#1
system security program vista (moved from Vista Forum)
Help I am going crazy!
Suddenly my computer is in chaos. It seems SYSTEM SECURITY has taken over. I have protection through the cable network, which is CHARTER SECURITY SUITE in Oregon. But this security system keeps telling me I have viruses, trojans. My Charter security says I am fine. I downloaded AVG and it got rid of 10 viruses. I cannot delete this System Security; is it a part of Vista Windows? I keep getting pop-ups that say "it has blocked a program from accessing the internet." Then down below it names it as . Pop-ups keep coming, and if I "give in" and update, then of course they want 30 bucks. I cannot find this in my Control Panel (Programs), so I cannot delete it. As I am fighting these I then get pop-ups from Microsoft Windows saying "79B1.tmp has stopped working", and IC29.tmp and 2221.tmp, also 7884.tmp. I noticed when I go to my Favorites and scroll down to find something, it closes on me, and it also seems hard to type, like some letters don't want to work. Yes, it seems like a lot; I hope there is an easy answer and fix. This has been going on for 2 days now. I did remove the Charter security protection; that was not it. Information on the System Security is: folder path C:\users\jeanie\appData\roaming\micro name: system security link
#2
Hello smiley59,
Not sure from that description exactly what may be the cause of the issues there. Let's get more details and check.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop, then click on RSIT.exe to start the scan. If necessary, allow it to locate or download a copy of HijackThis as needed. Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt. RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.
#3
Rsit
I hope I understood correctly.
The pop-ups are not as bad, but I am still being redirected on web pages and it keeps saying I have a trojan horse SHeun 2 MDY. Today no pages were up, just wallpaper, and it was like a radio station was coming through????? Sure hope you can help me.

Logfile of random's system information tool 1.05 (written by random/random)
Run by jeanie at 2009-01-23 22:26:33
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 338 GB (91%) free of 370 GB
Total RAM: 2039 MB (63% free)

info.txt logfile of random's system information tool 1.05 2009-01-23 22:26:44

======Uninstall list======
-->"C:\Program Files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\Gateway Games\BloodTies\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Bookworm Adventures\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Bounce Symphony\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Gateway Game Console\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Magic Ball 3\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Trivia Gems\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Trivia Machine\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Virtual Villagers - A New Home\Uninstall.exe"
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BigFix-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Browser Address Error Redirector-->regsvr32 /u /s "c:\windows\system32\BAE.dll"
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP210 series User Registration-->C:\Program Files\Canon\IJEREG\MP210 series\UNINST.EXE
Canon MP210 series-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61} /l1033
Gateway Connect-->MsiExec.exe /I{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}
Gateway Games-->"C:\Program Files\Gateway Games\Uninstall.exe"
Gateway Recovery Center Installer-->MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Microsoft Money Essentials-->"C:\Program Files\Microsoft Money 2007\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries-->MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Microsoft WSE 2.0 SP3 Runtime-->MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
Mind Medley (remove only)-->"C:\Program Files\Mind Medley\Uninstall.exe"
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
OLYMPUS CAMEDIA Master 4.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
Power2Go 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
PS2 Multimedia Keyboard Driver-->"C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\setup.exe" -ul
QuickTime-->C:\Windows\unvise32qt.exe C:\Windows\system32\QuickTime\Uninstall.log
Quit Counter-->"C:\Program Files\Quit Counter\unins000.exe"
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
ScanSoft OmniPage SE 4-->MsiExec.exe /X{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Visio 2007 (KB947590)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDBRYCMzK.inf
Spare Backup-->MsiExec.exe /X{A57C6094-FC5A-4DEC-B1E0-1B2F48EEE8F4}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
UltimateBet-->"C:\Poker Application\UltimateBet\unins000.exe"
UltimateBet-->C:\PROGRA~1\ULTIMA~1\UNWISE.EXE C:\PROGRA~1\ULTIMA~1\INSTALL.LOG
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office OneNote 2007 Help (KB957245)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {7332DE60-DC79-4578-A60A-A5EA0D6E032B}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}

======Security center information======
AV: AVG Anti-Virus Free
FW: CA Personal Firewall
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender

System event log
Computer Name: jeanie-PC
Event Code: 7036
Message: The TPM Base Services service entered the stopped state.
Record Number: 97718
Source Name: Service Control Manager
Time Written: 20090124062055.000000-000
Event Type: Information
User:

Computer Name: jeanie-PC
Event Code: 7036
Message: The Security Center service entered the running state.
Record Number: 97719
Source Name: Service Control Manager
Time Written: 20090124062055.000000-000
Event Type: Information
User:

Computer Name: jeanie-PC
Event Code: 7036
Message: The Windows Update service entered the running state.
Record Number: 97720
Source Name: Service Control Manager
Time Written: 20090124062056.000000-000
Event Type: Information
User:

Computer Name: jeanie-PC
Event Code: 537
Message: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer. TBS could not be started.
Record Number: 97721
Source Name: Microsoft-Windows-TBS
Time Written: 20090124062055.115716-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: jeanie-PC
Event Code: 7036
Message: The Windows Media Center Service Launcher service entered the stopped state.
Record Number: 97722
Source Name: Service Control Manager
Time Written: 20090124062057.000000-000
Event Type: Information
User:

Application event log
Computer Name: jeanie-PC
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 25426
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20090124061948.800116-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: jeanie-PC
Event Code: 1
Message: The Windows Security Center Service has started.
Record Number: 25427
Source Name: SecurityCenter
Time Written: 20090124062055.000000-000
Event Type: Information
User:

Computer Name: jeanie-PC
Event Code: 103
Message: WinMail (3656) WindowsMail0: The database engine stopped the instance (0).
Record Number: 25428
Source Name: ESENT
Time Written: 20090124062256.000000-000
Event Type: Information
User:

Computer Name: jeanie-PC
Event Code: 1001
Message: Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Record Number: 25429
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090124062306.000000-000
Event Type: Information
User:

Computer Name: jeanie-PC
Event Code: 1000
Message: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Record Number: 25430
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090124062306.000000-000
Event Type: Information
User:

Security event log
Computer Name: jeanie-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 31217
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090124062642.225516-000
Event Type: Audit Failure
User:
#4
part 2
Computer Name: jeanie-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 31218
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090124062642.250516-000
Event Type: Audit Failure
User:

Computer Name: jeanie-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 31219
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090124062642.276516-000
Event Type: Audit Failure
User:

Computer Name: jeanie-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 31220
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090124062642.301516-000
Event Type: Audit Failure
User:

Computer Name: jeanie-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 31221
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090124062642.325516-000
Event Type: Audit Failure
User:

======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------
#5
part 3
Logfile of random's system information tool 1.05 (written by random/random)
Run by jeanie at 2009-01-23 22:26:33
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 338 GB (91%) free of 370 GB
Total RAM: 2039 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:43 PM, on 1/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Users\jeanie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1TPUB77\RSIT[1].exe
C:\Program Files\trend micro\jeanie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...=DTP&M=GT5660E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...=DTP&M=GT5660E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/j...javadl.sun.com
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.charter.net/files/charter...uite/fscax.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7961 bytes

======Scheduled tasks folder======
C:\Windows\tasks\At1.job
C:\Windows\tasks\At10.job
C:\Windows\tasks\At11.job
C:\Windows\tasks\At12.job
C:\Windows\tasks\At13.job
C:\Windows\tasks\At14.job
C:\Windows\tasks\At15.job
C:\Windows\tasks\At16.job
C:\Windows\tasks\At17.job
C:\Windows\tasks\At18.job
C:\Windows\tasks\At19.job
C:\Windows\tasks\At2.job
C:\Windows\tasks\At20.job
C:\Windows\tasks\At21.job
C:\Windows\tasks\At22.job
C:\Windows\tasks\At23.job
C:\Windows\tasks\At24.job
C:\Windows\tasks\At25.job
C:\Windows\tasks\At26.job
C:\Windows\tasks\At27.job
C:\Windows\tasks\At28.job
C:\Windows\tasks\At29.job
C:\Windows\tasks\At3.job
C:\Windows\tasks\At30.job
C:\Windows\tasks\At31.job
C:\Windows\tasks\At32.job
C:\Windows\tasks\At33.job
C:\Windows\tasks\At34.job
C:\Windows\tasks\At35.job
C:\Windows\tasks\At36.job
C:\Windows\tasks\At37.job
C:\Windows\tasks\At38.job
C:\Windows\tasks\At39.job
C:\Windows\tasks\At4.job
C:\Windows\tasks\At40.job
C:\Windows\tasks\At41.job
C:\Windows\tasks\At42.job
C:\Windows\tasks\At43.job
C:\Windows\tasks\At44.job
C:\Windows\tasks\At45.job
C:\Windows\tasks\At46.job
C:\Windows\tasks\At47.job
C:\Windows\tasks\At48.job
C:\Windows\tasks\At5.job
C:\Windows\tasks\At6.job
C:\Windows\tasks\At7.job
C:\Windows\tasks\At8.job
C:\Windows\tasks\At9.job
C:\Windows\tasks\Registry OK Schedule.job
C:\Windows\tasks\Uniblue SpyEraser.job

======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-02-15 370296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-01-19 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-23 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-12-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-23 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-12-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"=C:\Windows\zHotkey.exe [2006-11-07 547840]
"ShowWnd"=C:\Windows\ShowWnd.exe [2005-01-27 36864]
"ModPS2"=C:\Windows\ModPS2Key.exe [2006-11-07 53248]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-04-23 4435968]
"Spare Backup"=C:\Program Files\Spare Backup\SpareBackup.exe [2007-09-13 5252936]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]
"Skytel"=C:\Windows\Skytel.exe [2007-04-13 1822720]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-01-19 1261336]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-11 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-11 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-11 133656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-23 136600]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"=C:\Windows\SMINST\launcher.exe [2007-07-13 40072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-18 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
[]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe

C:\Users\jeanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-02-11 204800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
#6
final
======List of files/folders created in the last 1 months======
2009-01-23 22:26:33 ----D---- C:\rsit
2009-01-23 22:26:33 ----D---- C:\Program Files\trend micro
2009-01-23 18:25:07 ----D---- C:\ProgramData\SITEguard
2009-01-23 18:23:43 ----D---- C:\ProgramData\STOPzilla!
2009-01-23 18:23:43 ----D---- C:\Program Files\Common Files\iS3
2009-01-23 17:41:38 ----A---- C:\Windows\system32\javaws.exe
2009-01-23 17:41:38 ----A---- C:\Windows\system32\javaw.exe
2009-01-23 17:41:38 ----A---- C:\Windows\system32\java.exe
2009-01-23 17:41:38 ----A---- C:\Windows\system32\deploytk.dll
2009-01-22 21:24:35 ----D---- C:\Program Files\Registry OK
2009-01-21 20:40:03 ----D---- C:\ProgramData\Uniblue
2009-01-21 20:40:02 ----D---- C:\Users\jeanie\AppData\Roaming\Uniblue
2009-01-21 20:39:56 ----D---- C:\Program Files\Uniblue
2009-01-21 11:58:06 ----D---- C:\Program Files\Intelinet
2009-01-19 21:42:16 ----HD---- C:\$AVG8.VAULT$
2009-01-19 21:38:28 ----A---- C:\Windows\system32\avgrsstx.dll
2009-01-19 21:37:41 ----D---- C:\ProgramData\avg8
2009-01-19 21:37:41 ----D---- C:\Program Files\AVG
2009-01-19 20:30:32 ----A---- C:\Windows\ntbtlog.txt
2009-01-19 20:25:34 ----D---- C:\Users\jeanie\AppData\Roaming\CyberLink
2009-01-19 20:25:09 ----D---- C:\ProgramData\CyberLink
2009-01-19 16:37:33 ----D---- C:\ProgramData\1941139646
2009-01-19 12:53:21 ----A---- C:\Windows\system32\1DNJe4hY.exe.a_a
2009-01-19 12:53:21 ----A---- C:\Windows\system32\1DNJe4hY.exe
2009-01-04 14:04:12 ----D---- C:\Users\jeanie\AppData\Roaming\Anuman Interactive
2009-01-01 17:31:57 ----D---- C:\Users\jeanie\AppData\Roaming\F-Secure
======List of files/folders modified in the last 1 months======
2009-01-23 22:26:43 ----D---- C:\Windows\Temp
2009-01-23 22:26:33 ----RD---- C:\Program Files
2009-01-23 22:23:06 ----HD---- C:\Windows\inf
2009-01-23 22:23:06 ----D---- C:\Windows\System32
2009-01-23 22:23:06 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-01-23 22:19:12 ----D---- C:\Users\jeanie\AppData\Roaming\Spare Backup
2009-01-23 18:38:00 ----HD---- C:\Config.msi
2009-01-23 18:34:10 ----SHD---- C:\Windows\Installer
2009-01-23 18:34:10 ----D---- C:\Windows\system32\drivers
2009-01-23 18:33:20 ----SHD---- C:\System Volume Information
2009-01-23 18:28:43 ----D---- C:\Windows\Prefetch
2009-01-23 18:25:07 ----HD---- C:\ProgramData
2009-01-23 18:23:43 ----D---- C:\Program Files\Common Files
2009-01-23 18:14:19 ----SD---- C:\Users\jeanie\AppData\Roaming\Microsoft
2009-01-23 18:13:23 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2009-01-23 18:07:58 ----AD---- C:\ProgramData\TEMP
2009-01-23 17:41:58 ----SD---- C:\Windows\Downloaded Program Files
2009-01-23 17:41:15 ----D---- C:\Program Files\Java
2009-01-22 21:24:54 ----D---- C:\Windows\Tasks
2009-01-22 21:24:54 ----D---- C:\Windows\system32\Tasks
2009-01-22 10:06:02 ----D---- C:\Windows
2009-01-22 10:05:07 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-21 13:44:21 ----D---- C:\Windows\rescache
2009-01-21 13:39:09 ----D---- C:\Windows\system32\catroot
2009-01-21 13:37:34 ----D---- C:\Windows\system32\catroot2
2009-01-21 13:37:00 ----D---- C:\Windows\winsxs
2009-01-20 20:29:23 ----D---- C:\Program Files\Charter Security Suite
2009-01-20 20:27:36 ----D---- C:\ProgramData\f-secure
2009-01-20 19:22:02 ----D---- C:\Windows\system32\WDI
2009-01-19 21:46:51 ----SD---- C:\ProgramData\Microsoft
2009-01-14 12:33:13 ----D---- C:\Program Files\Windows Mail
2009-01-09 17:35:28 ----A---- C:\Windows\system32\mrt.exe
2009-01-07 07:58:23 ----D---- C:\Program Files\Games
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-01-19 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-01-19 26824]
R1 Cdr4_xp;Cdr4_xp; C:\Windows\system32\drivers\Cdr4_xp.sys [2005-09-07 44288]
R1 Cdralw2k;Cdralw2k; C:\Windows\system32\drivers\Cdralw2k.sys [2005-09-07 24960]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 AvgWfpX;AVG Free8 Firewall Driver x86; C:\Windows\System32\Drivers\avgwfpx.sys [2009-01-19 69128]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-08 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-11-08 258048]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-04-23 1769952]
R3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2006-11-01 47104]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-18 35328]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-08 659968]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-01 108032]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-01 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-01 2589184]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-01-19 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-01-19 231704]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2007-12-19 65536]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S3 GameConsoleService;GameConsoleService; C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe [2008-05-05 165416]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-19 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
-----------------EOF-----------------
#7
Indications of malware files showing here, but not the more active components I would expect to see. Let's remove some items, then scan and repair as well.
The folder list shows these having been used there recently. I am listing them from worst down, as far as being more scam software than beneficial, with the top one (STOPzilla!) also actually being advertised in adware/malware popups.
STOPzilla!
Registry OK
Uniblue
Eusing Free Registry Cleaner
Either just not beneficial, and really just intended to secure payment from you for them, or they can even be a cause of problems instead of helping.
-----------------
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download OTMoveIt3 by OldTimer to your desktop. Then click OTMoveIt3.exe to run it (Vista users, please right-click on OTMoveit3.exe and select "Run as an Administrator").
Copy the file path(s) below (inside the Code box) to the clipboard by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):
Code:
:processes
explorer.exe
:files
C:\Windows\tasks\At*.job
C:\ProgramData\1941139646
C:\Windows\system32\1DNJe4hY.exe.a_a
C:\Windows\system32\1DNJe4hY.exe
:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
:commands
[zipfiles]
[emptytemp]
[start explorer]
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
-------------------
Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.
If it calls for a reboot to complete the repairs, do that as well then.
---------------------
Run a new RSIT scan and post that main log along with the OTMoveIt log and the Malwarebytes log please.
OTMoveIt created a zip file of the items removed that I would like to check out. Just go here, press new topic, fill in the needed details and just give a link to your post back here.
Then press the browse button and navigate to & select the file on your computer:
C:\_OTMoveIt\MovedFiles\(mmddyyyy_hhmmss).zip
(Where "mmddyyyy_hhmmss" is the date and time the scan was run)
You DO NOT need to be a member to upload; anybody can upload the files. You will not be able to see the file once uploaded.
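The triage in the post above rests on two things read straight out of the RSIT log: the run of At1.job through At48.job in the Scheduled tasks folder, and the random-named 1DNJe4hY.exe pair dropped into system32 on the day the trouble started. As an added example (not code from this thread, and not part of RSIT, HijackThis or OTMoveIt), the Python below applies those same two checks to an RSIT-format log, plus a third check for Browser Helper Object keys with no DLL registered behind them (the {602ADB0E-...} key in the log). The embedded sample log is constructed from a few lines of the posted log; the threshold of five At*.job entries and the "random-looking name" heuristic are my own assumptions, not rules from any of those tools.

```python
"""Triage helper for RSIT-style logs (added example; not code from the thread or from RSIT/OTMoveIt)."""
import re

# Constructed sample: a handful of lines of the kind posted in this thread, not the full log.
SAMPLE_LOG = r"""======Scheduled tasks folder======
C:\Windows\tasks\At1.job
C:\Windows\tasks\At10.job
C:\Windows\tasks\At2.job
C:\Windows\tasks\At3.job
C:\Windows\tasks\At4.job
C:\Windows\tasks\At5.job
C:\Windows\tasks\Registry OK Schedule.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-23 320920]
======List of files/folders created in the last 1 months======
2009-01-23 17:41:38 ----A---- C:\Windows\system32\javaws.exe
2009-01-19 16:37:33 ----D---- C:\ProgramData\1941139646
2009-01-19 12:53:21 ----A---- C:\Windows\system32\1DNJe4hY.exe.a_a
2009-01-19 12:53:21 ----A---- C:\Windows\system32\1DNJe4hY.exe
"""

SECTION_RE = re.compile(r"^======(.+?)======$")
AT_JOB_RE = re.compile(r"\\tasks\\At(\d+)\.job$", re.IGNORECASE)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (-{4}[A-Z]+-{4}) (.+)$")
BHO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    r"Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$"
)


def parse_sections(text):
    """Split an RSIT log into {section name: [non-empty lines]}; text before the first header is 'preamble'."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def looks_random(stem):
    """Heuristic (assumption): generated names such as 1DNJe4hY mix digits with upper- and lower-case letters."""
    return (
        len(stem) >= 6
        and any(c.isdigit() for c in stem)
        and any(c.isupper() for c in stem)
        and any(c.islower() for c in stem)
    )


def triage(text, at_threshold=5):
    """Return the indicators the helper acted on in this thread, plus readable findings."""
    sections = parse_sections(text)

    # 1. A burst of numbered At*.job tasks (the kind the 'at' scheduler writes); the helper removed
    #    all of them with one At*.job wildcard. The threshold is an assumption, not a tool rule.
    at_ids = []
    for line in sections.get("Scheduled tasks folder", []):
        m = AT_JOB_RE.search(line)
        if m:
            at_ids.append(int(m.group(1)))
    at_ids.sort()

    # 2. Recently created, random-named files directly under system32 (directories skipped).
    random_files = []
    for line in sections.get("List of files/folders created in the last 1 months", []):
        m = CREATED_RE.match(line)
        if not m or "D" in m.group(1):
            continue
        path = m.group(2)
        folder, _, name = path.rpartition("\\")
        if folder.lower().endswith("\\system32") and looks_random(name.split(".")[0]):
            random_files.append(path)

    # 3. BHO keys with nothing registered behind them: a key line followed directly by another key.
    reg = sections.get("Registry dump", [])
    orphan_bhos = []
    for i, line in enumerate(reg):
        m = BHO_KEY_RE.match(line)
        if m and (i + 1 == len(reg) or reg[i + 1].startswith("[")):
            orphan_bhos.append(m.group(1))

    findings = []
    if len(at_ids) >= at_threshold:
        findings.append(f"{len(at_ids)} numbered At*.job tasks (At{at_ids[0]}..At{at_ids[-1]})")
    findings += [f"random-named file in system32: {p}" for p in random_files]
    findings += [f"BHO key with no DLL behind it: {g}" for g in orphan_bhos]
    return {"at_jobs": at_ids, "random_system32": random_files, "orphan_bhos": orphan_bhos, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against a saved C:\rsit\log.txt by reading the file into triage(); the three lists it returns are the same three things a human reviewer pulls out of the log by eye, so the script is a first pass, not a verdict. An orphan BHO key or a single odd filename is not proof of infection on its own, which is why the findings carry the evidence rather than a label.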
#8
move it
I copied and pasted from the results side. I was not asked to reboot, and the pop-up read: "can not open file".
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At10.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At12.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At14.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At16.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At18.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At2.job moved successfully.
C:\Windows\tasks\At20.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At22.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At24.job moved successfully.
C:\Windows\tasks\At25.job moved successfully.
C:\Windows\tasks\At26.job moved successfully.
C:\Windows\tasks\At27.job moved successfully.
C:\Windows\tasks\At28.job moved successfully.
C:\Windows\tasks\At29.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At30.job moved successfully.
C:\Windows\tasks\At31.job moved successfully.
C:\Windows\tasks\At32.job moved successfully.
C:\Windows\tasks\At33.job moved successfully.
C:\Windows\tasks\At34.job moved successfully.
C:\Windows\tasks\At35.job moved successfully.
C:\Windows\tasks\At36.job moved successfully.
C:\Windows\tasks\At37.job moved successfully.
C:\Windows\tasks\At38.job moved successfully.
C:\Windows\tasks\At39.job moved successfully.
C:\Windows\tasks\At4.job moved successfully.
C:\Windows\tasks\At40.job moved successfully.
C:\Windows\tasks\At41.job moved successfully.
C:\Windows\tasks\At42.job moved successfully.
C:\Windows\tasks\At43.job moved successfully.
C:\Windows\tasks\At44.job moved successfully.
C:\Windows\tasks\At45.job moved successfully.
C:\Windows\tasks\At46.job moved successfully.
C:\Windows\tasks\At47.job moved successfully.
C:\Windows\tasks\At48.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At6.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At8.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.
C:\ProgramData\1941139646 moved successfully.
C:\Windows\system32\1DNJe4hY.exe.a_a moved successfully.
C:\Windows\system32\1DNJe4hY.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01242009_120731
#9
malwarebytes
Malwarebytes' Anti-Malware 1.33
Database version: 1689
Windows 6.0.6001 Service Pack 1
1/24/2009 12:27:24 PM
mbam-log-2009-01-24 (12-27-24).txt
Scan type: Quick Scan
Objects scanned: 45751
Time elapsed: 2 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpyClean (Rogue.SpyClean) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Intelinet (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Backup (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Program Files\Intelinet\Logs (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Users\jeanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Intelinet\Logs\2009_01_21.log (Rogue.Intelinet) -> Quarantined and deleted successfully.
C:\Users\jeanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Security\System Security.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Users\jeanie\Desktop\System Security.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
#10
Something blocked the creation of the zip file - might be Vista permissions issues. Post back a new RSIT log and let's see how things look now.
#11
rsit log
Logfile of random's system information tool 1.05 (written by random/random)
Run by jeanie at 2009-01-24 18:17:44
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 337 GB (91%) free of 370 GB
Total RAM: 2039 MB (64% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:49 PM, on 1/24/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BigFix\bigfix.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Users\jeanie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ADKRBR82\RSIT[1].exe
C:\Program Files\trend micro\jeanie.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...=DTP&M=GT5660E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...=DTP&M=GT5660E
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/j...javadl.sun.com
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://www.charter.net/files/charter...uite/fscax.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
-- End of file - 7442 bytes
======Scheduled tasks folder======
C:\Windows\tasks\Registry OK Schedule.job
C:\Windows\tasks\Uniblue SpyEraser.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-02-15 370296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-23 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-12-19 2403392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-02-01 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-23 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-12-19 2403392]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"=C:\Windows\zHotkey.exe [2006-11-07 547840]
"ShowWnd"=C:\Windows\ShowWnd.exe [2005-01-27 36864]
"ModPS2"=C:\Windows\ModPS2Key.exe [2006-11-07 53248]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-04-23 4435968]
"Spare Backup"=C:\Program Files\Spare Backup\SpareBackup.exe [2007-09-13 5252936]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-05-14 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe [2007-02-04 79400]
"Skytel"=C:\Windows\Skytel.exe [2007-04-13 1822720]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-11 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-11 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-11 133656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-23 136600]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"=C:\Windows\SMINST\launcher.exe [2007-07-13 40072]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-18 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-18 202240]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe
C:\Users\jeanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-02-11 204800]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======List of files/folders created in the last 1 months======
2009-01-24 12:17:12 ----D---- C:\Users\jeanie\AppData\Roaming\Malwarebytes
2009-01-24 12:17:08 ----D---- C:\ProgramData\Malwarebytes
2009-01-24 12:17:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-24 12:07:31 ----D---- C:\_OTMoveIt
2009-01-23 22:26:33 ----D---- C:\rsit
2009-01-23 22:26:33 ----D---- C:\Program Files\trend micro
2009-01-23 18:25:07 ----D---- C:\ProgramData\SITEguard
2009-01-23 18:23:43 ----D---- C:\ProgramData\STOPzilla!
2009-01-23 18:23:43 ----D---- C:\Program Files\Common Files\iS3
2009-01-23 17:41:38 ----A---- C:\Windows\system32\javaws.exe
2009-01-23 17:41:38 ----A---- C:\Windows\system32\javaw.exe
2009-01-23 17:41:38 ----A---- C:\Windows\system32\java.exe
2009-01-23 17:41:38 ----A---- C:\Windows\system32\deploytk.dll
2009-01-22 21:24:35 ----D---- C:\Program Files\Registry OK
2009-01-21 20:40:03 ----D---- C:\ProgramData\Uniblue
2009-01-21 20:40:02 ----D---- C:\Users\jeanie\AppData\Roaming\Uniblue
2009-01-21 20:39:56 ----D---- C:\Program Files\Uniblue
2009-01-19 21:37:41 ----D---- C:\ProgramData\avg8
2009-01-19 21:37:41 ----D---- C:\Program Files\AVG
2009-01-19 20:30:32 ----A---- C:\Windows\ntbtlog.txt
2009-01-19 20:25:34 ----D---- C:\Users\jeanie\AppData\Roaming\CyberLink
2009-01-19 20:25:09 ----D---- C:\ProgramData\CyberLink
2009-01-04 14:04:12 ----D---- C:\Users\jeanie\AppData\Roaming\Anuman Interactive
2009-01-01 17:31:57 ----D---- C:\Users\jeanie\AppData\Roaming\F-Secure
======List of files/folders modified in the last 1 months======
2009-01-24 18:17:46 ----D---- C:\Windows\Temp
2009-01-24 18:17:37 ----D---- C:\Windows\Prefetch
2009-01-24 18:09:20 ----D---- C:\Users\jeanie\AppData\Roaming\Spare Backup
2009-01-24 18:07:03 ----HD---- C:\Windows\inf
2009-01-24 18:07:03 ----D---- C:\Windows\System32
2009-01-24 18:07:03 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-01-24 12:55:37 ----SHD---- C:\System Volume Information
2009-01-24 12:55:34 ----SD---- C:\Users\jeanie\AppData\Roaming\Microsoft
2009-01-24 12:55:34 ----D---- C:\Windows\system32\drivers
2009-01-24 12:55:34 ----D---- C:\Windows
2009-01-24 12:55:33 ----HD---- C:\ProgramData
2009-01-24 12:27:24 ----RD---- C:\Program Files
2009-01-24 12:07:31 ----D---- C:\Windows\Tasks
2009-01-23 18:38:00 ----HD---- C:\Config.msi
2009-01-23 18:34:10 ----SHD---- C:\Windows\Installer
2009-01-23 18:23:43 ----D---- C:\Program Files\Common Files
2009-01-23 18:13:23 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2009-01-23 18:07:58 ----AD---- C:\ProgramData\TEMP
2009-01-23 17:41:58 ----SD---- C:\Windows\Downloaded Program Files
2009-01-23 17:41:15 ----D---- C:\Program Files\Java
2009-01-22 21:24:54 ----D---- C:\Windows\system32\Tasks
2009-01-22 10:05:07 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-21 13:44:21 ----D---- C:\Windows\rescache
2009-01-21 13:39:09 ----D---- C:\Windows\system32\catroot
2009-01-21 13:37:34 ----D---- C:\Windows\system32\catroot2
2009-01-21 13:37:00 ----D---- C:\Windows\winsxs
2009-01-20 20:29:23 ----D---- C:\Program Files\Charter Security Suite
2009-01-20 20:27:36 ----D---- C:\ProgramData\f-secure
2009-01-20 19:22:02 ----D---- C:\Windows\system32\WDI
2009-01-19 21:46:51 ----SD---- C:\ProgramData\Microsoft
2009-01-14 12:33:13 ----D---- C:\Program Files\Windows Mail
2009-01-09 17:35:28 ----A---- C:\Windows\system32\mrt.exe
2009-01-07 07:58:23 ----D---- C:\Program Files\Games
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Cdr4_xp;Cdr4_xp; C:\Windows\system32\drivers\Cdr4_xp.sys [2005-09-07 44288]
R1 Cdralw2k;Cdralw2k; C:\Windows\system32\drivers\Cdralw2k.sys [2005-09-07 24960]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-08 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-11-08 258048]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-04-23 1769952]
R3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2006-11-01 47104]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-18 35328]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-08 659968]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-01 108032]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-01 45056]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink
Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016] S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-01 2589184] S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\Windows\system32\DRIVERS\SymIM.sys [] S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys [] S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432] S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2007-12-19 65536] R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560] S3 GameConsoleService;GameConsoleService; C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe [2008-05-05 165416] S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-19 138168] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728] S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184] -----------------EOF----------------- |
#12
Good progress. Now some minor changes and then scan to see what might remain.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Close all open windows and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

-------------------

Then Go here and run the Kaspersky online scan, and post back the log it creates. To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do. When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log. Then locate that log and copy/paste those contents back here please. The scan requires a good bit of database downloading and can take quite a while to complete.
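To show the kind of triage the post above applies to a HijackThis log (blank R0 Start/Local Page values and an O2 BHO whose DLL is gone), here is a small Python helper. It is an example added here, not code from the thread or from the HijackThis tool; the sample lines are constructed from the entries quoted in this post plus two constructed benign entries, and the Java BHO's CLSID is a placeholder.

```python
import re

# Constructed sample lines, modelled on the HijackThis entries quoted in the post above,
# plus two constructed benign entries (an R1 search page, a BHO whose DLL exists) that a
# triage should leave alone. The CLSID on the Java line is a placeholder, not a real one.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java SSV Helper - {CONSTRUCTED-CLSID-0001} - C:\Program Files\Java\jre6\bin\ssv.dll
"""

# R0/R1 lines: "<section> - <hive\key>,<value name> = <data>"
R0_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+)=\s*(?P<data>.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")


def triage(log_text):
    """Return (line, reason) pairs for the entries a cleanup would target.

    Two patterns from the post: IE start/local page values that are blank
    (a leftover once a hijacked value has been cleared) and BHOs that are
    still registered although the DLL they point to is missing.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R0_RE.match(line)
        if m:
            if not m.group("data").strip():
                findings.append((line, "blank IE %s entry" % m.group("value").strip()))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append((line, "BHO %s registered but its DLL is missing" % m.group("clsid")))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("FIX: %-80s  # %s" % (line, reason))
```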
#13
kaspersky scan
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 24, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 25, 2009 04:06:18
Records in database: 1701544
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\ D:\ E:\ F:\ G:\ H:\ I:\
Scan statistics:
Files scanned: 138712
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:27:16
File name / Threat name / Threats count
C:\Users\jeanie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMP011RQ\setup[1].exe Infected: not-a-virus:FraudTool.Win32.Agent.dx 2
C:\_OTMoveIt\MovedFiles\01242009_120731\Windows\system32\1DNJe4hY.exe Infected: Trojan-Downloader.Win32.Agent.bele 1
The selected area was scanned.
#14
Very good - just a file you already removed and then a leftover method to introduce infection through the Internet. Just need to delete that IE temp folder to remove that.
Close IE and any open windows and open OTMoveIt again. Copy the file path(s) below (inside the Code box) to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):

Code:
:files
C:\Users\jeanie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMP011RQ

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

-------------------

Then just post back that new OTMoveIt log as well as an update on how things are running there now please.
#15
========== FILES ==========
File/Folder C:\Users\jeanie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMP011RQ not found.
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01252009_184319

Is this what you wanted? I could not find another FILE to send you. The computer is running good, but since I got this trojan, do I need better protection? I have no virus protection at this moment but what about the firewall and defender that are in the system. I am thinking about getting Norton which gave a trial period when I bought the computer.