:19:39 AM 2711312]
S3 fssfltr;FssFltr;C:\Windows\System32\drivers\fssfltr.sys [9/5/2009 6:17:46 PM 54632]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48:42 PM 704864]
S3 getPlus(R) Installer;getPlus(R) Installer;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [8/16/2009 5:24:57 PM 59552]
S3 getPlusHelper;getPlus(R) Helper;C:\Windows\System32\svchost.exe -k getPlusHelper [9/18/2008 7:24:33 AM 21504]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 1:07:16 PM 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 C:\Windows\Tasks\NSSstub.job
- C:\Windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-03 04:24:24 . 2009-01-03 04:24:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
BHO-{744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\Windows\system32\jkkKeCtS.dll
AddRemove-_{91CABF8F-A81C-4CB0-A1B0-D55B25F1B150} - C:\Program Files\Corel\Corel Painter X\MSILauncher {91CABF8F-A81C-4CB0-A1B0-D55B25F1B150}
sorry, hope this one is complete
Edited by mike_2000_17 because: Fixed formatting
khwhitaker 0 Junior Poster
My husband was watching it and said that it shut itself down a couple of minutes after it had finished and something about a dump file, but it went too fast for him to read it. Would it be in the event log?
MCSChiefTech 0 Newbie Poster
Hey! Thanks for getting back so quickly!
I'm only okay at reading HJT logs, but as a general rule of thumb I've found, anything that doesn't have a name is bad news, and anything that doesn't look familiar, google search it. :)
By this logic, the following look suspicious to me:
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\Windows\system32\jkkKeCtS.dll (file missing)
I'm not too sure about this one:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
Upon google searches, it seems to be part of Adobe something or other, but it's curious that it's unlabeled...
This one checks out on a google search as part of spyware doctor:
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
My suggestion would be to fix the R3 and 2 O2s I mentioned above and see if that helps.
Everything else I read through looks about right to me.
Let us know how that turns out!
--John, MCS
A+ Certified
Edited by MCSChiefTech because: n/a
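As an added illustration of the rule of thumb in the post above (this is not John's code or any tool used in the thread): a small Python triage pass over the HijackThis lines he quoted, flagging entries that carry "(no name)", whose registered component has no file on disk, or whose O16 DPF entry lists no download source. The sample log is the set of lines quoted in the post; the section/CLSID patterns and the reason labels are my assumptions.

```python
import re

# HijackThis lines quoted in the post above, embedded here as the sample input.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {744EC540-7CAC-4B6A-8581-CBD7CC81024B} - C:\\Windows\\system32\\jkkKeCtS.dll (file missing)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
"""

# Shape of an HJT entry: "<section> - <kind>: <rest>" (sections R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<kind>[^:]+): ?(?P<rest>.*)$")
# A COM class id in registry form, e.g. {744EC540-7CAC-4B6A-8581-CBD7CC81024B}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage_line(line):
    """Return (section, clsid, reasons) for one HJT line, or None if the line
    is not an HJT entry. reasons is an empty list when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    reasons = []
    if "(no name)" in rest:
        # Legitimate add-ons normally register a display name; an unnamed
        # entry is worth looking up, but is not proof of malware on its own.
        reasons.append("unnamed entry")
    if "(no file)" in rest or "(file missing)" in rest:
        # Registration that points at nothing: either leftovers from a removal
        # or a component that was deleted while its hook remained.
        reasons.append("registered component has no file on disk")
    if m.group("section") == "O16" and rest.rstrip().endswith("-"):
        # Downloaded Program Files entries normally end with the source URL.
        reasons.append("DPF control with no download source")
    clsid = CLSID_RE.search(rest)
    return m.group("section"), clsid.group(0).upper() if clsid else None, reasons


def triage_log(text):
    """Map each HJT line that raised at least one reason to its reasons.
    Insertion order follows the log, so results read top to bottom."""
    findings = {}
    for line in text.splitlines():
        result = triage_line(line)
        if result and result[2]:
            findings[line.strip()] = result[2]
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```

The last sample line (the Spybot SDHelper.dll button) is flagged only as unnamed, which matches the post: the heuristic narrows the list, and the remaining entries still need a vendor lookup before anything is fixed.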
MCSChiefTech 0 Newbie Poster
my husband was watching it and said that it shut itself down a couple of minutes after it had finished and something about a dump file but it went too fast for him to read it. Would it be in the event log?
Was it a Blue Screen?
There are a few things I'd suggest here.
To keep it from restarting in the future, so you can read and WRITE DOWN the exact error (and the hex IE: 0x0000000, 0x231HD77 etc... code) for us, go Start orb>Right click "Computer">Properties>Advanced system settings (on the left)>Advanced tab>Startup and Recovery>Under "System failure" uncheck "automatically restart"
There should be some data in the log as well. This link will help you help us:
http://www.bleepingcomputer.com/forums/topic40108.html
I think it's for Windows XP, but it is similar enough that it should be straightforward.
Let us know what you find or if you need more help!
I'm going to be out for a while tonight, so I may not be able to check back for a while, but you're in good hands here on Daniweb. :)
Good luck!
--John, MCS
A+ Certified
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
my husband was watching it and said that it shut itself down a couple of minutes after it had finished and something about a dump file but it went too fast for him to read it. Would it be in the event log?
Looks like the same log as before still with the end missing. The log can be found in C:\Qoobox.
Did you manage to upload that file for a scan? I need you to do that before we go further.
Although I appreciate the assistance, I will ask you to follow my instructions here or we can end up in confusion.
khwhitaker 0 Junior Poster
Your combofix log was incomplete. Please post the entire log.
==
Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.
C:\Windows\System32\vudigoyi.exe
This file is not in the folder at this point?
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
That looks like a question that only you can answer :). You need to take a look. It may be hidden, so you will need to uncheck that option in Folder Options.
Alternatively, you could copy/paste the full path into the line at Jotti's.
khwhitaker 0 Junior Poster
Looks like the same log as before still with the end missing. The log can be found in C:\Qoobox.
Did you manage to upload that file for a scan? I need you to do that before we go further.
Although I appreciate the assistance, I will ask you to follow my instructions here or we can end up in confusion.
txt file in C:\Qoobox...
2009-11-06 00:35:56 . 2009-11-06 00:35:56 1,270 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-_{91CABF8F-A81C-4CB0-A1B0-D55B25F1B150}.reg.dat
2009-11-06 00:35:18 . 2009-11-06 00:35:18 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{744EC540-7CAC-4B6A-8581-CBD7CC81024B}.reg.dat
2009-11-06 00:19:55 . 2009-11-06 00:19:55 900 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_TDSSSERV.SYS.reg.dat
2009-11-06 00:19:02 . 2009-11-06 00:19:02 6,535 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-06 00:05:18 . 2009-11-06 00:10:56 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
If that is all that is there, it looks like it's gone.
Try the online scan for me for now then.
khwhitaker 0 Junior Poster
That looks like a question that only you can answer :). You need to take a look. It may be hidden, so you will need to uncheck that option in Folder Options.
Alternatively, you could copy/paste the full path into the line at Jotti's.
File was hidden :). Ran it through both scanners; nothing found in either one. Running online scan now.
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
I still do not like the look of it.
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
FileLook::
C:\Windows\System32\vudigoyi.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif
7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Edited by crunchie because: n/a
khwhitaker 0 Junior Poster
Will complete the above. In the mean time here is the online scanner log...
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 03:53:02
# local_time=2009-11-04 10:53:02 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 93997415 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196917
# found=0
# cleaned=0
# scan_time=3294
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-05 01:01:57
# local_time=2009-11-05 08:01:57 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94030234 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=196139
# found=0
# cleaned=0
# scan_time=3410
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1f641c9b381f4a418a2d939f1b97b45a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-11-06 02:54:45
# local_time=2009-11-05 09:54:45 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 0 94080213 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=194134
# found=0
# cleaned=0
# scan_time=3399
khwhitaker 0 Junior Poster
On doing the run I receive an error message stating...
"This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel."
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
That's a bit strange considering it has already run. Try the remedy given at http://keznews.com/4558_Restore_and_Reset_File_Association_in_Windows_Vista for restoring file associations and try combofix again.