I previously had a security package (Charter Security Suite) installed but moved to an area where Charter services are not available. Instead of using the program's Uninstall function I used the Windows Add/Remove function. Now the firewall is still on and I cannot turn it off. The Control Panel/Security window shows Firewall On, and expanding it says Charter Security Suite 6.15 is on. There seems to be no way to turn it off. The problem this causes is I cannot receive incoming communications such as updates, virus updates, etc. and always receive an error message that I am not connected to the internet.
mmobilman 0 Newbie Poster
jholland1964 650 Posting Expert Team Colleague Featured Poster
From what I could find this thing can be a real @#%@! to remove.
Have you looked for its program file? Maybe there is an uninstaller in there.
Have you tried in Safe Mode?
techsheaven 45 Posting Pro in Training
The best solution would be to try to reinstall the software and uninstall it again, but it is probably not an option for you...
You will need to go to another computer and download autoruns to a USB Flash Drive (or media of your choice):
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
If you don't have access to another PC, you could try to disable it like this:
Hold down the Windows key and press R.
Type msconfig in the text box and hit ENTER.
Check the Services tab and the Startup tab for the unwanted program.
Deselect the check box next to each entry (there may be several).
Click OK.
Restart.
After the restart, check the box to not show the Microsoft Configuration Utility again.
Click OK.
Post back here with your results
Good Luck
jholland1964 650 Posting Expert Team Colleague Featured Poster
How about doing a System Scan with HiJackThis and posting the log here. We very likely then can give you the names and locations of the files you need to stop from running.
Get HiJackThis Version 2.0.4 from http://free.antivirus.com/hijackthis/
Open the program and Run a System Scan and save the log.
Copy/Paste the log back here and we can take a look.
Biker920 0 Posting Whiz in Training Featured Poster
Charter Security Suite is developed by F-Secure Corporation. The most popular version of this product is 1.0. The names of program executable files are fsavgui.exe, fscuif.exe. Maybe this will help when you people start hunting files to kill. Later---
mmobilman 0 Newbie Poster
I cannot reinstall the program because Charter says I am not a current subscriber. I tried the msconfig procedure and that did not turn the firewall off. I tried the autorun procedure and there were two F-Secure files that could not be removed because the files could not be found. The firewall is still on and blocking me. My next step will be to use the Hijackthis program. I'll post the results when I get them.
mmobilman 0 Newbie Poster
Logfile of HijackThis v1.99.1
Scan saved at 10:14:39 AM, on 6/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\Program Files\Linksys\WMP110\WMP110.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jack Davis\Desktop\Downloads\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - C:\Program Files\Gamevance\gamevancelib32.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - c:\program files\billeo\billeo.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Gamevance Text - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - c:\program files\billeo\billeo.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WMP110] C:\Program Files\Linksys\WMP110\WMP110.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - c:\program files\billeo\billeo.dll (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.att.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: GTWPSSRV (GTWPSService) - Unknown owner - C:\Program Files\Linksys\WMP110\gtwpssrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Linksys\WMP110\jswpsapi.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WLSng Service - TODO: <Company name> - C:\Program Files\Linksys\WMP110\WLSngS.exe
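The log above is the kind of thing the helpers in this thread read by hand. As an added example (not part of the thread and not a HijackThis or DaniWeb tool), here is a small Python triage script that applies the same checks mechanically: it flags the O10 line, which reports a Winsock LSP entry pointing at a DLL that no longer exists (winsflt.dll is F-Secure's Winsock filter; a broken LSP chain fails every Winsock client, which matches the "not connected to the internet" symptom, and on XP SP2 and later `netsh winsock reset` rebuilds the catalog), plus orphaned registrations marked "(no file)" or "(file missing)", services with no recognisable vendor string, and Run entries that are bare filenames rather than absolute paths. The sample lines are copied from the posted log; the `WATCHLIST` names are an assumption taken from the Malwarebytes log later in this thread.

```python
import re

# Constructed subset of the HijackThis v1.99.1 log posted in this thread.
SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - C:\\Program Files\\Gamevance\\gamevancelib32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\\..\\Run: [WMP110] C:\\Program Files\\Linksys\\WMP110\\WMP110.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O23 - Service: GTWPSSRV (GTWPSService) - Unknown owner - C:\\Program Files\\Linksys\\WMP110\\gtwpssrv.exe
O23 - Service: WLSng Service - TODO: <Company name> - C:\\Program Files\\Linksys\\WMP110\\WLSngS.exe
"""

# Every HJT entry line starts with a section code (R0-R3, F0-F3, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Markers HJT prints when a registered file is absent from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption: names flagged as adware by the Malwarebytes log in this thread, not a vendor list.
WATCHLIST = ("gamevance", "mywebsearch")


def parse_hjt(text):
    """Return (code, body) tuples for each HJT entry line, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Return (severity, code, reason, body) findings for entries worth a second look."""
    findings = []
    for code, body in entries:
        lower = body.lower()
        if code == "O10" and "missing" in lower:
            findings.append(("critical", code,
                             "Winsock LSP chain references a missing DLL; every socket-based "
                             "program fails until the catalog is repaired", body))
        elif any(marker in lower for marker in ORPHAN_MARKERS):
            findings.append(("cleanup", code,
                             "registration points at a file that no longer exists", body))
        elif code == "O23" and ("unknown owner" in lower or "todo:" in lower):
            findings.append(("review", code,
                             "service binary carries no recognisable vendor string", body))
        elif code == "O4":
            # Text after the [name] bracket is the command; a bare filename is resolved
            # through the search path at logon, so it can be shadowed by a planted file.
            target = body.split("]", 1)[-1].strip()
            if not re.match(r"^[A-Za-z]:\\", target):
                findings.append(("review", code,
                                 "autorun target is not an absolute path", body))
        if any(name in lower for name in WATCHLIST):
            findings.append(("adware", code,
                             "matches a name flagged as adware elsewhere in this thread", body))
    return findings


def summarize(findings):
    """Count findings per severity so a reader sees the shape of the log at a glance."""
    counts = {}
    for severity, _code, _reason, _body in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_HJT))
    for severity, code, reason, body in results:
        print(f"[{severity:8}] {code}: {reason}\n           {body}")
    print(summarize(results))
```

The O10 check is the one that matters for the original question: an LSP that cannot be loaded explains the connectivity error regardless of what the Security Center applet says about the firewall. The other checks are cleanup and review hints, not verdicts; an orphaned BHO is harmless clutter, and an unsigned service still needs its binary looked at before anything is removed.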
jholland1964 650 Posting Expert Team Colleague Featured Poster
That is probably a three-year-old version of HiJackThis. Where did you get it? That isn't the one from the link I gave you above.
It won't give a good reading at all. You need to delete or uninstall that one, download the newest version, and run another System Scan.
Get HiJackThis Version 2.0.4 from http://free.antivirus.com/hijackthis/
But even looking at this log it shows NO firewall and NO anti-virus program running on the computer.
Download the newest version and run another scan.
You really need to run the programs in our Read Me sticky. You have quite a few nasty items on there; even looking at this very old HJT version, that is obvious. The computer is out of date for sure, and Java is way out of date.
Download this program, run it and post back with the small log it will provide.
But FIRST:
Download Security Check by screen317 from here http://screen317.spywareinfoforum.org/SecurityCheck.exe or here http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
mmobilman 0 Newbie Poster
Logfile of Security Check......
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
AVG Anti-Rootkit Free
OneCare Advisor (Windows Live Toolbar)
iolo technologies' Search and Recover 3
```````````````````````````````
Anti-malware/Other Utilities Check:
MVPS Hosts File
Out of date HijackThis installed!
Windows Defender
Windows Defender Signatures
AVG Anti-Rootkit Free
HijackThis 1.99.1
CCleaner (remove only)
Java(TM) SE Runtime Environment 6 Update 1
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.6
Out of date Adobe Reader installed!
Mozilla Firefox (3.0.8) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Windows Defender MsMpEng.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
Log file of Hijackthis 2.0.4
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:55:40 AM, on 6/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\Program Files\Linksys\WMP110\WMP110.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\wuauclt.exe
I understand that no firewall is shown, but Control Panel/Security/Firewall expanded shows "Security Suite 6.15 is on"
jholland1964 650 Posting Expert Team Colleague Featured Poster
That isn't the whole log. You have posted only the top portion.
Your computer is GROSSLY out of date. That Security Check log shows that. It shows no anti-virus program, no firewall, AVG Anti-Rootkit Free (which is NO LONGER available as a stand-alone product, so it is way out of date), out of date Firefox, and way out of date Java.
Even though it "shows" that Security Suite 6.15 is on, it doesn't show anywhere in the logs you have posted, and it WOULD show.
Your computer is so out of date it is likely there is infection/malware on there, the original HJT log you posted showed that for certain.
You need to follow the steps in our Read Me Sticky
http://www.daniweb.com/forums/thread134865.html
mmobilman 0 Newbie Poster
I am doing as you indicated and will get back to you after finishing the Read Me Sticky.
jholland1964 650 Posting Expert Team Colleague Featured Poster
I will be happy to read all the logs when they are posted.
mmobilman 0 Newbie Poster
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4169
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/4/2010 4:33:18 PM
mbam-log-2010-06-04 (16-33-18).txt
Scan type: Full scan (C:\|)
Objects scanned: 265035
Time elapsed: 1 hour(s), 14 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 19
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{014c4232-6904-47b9-9144-7e0fb7277444} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0ab02d6c-f605-425f-b7cb-b9e96c9faf1e} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{32864a05-9d09-472c-abd0-081818ec713b} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PCClear_Plus_Global (Rogue.PCClearPlus) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Delete on reboot.
Files Infected:
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Delete on reboot.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-04 11:35:33
Windows 5.1.2600 Service Pack 3
Running: otgi11nq.exe; Driver: C:\DOCUME~1\JACKDA~1\LOCALS~1\Temp\pxtdypow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 15:10:08
Windows 5.1.2600 Service Pack 3
Running: otgi11nq.exe; Driver: C:\DOCUME~1\JACKDA~1\LOCALS~1\Temp\pxtdypow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
Device \FileSystem\Fastfat \Fat ED7F2D20
Device \FileSystem\Fastfat \Fat ED802428
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jack Davis at 16:41:16.29 on Fri 06/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.564 [GMT -5:00]
AV: Charter High-Speed Security Suite 6.15 *On-access scanning enabled* (Outdated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Charter High-Speed Security Suite 6.15 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys\WMP110\WMP110.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jack Davis\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Page = hxxp://google.icq.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} -
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Billeo: {465e08e7-f005-4389-980f-1d8764b3486c} - c:\program files\billeo\billeo.dll
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\windows\COUPON~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Billeo: {6adb0f93-1aa5-4bcf-9df4-cea689a3c111} - c:\program files\billeo\billeo.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\windows\CouponBarIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} -
TB: {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Fix-It AV] c:\progra~1\vcom\fix-it\MemCheck.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WMP110] c:\program files\linksys\wmp110\WMP110.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billeo.lnk - c:\program files\billeo\billeo.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: &Block this popup
IE: &Copy Location - c:\windows\web\graburl.htm
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {1F958B09-3312-7f0e-9723-4C1324C57B20}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760}
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760}
IE: {300DB664-75B5-47c0-8B45-A44ACCF73C00} - {0928F506-07E8-470c-979D-147C296D4879}
IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
LSP: winsflt.dll
Trusted Zone: musicmatch.com\online
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.att.net/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: HookRC Class: {a5780613-492e-4a2a-a7fd-549610edf6cc} - c:\program files\vcom\recovery commander\RCHOOK.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\jackda~1\applic~1\mozilla\firefox\profiles\qcjv76j7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.thedailytimes.com/section/pub
FF - component: c:\program files\mozilla firefox\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeotoolbar.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPPGWrap.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2007-12-29 4064]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-5-7 3968]
R2 GTWPSService;GTWPSSRV;c:\program files\linksys\wmp110\gtwpssrv.exe [2009-3-15 34816]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WLSng Service;WLSng Service;c:\program files\linksys\wmp110\WLSngS.exe [2009-3-15 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-3-15 57344]
R3 WMP110v2;Linksys WMP110 RangePlus Wireless PCI Adapter Wireless Driver;c:\windows\system32\drivers\WMP110v2.sys [2009-3-15 625024]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\linksys\wmp110\jswpsapi.exe [2009-3-15 352338]
============== File Associations ===============
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
=============== Created Last 30 ================
2010-06-04 20:16:21 0 d-----w- c:\docume~1\jackda~1\applic~1\Malwarebytes
2010-06-04 20:15:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 20:15:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 20:15:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 20:15:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-01 19:29:21 0 d-----w- c:\docume~1\jackda~1\applic~1\PCMM2010
==================== Find3M ====================
2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2007-05-12 15:33:58 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-08-04 11:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2006-09-07 14:37:32 10240 --sha-w- c:\windows\rnapxs\rnapxs.dat
2006-05-23 13:48:56 152 --sh--r- c:\windows\system32\3E9D3B08BB.sys
2006-05-05 18:11:56 88 --sh--r- c:\windows\system32\BB083B9D3E.sys
2006-05-23 13:48:59 6686 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-10-02 16:05:07 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat
============= FINISH: 16:42:09.79 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/15/2006 11:24:01 AM
System Uptime: 6/4/2010 4:35:38 PM (0 hours ago)
Motherboard: Dell Computer Corp. | | 0WF887
Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 31.895 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1501: 4/10/2010 8:55:31 AM - Software Distribution Service 3.0
RP1502: 4/10/2010 10:25:00 PM - Software Distribution Service 3.0
RP1503: 4/13/2010 7:15:10 AM - Software Distribution Service 3.0
RP1504: 4/14/2010 10:25:51 PM - Software Distribution Service 3.0
RP1505: 4/15/2010 12:42:41 PM - Software Distribution Service 3.0
RP1506: 4/20/2010 6:13:37 AM - Software Distribution Service 3.0
RP1507: 4/23/2010 8:01:19 AM - Software Distribution Service 3.0
RP1508: 4/27/2010 8:20:52 AM - Software Distribution Service 3.0
RP1509: 4/30/2010 8:34:03 AM - Software Distribution Service 3.0
RP1510: 5/4/2010 8:05:19 AM - Software Distribution Service 3.0
RP1511: 5/6/2010 12:29:04 PM - Software Distribution Service 3.0
RP1512: 5/12/2010 2:59:37 PM - Software Distribution Service 3.0
RP1513: 5/12/2010 10:30:24 PM - Software Distribution Service 3.0
RP1514: 5/13/2010 12:51:32 PM - Software Distribution Service 3.0
RP1515: 5/18/2010 7:39:15 AM - Software Distribution Service 3.0
RP1516: 5/20/2010 8:54:01 AM - Software Distribution Service 3.0
RP1517: 5/25/2010 7:19:41 AM - Software Distribution Service 3.0
RP1518: 5/27/2010 3:00:18 AM - Software Distribution Service 3.0
RP1519: 5/27/2010 10:22:26 PM - Software Distribution Service 3.0
RP1520: 6/1/2010 7:35:00 AM - Software Distribution Service 3.0
RP1521: 6/4/2010 3:21:11 AM - Software Distribution Service 3.0
==== Installed Programs ======================
123 Free Solitaire
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe PhotoDeluxe 2.0
Adobe Reader 8.1.6
Adobe Type Manager 4.0
Adobe® Photoshop® Album Starter Edition 3.0
jholland1964 650 Posting Expert Team Colleague Featured Poster
Note to others reading this thread: these instructions are for THIS computer ONLY. This tool is NEVER to be used unless first instructed to do so by a helper.
Please download ComboFix by sUBs from HERE
· You must download it to and run it from your Desktop
· Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
· Double click combofix.exe & follow the prompts.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
Run Combofix ONCE only!!
· When finished, it will produce a log. Please save that log to post in your next reply.
mmobilman 0 Newbie Poster
I received a message that Charter Security Suite was activated and to disable it before ComboFix could finish. That is the one thing I can NOT do.
jholland1964 650 Posting Expert Team Colleague Featured Poster
Have you done a file search for Charter Security?
mmobilman 0 Newbie Poster
There is a folder in Program Files named Charter Security Suite. There are several folders, most of them empty. There are six files not in folders: fsdeph.dll; fsisu.dll; fsisuNT.dll; fsld32.dll; fsuninst.ENG; and install. None of the files can be deleted because they are "full or write-protected". What would happen if I reinstalled XP?
jholland1964 650 Posting Expert Team Colleague Featured Poster
You say the install file is there? See if that works.
mmobilman 0 Newbie Poster
It is not an .exe file. Clicking on it returns the following data:
[Files]
fsisu.dll=1
fsisuNT.dll=1
fsld32.dll=1
fsuninst.exe=1
fsuninst.ENG=1
fsdeph.dll=1
[FSUNINST]
F-Secure Management Agent=1
F-Secure Anti-Virus=1
F-Secure Internet Shield=1
F-Secure Web Filter=1
F-Secure TNB=1
F-Secure Diagnostics=1
F-Secure E-mail Scanning=1
F-Secure FWES=1
F-Secure GUI=1
F-Secure Spam Scanner=1
F-Secure Spam Control=1
F-Secure Anti-Spyware=1
F-Secure DAAS=1
F-Secure Anti-Virus Client Security Installer=1
F-Secure Anti-Spyware Scanner=1
F-Secure Help=1
News Service=1
[F-Secure Management Agent]
UninstallerFileName=fsuninst.exe
[F-Secure Anti-Virus]
UninstallerFileName=fsuninst.exe
[F-Secure Internet Shield]
UninstallerFileName=fsuninst.exe
[F-Secure Web Filter]
UninstallerFileName=fsuninst.exe
[F-Secure TNB]
UninstallerFileName=fsuninst.exe
[F-Secure Diagnostics]
UninstallerFileName=fsuninst.exe
[F-Secure E-mail Scanning]
UninstallerFileName=fsuninst.exe
[F-Secure FWES]
UninstallerFileName=fsuninst.exe
[F-Secure GUI]
UninstallerFileName=fsuninst.exe
[F-Secure Spam Scanner]
UninstallerFileName=fsuninst.exe
[F-Secure Spam Control]
UninstallerFileName=fsuninst.exe
[F-Secure Anti-Spyware]
UninstallerFileName=fsuninst.exe
[F-Secure DAAS]
UninstallerFileName=fsuninst.exe
[F-Secure Anti-Virus Client Security Installer]
UninstallerFileName=fsuninst.exe
[F-Secure Anti-Spyware Scanner]
UninstallerFileName=fsuninst.exe
[F-Secure Help]
UninstallerFileName=fsuninst.exe
[News Service]
UninstallerFileName=fsuninst.exe
jholland1964 650 Posting Expert Team Colleague Featured Poster
Ok, see if this will work for removal:
Revo Uninstaller
http://www.revouninstaller.com/revo_uninstaller_free_download.html
You can download this and try to remove those files which will not remove. This is a free 30-day trial of this program. Hopefully it will work.
Select the application in the list of installed applications and press the "Uninstall" button in the toolbar, or right-click the application and click the "Uninstall" command in the displayed menu. Revo Uninstaller will show an uninstall wizard, which will give you 4 options to choose from:
* Built-in uninstall mode - run only the application's uninstaller without any additional scanning
* Safe uninstall mode - includes the Built-in mode and performs additional scans in the Registry and on the hard drive to find leftover items that are safe to delete. This is the fastest mode.
* Moderate uninstall mode - includes the Safe mode and performs an extended scan to find all of the application's leftover information in the most common places of the Registry and on the hard drive
* Advanced uninstall mode - includes the Moderate mode and performs a deep and thorough scan to find all of the application's leftover information in the Registry and on the hard drive. This is the slowest mode.
mmobilman 0 Newbie Poster
The program does not show the Charter Security Suite. When I attempted to bring it onscreen by entering it in the search box and then hitting Enter the program completely shut down. On the bright side I might use the program to get rid of some of those old outdated programs on this machine. It's getting closer to the time for reformatting I think.
jholland1964 650 Posting Expert Team Colleague Featured Poster
Have you tried contacting the Charter people? I know you no longer have the program, but you DID; maybe they can tell you how to get rid of it if you call their help line.
mmobilman 0 Newbie Poster
It's one of those "no human available" things. I've tried calling but am told to enter my account number to be redirected. I don't have a record of that. I pressed 0 to get an operator and she says I have to have an account number before she can connect me. I tried their chat support but was told my problem is not in their knowledge base and was given a telephone number. I do have a pending support request with F-Secure, the company that I believe developed the Charter Security Suite. I do want you to know that I really appreciate all the effort you have expended to help me. Thank you so very much.
jholland1964 650 Posting Expert Team Colleague Featured Poster
I wish I could have been more help. If you feel comfortable with a reformat then this may very well be your best option. That way you will know the "elusive" firewall will be gone and it no longer will be able to interfere with the normal usage of the computer.
mmobilman 0 Newbie Poster
Well your help wasn't wasted. I did get rid of some Malware, and the undo program helped me get rid of a lot of old, outdated, and no longer used programs. If I don't get any help from F-Secure I suppose reformat is the way I will have to go. I don't look forward to it because it's a lot of work, but seems to be the only solution. Sometimes one just has to bite the bullet.
mmobilman 0 Newbie Poster
One more final point... I reopened the uninstaller program and found a menu option, Forced Uninstall. I was able to browse to the Charter folder and ALL items were removed by the program. However, it left the firewall in place. Oh well, life goes on.
jholland1964 650 Posting Expert Team Colleague Featured Poster
Did you try it in Safe Mode? This, I think, is the only thing we haven't tried here. The firewall shouldn't operate in Safe Mode, so the files wouldn't be in use.
mmobilman 0 Newbie Poster
I did a System Restore to get back the files I deleted earlier. The program once again deleted them, this time in Safe Mode. While all efforts to locate any Charter files of any kind come up blank, it is still riding high and ever vigilant in Security Center. Thanks for the "one more try".
jholland1964 650 Posting Expert Team Colleague Featured Poster
I did a System Restore to get back the files I deleted earlier. The program once again deleted them, this time in Safe Mode. While all efforts to locate any Charter files of any kind come up blank, it is still riding high and ever vigilant in Security Center. Thanks for the "one more try".
If you have used System Restore like this, then this is the reason you cannot remove it all. System Restore actually operates only on a very few system files and settings. System Restore backs up your registry. System Restore does not back up your data. If you delete or damage a file, System Restore will not recover it. System Restore will NOT uninstall a program. In fact, if you have installed a program, find you don't want it, and use System Restore to try to remove it, then it may leave you with much of the program on the system taking up space, but it just won't be listed in Add/Remove, making it much harder to uninstall. System Restore does not keep old copies of your files or settings. If you're looking for an "old version" of a file or program that you used to have on your machine, System Restore isn't going to have it.
mmobilman 0 Newbie Poster
I didn't know that. You mentioned Safe Mode, and since I had already uninstalled it with that program it wasn't there when I went into Safe Mode. I used restore to get it back. I know better now.
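Added example, not from the thread or any of its posters, that checks the one place the thread never looks. On Windows XP SP2/SP3 (the DDS log above shows Windows XP Home Edition), Security Center does not inspect the firewall's files at all: it reads WMI instances of the FirewallProduct class in the root\SecurityCenter namespace, which a security product's installer writes and its uninstaller is supposed to delete. Removing the product through Add/Remove, ComboFix or a forced uninstall deletes the files but can leave that WMI instance behind, which is exactly "Firewall On ... Charter Security Suite 6.15" with an empty program folder. The script below lists every registered firewall product and, only with -Remove, deletes the ones whose display name matches a pattern. The default pattern 'Charter|F-Secure' is an assumption based on the names in this thread; match it to what Security Center actually displays. It assumes PowerShell 2.0 (installable on XP SP3) run from an administrator account; nothing here touches the Windows Firewall itself.

```powershell
# Added example (not code from the DaniWeb thread): find and optionally remove a stale
# third-party firewall registration that keeps Security Center reporting "Firewall On".
# Run from an elevated PowerShell 2.0 prompt. Without -Remove it only reports.
param(
    [string]$Pattern = 'Charter|F-Secure',   # ASSUMED name fragment; adjust to the stale entry shown
    [switch]$Remove                          # delete matching instances instead of just listing them
)

function Get-SecurityCenterFirewalls {
    # XP SP2/SP3 publish products in root\SecurityCenter; Vista and later use root\SecurityCenter2,
    # whose FirewallProduct class has no companyName/enabled properties (it uses productState).
    # Both namespaces are queried so the same check works on either OS generation.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction Stop |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Namespace   = $ns
                        DisplayName = $_.displayName
                        Company     = $_.companyName     # null on SecurityCenter2
                        Enabled     = $_.enabled         # null on SecurityCenter2
                        Instance    = $_                 # kept so the caller can delete it
                    }
                }
        } catch {
            # The namespace does not exist on this Windows version; skip it silently.
        }
    }
}

$all = @(Get-SecurityCenterFirewalls)
Write-Host "Firewall products registered with Security Center:"
$all | Format-Table Namespace, DisplayName, Company, Enabled -AutoSize

$stale = @($all | Where-Object { $_.DisplayName -match $Pattern })
if ($stale.Count -eq 0) {
    Write-Host "No FirewallProduct instance matches '$Pattern'; the WMI registration is not the cause."
    return
}

foreach ($s in $stale) {
    Write-Host ("Stale candidate: {0} ({1}) in {2}" -f $s.DisplayName, $s.Company, $s.Namespace)
    if ($Remove) {
        # Delete only the WMI registration; the product's own files are already gone in the
        # scenario this thread describes. Security Center re-reads the namespace after its
        # service (wscsvc) restarts or the machine reboots.
        $s.Instance.Delete()
        Write-Host "Removed. Restart the Security Center service (wscsvc) or reboot, then re-check."
    }
}
```

Run it once without -Remove and compare the listed display names with the entry Security Center shows; only when a name clearly belongs to a product whose files, services and drivers are no longer on the disk (the DDS Services/Drivers section above is a convenient cross-check) should it be run again with -Remove. If no FirewallProduct instance matches, the phantom entry is coming from somewhere else and deleting WMI objects will not help.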