
posting logfile second attempt


Unread postby jcecil » March 24th, 2009, 12:12 am

Using "select all" never occurred to me. I've never participated in a forum before, so all this posting and everything is new to me. Thanks for your patience. I'll try it again.
John

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:03 PM, on 3/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe

--
End of file - 5220 bytes
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm
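The log above is what the helper reads line by line. As an added example (not code from the thread, from MalwareRemoval.com or from HijackThis), the script below parses HJT entry lines and flags the two items an analyst would research first in a log of this shape: an F2 UserInit value that starts anything besides the default userinit.exe, and O17 NameServer values outside an analyst-supplied list of expected resolvers (EXPECTED_NAMESERVERS is a constructed placeholder). SAMPLE_LOG is constructed to mirror entry lines from the posted log.

```python
"""Triage a HijackThis 2.0.2 log: pull out the entry lines and flag the items
an analyst researches first.

Added example; not code from HijackThis or from MalwareRemoval.com. The
EXPECTED_NAMESERVERS allowlist is constructed for the demonstration, and
SAMPLE_LOG reproduces the format of the log posted in the thread."""
import re
from dataclasses import dataclass

# Windows XP default for the Winlogon UserInit value: exactly one program,
# userinit.exe, followed by a trailing comma. HijackThis reports it as F2.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Resolvers the analyst expects for this machine (constructed placeholder;
# the ISP's or the router's address would normally be listed here).
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# HJT entry lines look like "O17 - <details>"; process-list lines and headers
# do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (kind, body, original_line) for each HJT entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def check_userinit(body, line):
    """F2 - REG:system.ini: UserInit=<exe>,<exe>,... : anything besides
    userinit.exe runs at every logon, so it is flagged for review."""
    if "UserInit=" not in body:
        return None
    value = body.split("UserInit=", 1)[1]
    exes = [p.strip().lower() for p in value.split(",") if p.strip()]
    extra = [e for e in exes if e != DEFAULT_USERINIT]
    if not extra:
        return None
    return Finding("F2", "UserInit starts more than userinit.exe: " + ", ".join(extra), line)


def check_nameserver(body, line):
    """O17 - HKLM\\System\\...: NameServer = a.b.c.d,e.f.g.h : resolvers not in
    the expected list are flagged for the analyst to look up."""
    if "NameServer" not in body:
        return None
    servers = [s.strip() for s in body.split("=", 1)[1].split(",") if s.strip()]
    unexpected = [s for s in servers if s not in EXPECTED_NAMESERVERS]
    if not unexpected:
        return None
    return Finding("O17", "unexpected NameServer: " + ", ".join(unexpected), line)


CHECKS = {"F2": check_userinit, "O17": check_nameserver}


def triage(log_text):
    """Return the Findings for a whole HJT log, in log order."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        check = CHECKS.get(kind)
        found = check(body, line) if check else None
        if found:
            findings.append(found)
    return findings


def distinct_nameservers(log_text):
    """HJT prints one O17 line per Tcpip key (CurrentControlSet, ControlSet001,
    per-adapter GUID keys); collapse them to the set of resolvers configured."""
    servers = set()
    for kind, body, _ in parse_entries(log_text):
        if kind == "O17" and "NameServer" in body:
            servers.update(s.strip() for s in body.split("=", 1)[1].split(",") if s.strip())
    return sorted(servers)


# Constructed sample that mirrors entry lines from the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.reason}\n    {finding.line}")
    print("resolvers configured:", distinct_nameservers(SAMPLE_LOG))
```

A flagged entry is a research item, not a verdict: the analyst still looks up the extra executable and the resolver addresses before deciding what to remove.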

Re: posting logfile second attempt

Unread postby Dakeyras » March 24th, 2009, 7:19 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi jcecil and welcome to Malware Removal :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Next:

Using "select all" never occurred to me. I've never participated in a forum before so, all this posting and everything is new to me. Thanks for your patience. I'll try it again.

Absolutely fine, just take your time, OK. Remember, if you have any problems or do not understand anything, as stated above in my welcome speech, just stop what you are doing and inform me. I have identified some of the malware present on your computer, so at least I have a general idea of what to expect, but please be aware anything can occur when malware is involved.

OK for now I just have one task for your good self to carry out as I need to carry out some further research on your behalf before we carry out any proactive measures OK.

Next:

In the interim I would like to view a list of currently installed software applications on your computer. How to provide it is as follows:

Start/Run HiJackThis and click on Open the Misc Tools section

  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

When you have completed the above, please post back the following:

  • Any problems encountered and/or further symptoms?
  • Uninstall list.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: posting logfile second attempt

Unread postby jcecil » March 24th, 2009, 11:51 pm

Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player 11
AT&T Pop-Up Catcher
ATT-RemoteControl
AVG 8.5
getPlus(R) for Adobe
GOM Player
HijackThis 2.0.2
hp photosmart printer series (Remove only)
InCD
IrfanView (remove only)
LView Pro Full Version
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
News Rover -- Usenet newsreader
PowerDVD
Prism Video Converter
SiS Audio Driver
Skype™ 3.2
VLC media player 0.9.8a
Windows XP Service Pack 2
WinRAR archiver

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:20 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 4589 bytes
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt

Unread postby Dakeyras » March 25th, 2009, 7:56 am

Hi :)

I notice you have uninstalled the AT&T Internet Security Suite application and have replaced it with Grisoft's AVG 8.5; any particular reason for this, may I ask?

Also, in future, do not make any other changes to your computer during the course of this malware removal process unless I specifically advise so, OK. Thank you.

The HijackThis uninstall list you posted is somewhat small in size and shows no evidence of Microsoft Security Updates whatsoever. Have you been uninstalling applications via the Add/Remove feature in the Control Panel yourself, or is that exactly the contents of the list when generated?

Any questions I ask your good self, please reply, even if just to inform me that you do not understand, as this will prove beneficial towards myself assisting you more efficiently.

Next:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here
    How to temporarily disable AVG 8 so that it won't interfere with ComboFix
    Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
    • Click Tools
    • Click Advanced
    • In the left hand pane, scroll down to Resident Shield
    • In the main pane, deselect Enable Resident Shield
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now?
  • Any problems encountered and/or further symptoms?
  • Answers to my questions.
  • ComboFix Log.
  • A new Uninstall list.
  • A new HijackThis Log.

Note: Post all requested logs individually if they are suddenly larger than the previous you have provided.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: posting logfile second attempt

Unread postby jcecil » March 25th, 2009, 8:36 pm

Computer appears to work fine now. I did a couple of searches, clicked on links and went directly to them, no double-click stuff. I went to AT&T and changed my phone service bundle to stop long-distance service. When I did, the security suite was disabled, so I uninstalled it and got AVG. Also, when I tried to download security updates for Windows, the hijacker wouldn't let me. It would start, then would say "connection to server unexpectedly terminated". It seems to work now; however, this is an unregistered version of XP and they won't give me any updates unless I register. I don't know what to do. Here are the requested logs.

ComboFix 09-03-23.01 - john 2009-03-25 17:54:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.291 [GMT -5:00]
Running from: c:\documents and settings\john.JOHN-N4EBF8PJUN\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\john.JOHN-N4EBF8PJUN\Start Menu\Programs\WatchFree
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\twain_32
c:\documents and settings\LocalService.NT AUTHORITY\Application Data\twain_32\user.ds
c:\recycler\RB4.tmp
c:\windows\system32\drivers\gaopdxfvdpqjwsrpiewiomycpkbgrwrpdivqxm.sys
c:\windows\system32\drivers\gaopdxucbfoofjxvitlexukltkbphxnsvxfmqi.sys
c:\windows\system32\drivers\gaopdxyksrqxehrkmoiyndpqjxuboioyxknbga.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxngxwhgvtrjcnublmmspmpoieutysivdn.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-23 14:19 . 2009-03-25 10:05 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-23 14:03 . 2009-03-23 14:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-23 14:03 . 2009-03-23 14:03 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\AVGTOOLBAR
2009-03-23 14:03 . 2009-03-23 14:03 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-23 14:03 . 2009-03-23 14:03 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-23 14:03 . 2009-03-23 14:03 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-23 14:02 . 2009-03-23 14:02 <DIR> d-------- c:\program files\AVG
2009-03-23 14:02 . 2009-03-23 14:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-03-21 21:08 . 2009-03-21 21:08 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 21:18 . 2009-03-18 21:18 38,400 --a------ c:\windows\system32\drivers\quadraserv.sys
2009-03-15 07:47 . 2009-03-15 07:47 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\NCH Software
2009-03-15 04:54 . 2009-03-15 05:04 <DIR> d-------- c:\program files\NCH Software
2009-03-14 23:03 . 2009-01-16 18:34 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-03-14 23:03 . 2009-01-16 18:34 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-03-14 23:02 . 2009-03-14 23:03 <DIR> d-------- c:\windows\system32\Adobe
2009-03-14 20:43 . 2009-03-14 20:43 <DIR> d-------- c:\program files\Skype
2009-03-14 20:43 . 2009-03-14 20:43 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-14 20:43 . 2009-03-23 01:54 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\Skype
2009-03-13 05:38 . 2009-03-13 05:38 <DIR> d-------- c:\program files\IrfanView
2009-03-12 17:16 . 2009-03-12 17:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Motive
2009-03-12 17:15 . 2009-03-12 17:16 <DIR> d-------- c:\program files\Common Files\Motive
2009-03-12 17:15 . 2009-03-12 17:16 <DIR> d-------- c:\program files\ATT
2009-03-12 17:15 . 2005-07-12 02:28 69,632 --a------ c:\windows\system32\MCCDevice.dll
2009-03-12 17:15 . 2005-07-12 02:28 6,048 --a------ c:\windows\system32\MCC16.dll
2009-03-12 04:43 . 2009-03-12 04:43 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-11 04:43 . 2009-03-11 04:43 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\Forte
2009-03-10 18:28 . 2009-03-14 16:09 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\skypePM
2009-03-10 18:28 . 2009-03-10 18:28 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-10 18:21 . 2009-03-14 20:43 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2009-03-10 14:32 . 2009-03-10 14:32 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\GRETECH
2009-03-10 13:05 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-10 13:05 . 2001-08-17 13:56 7,552 --a------ c:\windows\system32\drivers\SONYPVU1.SYS
2009-03-10 13:05 . 2001-08-17 13:56 7,552 --a--c--- c:\windows\system32\dllcache\sonypvu1.sys
2009-03-10 11:47 . 2001-08-17 12:19 40,704 --a------ c:\windows\system32\drivers\es1371mp.sys
2009-03-10 11:47 . 2001-08-17 12:19 40,704 --a--c--- c:\windows\system32\dllcache\es1371mp.sys
2009-03-09 21:05 . 2009-03-09 21:05 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-09 20:53 . 2009-03-09 21:00 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-09 20:39 . 2009-03-09 20:39 <DIR> d-------- c:\program files\NOS
2009-03-09 20:39 . 2009-03-09 20:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-03-09 20:10 . 2009-03-09 20:10 34 --a------ c:\windows\hpfsched.ini
2009-03-09 20:06 . 2009-03-09 20:06 <DIR> d-------- c:\program files\hp photosmart
2009-03-09 20:05 . 2006-01-13 01:46 311,296 --a------ c:\windows\system32\hphmon03.exe
2009-03-09 20:05 . 2006-01-13 01:46 249,856 --a------ c:\windows\system32\hph_asui.exe
2009-03-09 20:05 . 2006-01-13 01:46 50,800 --a------ c:\windows\system32\drivers\hphid409.sys
2009-03-09 20:05 . 2006-01-13 01:46 50,211 --a------ c:\windows\system32\drivers\hphs2k09.sys
2009-03-09 20:05 . 2006-01-13 01:46 40,525 --a------ c:\windows\system32\inc.hpi
2009-03-09 20:05 . 2006-01-13 01:46 40,448 --a------ c:\windows\system32\hpfinsta.exe
2009-03-09 20:05 . 2006-01-13 01:46 36,864 --a------ c:\windows\hpfsched.exe
2009-03-09 20:05 . 2006-01-13 01:46 28,773 --a------ c:\windows\system32\master.hpi
2009-03-09 20:05 . 2006-01-13 01:46 18,864 --a------ c:\windows\system32\drivers\hphius09.sys
2009-03-09 20:05 . 2006-01-13 01:46 16,112 --a------ c:\windows\system32\drivers\hphipr09.sys
2009-03-09 20:04 . 2009-03-09 20:05 <DIR> d-------- c:\temp\photosmart
2009-03-09 20:04 . 2006-01-13 01:46 335,872 --a------ c:\windows\system32\Hphc3203.dll
2009-03-09 20:04 . 2006-01-13 01:46 262,144 --a------ c:\windows\system32\hpzcon04.dll
2009-03-09 20:04 . 2006-01-13 01:46 200,704 --a------ c:\windows\system32\hpzcoi04.dll
2009-03-09 20:04 . 2006-01-13 01:46 184,832 --a------ c:\windows\system32\hpfinst.dll
2009-03-09 20:04 . 2006-01-13 01:46 98,304 --------- c:\windows\system32\hphidr09.dll
2009-03-09 20:04 . 2006-01-13 01:46 81,920 --------- c:\windows\system32\hphipr09.dll
2009-03-09 20:04 . 2006-01-13 01:46 77,824 --------- c:\windows\system32\hphipm09.exe
2009-03-09 20:04 . 2006-01-13 01:46 3,691 --------- c:\windows\hphinfs.dat
2009-03-09 19:45 . 2004-08-03 22:58 207,360 --a------ c:\windows\system32\drivers\Dot4.sys
2009-03-09 19:45 . 2004-08-03 22:58 207,360 --a--c--- c:\windows\system32\dllcache\dot4.sys
2009-03-09 19:45 . 2001-08-17 13:47 23,808 --a------ c:\windows\system32\drivers\Dot4usb.sys
2009-03-09 19:45 . 2001-08-17 13:47 23,808 --a--c--- c:\windows\system32\dllcache\dot4usb.sys
2009-03-09 19:45 . 2001-08-17 13:47 12,928 --a------ c:\windows\system32\drivers\Dot4Prt.sys
2009-03-09 19:45 . 2001-08-17 13:47 12,928 --a--c--- c:\windows\system32\dllcache\dot4prt.sys
2009-03-09 15:59 . 2009-03-09 16:00 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\vlc
2009-03-09 11:27 . 2009-03-09 11:27 <DIR> d-------- c:\program files\VideoLAN
2009-03-09 11:25 . 2009-03-09 11:25 <DIR> d-------- c:\program files\GRETECH
2009-03-09 11:24 . 2009-03-25 17:36 701 --a------ c:\windows\NewsRover.INI
2009-03-09 10:38 . 2009-03-09 10:38 108,974 --a------ c:\windows\News Rover Uninstaller.exe
2009-03-09 10:37 . 2009-03-25 07:21 <DIR> d-------- c:\program files\NewsRover
2009-03-09 10:28 . 2009-03-09 10:28 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-03-09 10:28 . 2009-03-09 10:28 9,062 --a------ c:\windows\system32\small1.ico
2009-03-09 10:28 . 2009-03-09 10:28 9,062 --a------ c:\windows\system32\small.ico
2009-03-09 10:27 . 2009-03-09 20:04 <DIR> d-------- C:\temp
2009-03-09 10:27 . 2009-03-09 10:29 <DIR> d-------- c:\program files\ATT Internet Tools
2009-03-09 10:18 . 2009-03-09 10:18 <DIR> d--h----- c:\windows\PIF
2009-03-09 10:11 . 2009-03-23 13:15 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\AT&T
2009-03-09 10:11 . 2009-03-23 13:15 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\AT&T
2009-03-09 10:08 . 2009-03-09 10:08 <DIR> d-------- c:\documents and settings\JOHN~1\LOCALS~1
2009-03-09 10:08 . 2009-03-09 10:08 <DIR> d-------- c:\documents and settings\JOHN~1
2009-03-09 01:09 . 2009-03-09 01:09 <DIR> d---s---- c:\windows\system32\Microsoft
2009-03-09 01:03 . 2009-03-09 01:10 316,640 --a------ c:\windows\WMSysPr9.prx
2009-03-09 01:02 . 2004-08-04 00:56 239,616 --------- c:\windows\system32\wstrenderer.ax
2009-03-09 01:02 . 2004-08-04 00:56 164,352 --------- c:\windows\system32\wstpager.ax
2009-03-09 01:02 . 2004-08-04 00:56 96,768 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-03-09 01:02 . 2004-08-04 00:56 53,248 --------- c:\windows\system32\vbicodec.ax
2009-03-09 01:02 . 2004-08-03 23:08 40,832 --------- c:\windows\system32\drivers\irbus.sys
2009-03-09 01:02 . 2004-08-04 00:56 32,768 --------- c:\windows\system32\asr_pfu.exe
2009-03-09 01:02 . 2004-08-03 22:59 12,800 --------- c:\windows\system32\spiisupd.exe
2009-03-09 01:02 . 2004-08-03 22:59 9,728 --------- c:\windows\system32\comsdupd.exe
2009-03-09 00:59 . 2009-03-09 00:59 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-09 00:56 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-03-09 00:55 . 2004-07-17 11:40 19,528 --a------ c:\windows\002364_.tmp
2009-03-09 00:55 . 2004-08-03 22:42 15,872 --a------ c:\windows\system32\spupdsvc.exe
2009-03-09 00:52 . 2009-03-09 00:52 <DIR> d-------- c:\windows\EHome
2009-03-09 00:23 . 2009-03-09 00:23 <DIR> d-------- c:\program files\SiS7018
2009-03-09 00:16 . 2002-08-30 09:50 381,696 --a------ c:\windows\system32\drivers\sis7018.sys
2009-03-09 00:10 . 2009-03-09 00:10 <DIR> d-------- c:\documents and settings\john.JOHN-N4EBF8PJUN\WINDOWS
2009-03-09 00:10 . 1998-01-23 12:22 304,128 --a------ c:\windows\IsUninst.exe
2009-03-08 22:58 . 2009-03-08 22:58 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink
2009-03-08 22:38 . 2009-03-08 22:38 <DIR> d---s---- c:\documents and settings\john.JOHN-N4EBF8PJUN\UserData
2009-03-08 14:02 . 2009-03-08 14:02 <DIR> d---s---- c:\documents and settings\john\UserData
2009-03-08 13:39 . 2009-03-08 13:40 <DIR> d--hs---- c:\documents and settings\All Users\DRM
2009-03-08 08:30 . 2009-03-08 13:37 <DIR> dr------- c:\documents and settings\All Users\Documents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 15:11 --------- d-----w c:\program files\InstallShield Installation Information
2009-03-09 04:06 --------- d-----w c:\program files\LView Pro 20
2009-03-09 04:01 --------- d-----w c:\program files\Common Files\Ahead
2009-03-09 04:01 --------- d-----w c:\program files\Ahead
2009-03-09 03:58 --------- d-----w c:\program files\CyberLink
2009-03-09 03:57 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-08 18:41 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-05-10 23395880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-07-07 1232946]
"blspcloader"="c:\program files\ATT Internet Tools\blsloader.exe" [2009-03-09 103776]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-23 1932568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-23 14:03 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-23 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-23 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-23 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-23 298264]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2009-03-09 18864]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-09 33752]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
FF - ProfilePath - c:\documents and settings\john.JOHN-N4EBF8PJUN\Application Data\Mozilla\Firefox\Profiles\ifx5z1f3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 17:57:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-25 17:58:34
ComboFix-quarantined-files.txt 2009-03-25 22:58:28

Pre-Run: 69,953,994,752 bytes free
Post-Run: 70,071,574,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:20 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 4589 bytes
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt part 2

Unread postby jcecil » March 25th, 2009, 8:40 pm

I seem to have run out of room. Here is the other requested file.

Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player 11
AT&T Pop-Up Catcher
ATT-RemoteControl
AVG 8.5
getPlus(R) for Adobe
GOM Player
HijackThis 2.0.2
hp photosmart printer series (Remove only)
InCD
IrfanView (remove only)
LView Pro Full Version
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
News Rover -- Usenet newsreader
PowerDVD
Prism Video Converter
SiS Audio Driver
Skype™ 3.2
VLC media player 0.9.8a
Windows XP Service Pack 2
WinRAR archiver
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt

Unread postby Dakeyras » March 26th, 2009, 8:56 am

Hi :)

Computer appears to work fine, now. I did a couple of searches, clicked on links and went directly to them, no doubleclick stuff. I went to AT&T and changed my phone service bundle to stop long-distance service. When I did, the security suite was disabled, so I uninstalled it and got AVG.

OK, that is fine, but we do still have some malware-related issues to address; that is secondary for the moment, as we need to rectify something else.

Your AVG Anti-Virus application is reporting it is out of date, please check for any updates and apply them. Though if you installed this with the default settings it should automatically check itself and download/install also when an internet connection is active.

Also, when I tried to download security updates for windows, the hijacker wouldn't let me. It would start, then would say "connection to server unexpectedly terminated". It seems to work now, however this is an unregistered version of XP and they won't give me any updates unless I register. I don't know what to do.

Not a problem and we will address this shortly :thumbup:

I seem to have run out of room. Here is the other requested file

That is fine, I do have a suggestion if I may, regardless of the actual size of any log I request in the future. Just post them all individually as this should then make it that much easier for your good self.

Next:

Let's activate your copy of Windows XP shall we: Activate and register Windows XP <-- This Microsoft website page explains exactly what you need to do and provides a pictorial guide also.

Now if you have any problems activating windows online there is another method that can be used as follows:

How to activate Windows XP by phone:

  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Activate Windows.
  • Or, click the Windows Activation icon in the notification area.
  • Click Yes, I want to telephone a customer service representative to activate Windows now.
  • Click Read the Windows Product Activation Privacy Statement, click Back, and then click Next.
  • Follow the steps in the Activate Windows by phone dialog box, and then click Next.
    Note: The number appears now and differs based on the location that you select.
  • When activation is completed and you receive the following message, click OK.
    You have successfully activated your copy of Windows.

This Microsoft website page explains the aforementioned also.

Next:

  • Please download this application from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.

Next:

When you have completed the above, DO NOT download/install any Microsoft Windows Security Updates, OK, as this will actually hinder the malware removal process. You may do so when I give the all clear.

Next:

Now please post back the following in the order asked for:

  • How is your computer performing now?
  • Any problems encountered and/or further symptoms?
  • MGADiag Log.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: posting logfile second attempt

Unread postby jcecil » March 26th, 2009, 2:48 pm

Seems to be working OK, no new symptoms or problems. AVG updated itself. Here is a logfile.

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-P6YMB-G2T6Y-D27X8
Windows Product Key Hash: 73bE7lOhwYB7A7yJ3REk5uog5W4=
Windows Product ID: 55274-645-5919031-23998
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {49BD26D4-7953-4A40-B0C1-9A132BFF3C9D}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{49BD26D4-7953-4A40-B0C1-9A132BFF3C9D}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-D27X8</PKey><PID>55274-645-5919031-23998</PID><PIDType>1</PIDType><SID>S-1-5-21-2052111302-1177238915-1417001333</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20020425000000.000000+000</Date></BIOS><HWID>659437070184A05F</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1D510:Micro Electronics Inc|1D510:Micro Electronics Incorporated
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt

Unread postby jcecil » March 26th, 2009, 2:51 pm

Here is the other logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:11 PM, on 3/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8026927953
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 3975 bytes
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt

Unread postby Dakeyras » March 26th, 2009, 5:17 pm

Hi :)

It appears the Product Key for your Operating System is suspect. Let's see if we can address this issue before proceeding with any further Anti-Malware procedures, as this is of paramount importance.

Could you tell me please where did you purchase the computer and did it come preinstalled with Windows XP? Or do you have a Genuine Installation XP CD-ROM at all?

Also could you check physically on your computer for a Certificate of Authenticity and in any other locations described on the Microsoft COA page please.

Inform me of the answers to all of the above in your next reply please, thank you.

Windows Product Key Update Tool:

Please go here and download the aforementioned to your desktop.

Follow the pictorial instructions on the page to run the tool.

Note: You may be required to activate windows again.

Validate Windows:

Navigate to this page and on the left hand side within the Validate Now box click on the Validate Windows tab. This process should not take long.

Next:

  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.

Next:

Please download Rooter.exe to your desktop.

  • Then double-click it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt.
  • Post the contents of Rooter.txt in your next reply.

Next:

When you have completed the above, DO NOT download/install any Microsoft Windows Security Updates, OK, as this will actually hinder the malware removal process. You may do so when I give the all clear.

Now please post back the following in the order asked for:

  • Answers to my various questions.
  • Any problems encountered and/or further symptoms?
  • Rooter Log.
  • A new MGADiag Log.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: posting logfile second attempt

Unread postby jcecil » March 26th, 2009, 9:30 pm

requested log 1

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:76308 Mo/Free:369 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [Removable] (Total:0 Mo/Free:0 Mo)

Thu 03/26/2009|20:05

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\Program Files\Ahead\InCD\InCDsrv.exe
---------- C:\PROGRA~1\AVG\AVG8\avgemc.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\Program Files\AVG\AVG8\avgcsrvx.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\explorer.exe
---------- C:\Program Files\Messenger\msmsgs.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.121,85.255.112.123
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{288A443B-C939-44B1-B502-CE87B81E9228}]
NameServer REG_SZ 85.255.112.121,85.255.112.123
==> WAREOUT <==

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Thu 03/26/2009|20:05

----------------------\\ Scan completed at 20:05
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm
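
The O17 entries in the HijackThis logs above and the NameServer keys that Rooter marks WAREOUT are the same finding seen by two tools: several ControlSet copies of the Tcpip parameters point the resolver at addresses the machine's owner never configured, so every lookup the box makes can be answered by whoever controls those servers. The Python script below is an added example, not part of this thread or of either tool. It parses both log formats, normalises the NameServer values, and reports any resolver that is neither a private/local address nor on a caller-supplied trusted list. The sample input is constructed to mirror the lines posted above (the all-zero GUID is a placeholder), and the trusted-resolver set is an assumption that a user would fill with their ISP's published DNS addresses.

```python
import ipaddress
import re
from typing import Collection, Dict, List, NamedTuple, Tuple

# Constructed sample input, modelled on the O17 lines from the HijackThis logs
# and the "Search" block of the Rooter log in this thread. It is not a capture
# from any live machine; the all-zero GUID in the fourth O17 line is a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
O17 - HKLM\System\CCS\Services\Tcpip\..\{288A443B-C939-44B1-B502-CE87B81E9228}: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.121,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.lan
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.121,85.255.112.123
"""

# HijackThis "O17" line: registry key, then the NameServer value.
HJT_O17 = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# Rooter prints the key on one line and the REG_SZ value on the next.
ROOTER_KEY = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\[^\]]+)\]$")
ROOTER_NS = re.compile(r"^NameServer\s+REG_SZ\s+(?P<servers>.+)$")


class NameServerEntry(NamedTuple):
    registry_key: str
    servers: Tuple[str, ...]


def _split_servers(raw: str) -> Tuple[str, ...]:
    """NameServer is a comma- or space-separated list; normalise it to a tuple."""
    return tuple(s for s in re.split(r"[,\s]+", raw.strip()) if s)


def parse_nameserver_entries(text: str) -> List[NameServerEntry]:
    """Pull every Tcpip NameServer setting out of HijackThis or Rooter output."""
    entries: List[NameServerEntry] = []
    pending_key = None  # Rooter key waiting for its value line
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HJT_O17.match(line)
        if m:
            entries.append(NameServerEntry(m["key"], _split_servers(m["servers"])))
            continue
        m = ROOTER_KEY.match(line)
        if m:
            pending_key = m["key"]
            continue
        m = ROOTER_NS.match(line)
        if m and pending_key:
            entries.append(NameServerEntry(pending_key, _split_servers(m["servers"])))
            pending_key = None
    return entries


def suspicious_servers(entry: NameServerEntry, trusted: Collection[str]) -> List[str]:
    """Return the resolvers in this entry that are neither local nor allow-listed.

    Private, loopback and link-local addresses are normally the home router or
    ISP gateway; any other address must be in the caller's trusted set.
    """
    flagged: List[str] = []
    for server in entry.servers:
        if server in trusted:
            continue
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # not an IP literal at all: worth a look
            continue
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        flagged.append(server)
    return flagged


def audit(text: str, trusted: Collection[str] = ()) -> Dict[str, List[str]]:
    """Map each registry key that holds an unexpected resolver to the flagged IPs.

    Every ControlSet copy (CCS, CS1, ControlSet003, ...) is reported on its own,
    because a cleanup that only fixes CurrentControlSet leaves stale copies in
    the other control sets.
    """
    report: Dict[str, List[str]] = {}
    for entry in parse_nameserver_entries(text):
        bad = suspicious_servers(entry, trusted)
        if bad:
            report[entry.registry_key] = bad
    return report


if __name__ == "__main__":
    for key, servers in audit(SAMPLE_LOG).items():
        print(f"{key}: unexpected NameServer {', '.join(servers)}")
```

Run against the constructed sample, `audit()` reports three keys (the CCS interface GUID, the CS1 Parameters key and the ControlSet003 Parameters key from the Rooter block), each with the same pair of public resolvers, while the interface pointing at 192.168.1.1 is left alone. Passing the pair in `trusted` silences the report, which is the knob to turn once the ISP's real resolver addresses are known.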

Re: posting logfile second attempt

Unread postby jcecil » March 26th, 2009, 9:33 pm

requested log 2

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-P6YMB-G2T6Y-D27X8
Windows Product Key Hash: 73bE7lOhwYB7A7yJ3REk5uog5W4=
Windows Product ID: 55274-645-5919031-23998
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {49BD26D4-7953-4A40-B0C1-9A132BFF3C9D}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{49BD26D4-7953-4A40-B0C1-9A132BFF3C9D}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-D27X8</PKey><PID>55274-645-5919031-23998</PID><PIDType>1</PIDType><SID>S-1-5-21-2052111302-1177238915-1417001333</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20020425000000.000000+000</Date></BIOS><HWID>659437070184A05F</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1D510:Micro Electronics Inc|1D510:Micro Electronics Incorporated
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt

Unread postby jcecil » March 26th, 2009, 9:36 pm

requested log 3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:27 PM, on 3/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8026927953
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 3975 bytes
jcecil
Banned Member
 
Posts: 15
Joined: March 21st, 2009, 10:39 pm

Re: posting logfile second attempt

Unread postby Dakeyras » March 27th, 2009, 4:49 am

Hi :)

Did you attempt to run the Windows Product Key Update Tool/Validate Windows or not? As it stands from my point of view the Operating System on your computer is deemed illegal.

If I may bring your attention to the below from: Malware Removal Forum Guidelines and Rules:
Any time the helper detects that you may have illegal software on your machine, that helper may stop assisting you immediately until you can demonstrate that you have rectified the situation. We will not support fixing machines with pirated or otherwise illegal software.

Did you check physically on your computer for a Certificate of Authenticity and in any other locations described on the Microsoft COA page?

I suggest you answer these questions and my others in a prior post concerning your computer, because otherwise I will be withdrawing my assistance on the grounds that an illegal Operating System is in use.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: posting logfile second attempt

Unread postby Dakeyras » March 28th, 2009, 8:12 am

Hi :)

Just some further information for your good self concerning the validity of your Operating System. You may or may not have been actually aware that the Volume License Key has been cancelled by Microsoft and I have no way of telling myself how this situation arose. The best advice I can give you is to purchase a new License Key from either the computer manufacturer and/or Microsoft themselves.

Another alternative is to take your computer to a reputable IT Repair Centre and explain the situation. As it stands your computer is still infected with malware and because of the suspect validity of the Operating System no critical updates can ever be installed. In effect the system will always be prone to reinfection because of this situation and considered an extreme liability security-wise when used on-line.

So unfortunately I will have to withdraw my assistance in adherence to this forum's guidelines as mentioned in a prior post.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra