DNS redirects: jjh.exe suspected

Post by phbrown » June 2nd, 2010, 10:03 pm

Thanks in advance.

I have an HP desktop, running XP Pro (32 bit) operating system.

Searching for help on some topic, I clicked on what claimed to be a video to explain a fix. No video played, but I noticed that Jjh.exe and jcepia.exe files were running. I deleted Jjh.exe, but jcepia.exe couldn't be deleted; I renamed it jcepia.ex2. A Google search found a little info on jjh.exe, but nothing re jcepia.exe.

Many web site requests are redirected - seemingly randomly (the same site doesn't appear each time). Other sites just fail to load (using Firefox and IE browsers).

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:21:19 PM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS.1\system32\E_S00RP2.EXE
C:\Norman\Bin\Zanda.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS.1\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS.1\system32\SearchIndexer.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\Norman\Bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.1\system32\RUNDLL32.EXE
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\drwtsn32.exe
C:\WINDOWS.1\system32\drwtsn32.exe
C:\WINDOWS.1\explorer.exe
C:\WINDOWS.1\system32\SearchProtocolHost.exe
C:\Documents and Settings\Paul.FAMILYROOM\My Documents\Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\crashreporter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ldsblogs.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.1\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS.1\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS.1\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS.1\system32\GPhotos.scr/200
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3216818375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2590144765
O17 - HKLM\System\CCS\Services\Tcpip\..\{6493629D-5BFB-4982-9C46-66EDC935EBEA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD6F876C-9282-4D78-80C8-BAAA22823A07}: NameServer = 93.188.163.6,93.188.166.241
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS.1\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS.1\System32\browseui.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS.1\system32\E_S00RP2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Bin\Zanda.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6721 bytes


Here is the Uninstall_list.log:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Advanced SystemCare 3
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Duplicate File Finder
BotHunter
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon ScanGear Toolbox CS 2.2
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon ZoomBrowser EX Memory Card Utility
CCleaner
ConvertHelper 2.2
Coupon Printer for Windows
Data Fax SoftModem with SmartCP
Defraggler
Disk Space Fan 1.4.2.796
Driver Detective
DriverAgent by eSupport.com
EPSON Printer Software
FamilyInsight
Fast Video Converter 1.0
FotoSketcher - Version 1.9
Free Audio Editor
Freecorder 4.0 Application
Freecorder Toolbar
GenSmarts
Glary Registry Repair 3.2.0.828
Glary Utilities 2.17.0.776
Google Earth
GospeLink 2001
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
InfraRecorder
ISO Recorder
iTunes
Java(TM) 6 Update 14
Malwarebytes' Anti-Malware
MapSource
MapSource - MetroGuide USA v5
MapSource - US Topo v3.02
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Small Business
Microsoft Office PowerPoint Viewer 2003
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
MozBackup 1.4.9
Mozilla Firefox (3.6.3)
Mozilla Thunderbird (3.0.4)
Musicnotes Player V1.23.1 and Viewer
Norman Virus Control plus
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
OGA Notifier 2.0.0048.0
OverDrive Media Console
OverDrive Media Console
Personal Ancestral File 5
Picasa 3
PictureMover
Quicken 2008
QuickTime
Realtek High Definition Audio Driver
Sansa Media Converter
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Smart Defrag
SpeedFan (remove only)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SSC Service Utility v4.30
SyncBack
System Explorer 1.5
System Requirements Lab
Ubuntu
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
VC 9.0 Runtime
VC 9.0 Runtime
ViewSonic Windows XP Signed Files
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.2
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
XP Codec Pack
Yadis! Backup 1.9.3.30
ZoneAlarm
ZoneAlarm Spy Blocker

I'm at the limit of my knowledge. Help!
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 5th, 2010, 4:24 am

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or for you to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


========================================================
Please PRINT the instructions below:


Fix HijackThis entries
  • Run HijackThis
  • Click on the do a system scan only button
  • Put a check beside all of the items listed below (if present):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD6F876C-9282-4D78-80C8-BAAA22823A07}: NameServer = 93.188.163.6,93.188.166.241
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
    O24 - Desktop Component 0: (no name) - (no file)

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

REBOOT

If you have problems with your internet connection after running the fix:

  • Please go to Start -> Control Panel, and choose Network Connections.
  • Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
  • Under the Networking tab double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
  • Click OK twice, and restart your computer.


============================================


TFC

  • Please download TFC by Old Timer to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several posts to get the logs posted.)



WVCheck

Please download WVCheck by Artellos from Here and save it to your desktop.

  • Double click WVCheck.exe to run it.
  • As prompted, press enter on your keyboard to continue. The program can take a while depending on your hard drive space.
  • When the program is finished, Notepad will open; copy the contents of the Notepad file into a reply.
  • The log can be found on your desktop named WVCheck_Time_DD-MM-Year.txt




In your next reply:
  1. RSIT log.txt
  2. RSIT info.txt
  3. WVCheck log
  4. MBAM log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
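One way to check a HijackThis log for the O17 problem melboy's fix targets, as an added example that is not part of the thread and not a MalwareRemoval.com tool: it parses the O17 NameServer lines, flags resolvers outside an assumed allowlist (here the OpenDNS pair that the log shows on one interface) and lists which control sets carry them, so the CS1/CS2 copies are not overlooked.

```python
"""Audit HijackThis O17 (NameServer) lines for resolvers outside an allowlist.

Added example for this thread; it is not a MalwareRemoval.com tool and not
code posted by either participant. TRUSTED_RESOLVERS is an assumption.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the O17 lines as they appear in the thread's HijackThis
# log, plus one unrelated O23 line to show that other sections are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{6493629D-5BFB-4982-9C46-66EDC935EBEA}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD6F876C-9282-4D78-80C8-BAAA22823A07}: NameServer = 93.188.163.6,93.188.166.241
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.6,93.188.166.241
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Bin\Zanda.exe
"""

# Assumed allowlist: the resolvers the owner actually chose. Here the OpenDNS
# pair that the thread's log shows on one interface; substitute your own.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# HijackThis emits two O17 shapes, each under a control set (CCS, CS1, CS2, ...):
#   per-interface:  ...\Services\Tcpip\..\{GUID}: NameServer = a,b
#   global:         ...\Services\Tcpip\Parameters: NameServer = a,b
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters)"
    r": NameServer = (?P<servers>\S.*?)\s*$"
)

Record = Dict[str, object]


def parse_o17(log_text: str) -> List[Record]:
    """One record per O17 line: control set, scope, interface GUID, resolver list."""
    records: List[Record] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers: List[str] = []
        for raw in re.split(r"[,\s]+", m.group("servers")):
            if not raw:
                continue
            try:
                servers.append(str(ipaddress.ip_address(raw)))
            except ValueError:
                servers.append(raw)  # keep malformed values so they get flagged
        records.append({
            "control_set": m.group("cs"),
            "scope": "interface" if m.group("iface") else "global",
            "interface": m.group("iface"),
            "servers": servers,
        })
    return records


def audit(records: List[Record], trusted=TRUSTED_RESOLVERS) -> List[Record]:
    """Records whose NameServer list contains any address outside the allowlist,
    annotated with the offending addresses under "rogue"."""
    findings: List[Record] = []
    for rec in records:
        rogue = [s for s in rec["servers"] if s not in trusted]
        if rogue:
            findings.append({**rec, "rogue": rogue})
    return findings


def affected_control_sets(findings: List[Record]) -> List[str]:
    """Control sets carrying a rogue resolver. Cleaning only CCS leaves the
    CS1/CS2 copies behind; the thread's fix lists those keys as well."""
    return sorted({str(f["control_set"]) for f in findings})


def report(log_text: str, trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Human-readable findings, one line per offending O17 entry."""
    lines = []
    for f in audit(parse_o17(log_text), trusted):
        where = f["interface"] or "Tcpip\\Parameters (global)"
        lines.append(f"{f['control_set']} {where}: rogue resolver(s) "
                     + ", ".join(f["rogue"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("control sets to fix:", affected_control_sets(audit(parse_o17(SAMPLE_LOG))))
```

Run against the thread's log it reports the four entries melboy asked to fix and leaves the OpenDNS interface alone; on a live machine the same registry keys can be read with HijackThis or reg.exe and fed in as text.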

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 5th, 2010, 11:38 am

Good to meet you. Thanks for your interest in helping poor souls like me. These are a lot of log lines!

I noted that my computer wouldn't let me reply to your message. I get a "the connection to the server was reset while the page was loading" message. Multiple times. Annoying, or a "feature" of the virus? I'm posting this from another computer.

On a related note, my operating system doesn't have System Restore. I think it is supposed to. Is there a way to fix this lack?



Logfile of random's system information tool 1.07 (written by random/random)
Run by Paul at 2010-06-05 09:24:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (15%) free of 76 GB
Total RAM: 1918 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:24:42 AM, on 6/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS.1\system32\E_S00RP2.EXE
C:\Norman\Bin\Zanda.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS.1\system32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\WINDOWS.1\system32\SearchIndexer.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Norman\Bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.1\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Paul.FAMILYROOM\Desktop\Computer Management\RSIT.exe
C:\Program Files\trend micro\Paul.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ldsblogs.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.1\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS.1\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS.1\system32\GPhotos.scr/200
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3216818375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2590144765
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS.1\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS.1\System32\browseui.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS.1\system32\E_S00RP2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Bin\Zanda.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6354 bytes

======Scheduled tasks folder======

C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 1).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 2).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 3).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 4).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS.1\tasks\AppleSoftwareUpdate.job
C:\WINDOWS.1\tasks\Defraggler Volume C Task.job
C:\WINDOWS.1\tasks\Driver Robot.job
C:\WINDOWS.1\tasks\DriverCure.job
C:\WINDOWS.1\tasks\GlaryInitialize.job
C:\WINDOWS.1\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1450960922-839522115-1003Core.job
C:\WINDOWS.1\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1450960922-839522115-1003UA.job
C:\WINDOWS.1\tasks\MSWD-c215ac63.job
C:\WINDOWS.1\tasks\MyDefrag v4.3.1 Daily.job
C:\WINDOWS.1\tasks\MyDefrag v4.3.1 Monthly.job
C:\WINDOWS.1\tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1450960922-839522115-1003.job
C:\WINDOWS.1\tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1450960922-839522115-1003.job
C:\WINDOWS.1\tasks\SmartDefrag.job
C:\WINDOWS.1\tasks\User_Feed_Synchronization-{42012659-AE36-42B0-BCCB-54C85675C520}.job
C:\WINDOWS.1\tasks\User_Feed_Synchronization-{634DB107-BEDF-4474-A814-4E082A23D8EE}.job
C:\WINDOWS.1\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
Freecorder Toolbar - C:\Program Files\Freecorder\tbFre1.dll [2010-05-24 2515552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1392b8d2-5c05-419f-a8f6-b9f15a596612} - Freecorder Toolbar - C:\Program Files\Freecorder\tbFre1.dll [2010-05-24 2515552]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Norman ZANDA"=C:\Norman\Bin\ZLH.EXE [2007-08-09 183352]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"NvCplDaemon"=C:\WINDOWS.1\system32\NvCpl.dll [2008-09-17 13574144]
"NvMediaCenter"=C:\WINDOWS.1\system32\NvMcTray.dll [2008-09-17 86016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2010-05-31 323976]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2010-05-26 2346192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
C:\Program Files\Freecorder\FLVSrvc.exe [2009-11-15 158752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]
C:\DOCUME~1\PAUL~1.FAM\LOCALS~1\Temp\Jjh.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS.1\System32\NvCpl.dll [2008-09-17 13574144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS.1\System32\NvMcTray.dll [2008-09-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-21 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yadis]
C:\Program Files\Codessentials\Yadis\Yadis.exe [2008-06-13 1687552]

C:\Documents and Settings\All Users.WINDOWS.1\Start Menu\Programs\Startup
AutorunsDisabled
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS.1\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.1\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS.1\system32\spoolsv.exe"="C:\WINDOWS.1\system32\spoolsv.exe:*:Enabled:spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-06-05 09:24:26 ----D---- C:\Program Files\trend micro
2010-06-05 09:24:25 ----D---- C:\rsit
2010-06-04 13:06:34 ----D---- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Hitman Pro
2010-06-04 13:06:33 ----D---- C:\Program Files\Hitman Pro 3.5
2010-06-04 07:42:43 ----A---- C:\WINDOWS.1\SchedLgU.Txt
2010-06-03 15:23:32 ----D---- C:\Program Files\MyDefrag v4.3.1
2010-06-03 15:23:32 ----A---- C:\WINDOWS.1\system32\MyDefragScreenSaver_v4.3.1.exe
2010-06-02 22:26:51 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\WinPatrol
2010-06-02 22:26:41 ----D---- C:\Program Files\BillP Studios
2010-06-02 11:14:33 ----D---- C:\!KillBox
2010-06-01 18:52:33 ----D---- C:\WINDOWS.1\Cache
2010-06-01 18:52:32 ----D---- C:\Program Files\Coupons
2010-05-13 13:15:52 ----D---- C:\Program Files\SSC Service Utility
2010-05-13 12:51:59 ----A---- C:\WINDOWS.1\system32\E_S00RP2.EXE

======List of files/folders modified in the last 1 months======

2010-06-05 09:24:42 ----D---- C:\WINDOWS.1\Prefetch
2010-06-05 09:24:26 ----RD---- C:\Program Files
2010-06-05 09:19:34 ----D---- C:\WINDOWS.1\Internet Logs
2010-06-05 09:17:12 ----D---- C:\Norman
2010-06-05 09:16:57 ----D---- C:\WINDOWS.1\Temp
2010-06-05 09:14:55 ----D---- C:\WINDOWS.1
2010-06-05 08:46:25 ----D---- C:\Program Files\Mozilla Thunderbird
2010-06-04 13:11:45 ----D---- C:\WINDOWS.1\system32\drivers
2010-06-04 12:57:04 ----D---- C:\WINDOWS.1\Registration
2010-06-04 10:28:48 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\vlc
2010-06-04 09:31:25 ----D---- C:\WINDOWS.1\system32
2010-06-04 09:31:25 ----D---- C:\WINDOWS.1\$regcmp$
2010-06-04 09:29:01 ----SD---- C:\WINDOWS.1\Tasks
2010-06-04 09:08:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-04 08:54:25 ----D---- C:\WINDOWS.1\system32\CatRoot2
2010-06-04 07:57:44 ----SHD---- C:\WINDOWS.1\Installer
2010-06-04 07:57:44 ----SHD---- C:\Config.Msi
2010-06-02 21:14:58 ----ASH---- C:\boot.ini
2010-06-02 21:14:58 ----A---- C:\WINDOWS.1\win.ini
2010-06-02 21:14:58 ----A---- C:\WINDOWS.1\system.ini
2010-06-02 21:14:57 ----D---- C:\WINDOWS.1\pss
2010-06-02 09:25:58 ----D---- C:\Program Files\Mozilla Firefox
2010-06-01 19:44:00 ----D---- C:\WINDOWS.1\Debug
2010-06-01 19:21:39 ----D---- C:\Program Files\CCleaner
2010-06-01 19:00:41 ----D---- C:\Documents and Settings
2010-06-01 07:33:45 ----D---- C:\Program Files\Microsoft Works
2010-06-01 07:33:33 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\GoodSync
2010-06-01 07:33:32 ----D---- C:\WINDOWS.1\system32\config
2010-06-01 07:33:28 ----D---- C:\WINDOWS.1\repair
2010-06-01 07:33:26 ----SD---- C:\WINDOWS.1\Downloaded Program Files
2010-06-01 07:33:26 ----D---- C:\Program Files\Quicken
2010-06-01 07:33:26 ----D---- C:\Program Files\HijackThis
2010-06-01 07:33:26 ----D---- C:\Program Files\Free Audio Editor
2010-06-01 07:33:26 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2010-06-01 07:33:26 ----D---- C:\Program Files\Creative Element Power Tools
2010-06-01 07:33:25 ----RD---- C:\LDSCL
2010-06-01 07:33:25 ----D---- C:\Temp
2010-06-01 07:33:25 ----D---- C:\QUICKENW
2010-06-01 07:32:45 ----D---- C:\Program Files\GenSmarts
2010-06-01 07:32:45 ----D---- C:\Program Files\GARtrip
2010-06-01 07:32:45 ----D---- C:\piano_files
2010-05-31 15:47:23 ----D---- C:\Program Files\Karen's Power Tools
2010-05-28 07:38:03 ----D---- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\IObit
2010-05-26 03:00:36 ----HD---- C:\WINDOWS.1\inf
2010-05-25 17:44:32 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\CameraWindowDC
2010-05-24 21:38:28 ----D---- C:\CanoScan_N650U_N656U_CSUv571a
2010-05-17 20:44:01 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\dvdcss
2010-05-13 03:00:57 ----RSHDC---- C:\WINDOWS.1\system32\dllcache
2010-05-13 03:00:57 ----D---- C:\Program Files\Outlook Express
2010-05-12 04:57:28 ----HD---- C:\WINDOWS.1\$hf_mig$
2010-05-08 21:55:29 ----D---- C:\Program Files\Defraggler

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS.1\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 vsdatant;vsdatant; C:\WINDOWS.1\System32\vsdatant.sys [2009-02-16 353672]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS.1\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 Ndiskio;Ndiskio; \??\C:\Norman\Nse\bin\NDISKIO.SYS []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS.1\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS.1\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS.1\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DP;HSF_DP; C:\WINDOWS.1\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS.1\system32\DRIVERS\HSFHWBS2.sys [2004-12-15 220928]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS.1\system32\drivers\RtkHDAud.sys [2009-02-11 5028352]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS.1\system32\drivers\mbamswissarmy.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS.1\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS.1\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 NVENETFD;NVIDIA nForce 10/100 Mbps Ethernet ; C:\WINDOWS.1\System32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS.1\System32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS.1\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS.1\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS.1\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS.1\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS.1\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS.1\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver; \??\C:\WINDOWS.1\system32\drivers\hitmanpro35.sys []
S3 nm;Network Monitor Driver; C:\WINDOWS.1\System32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 NvcMFlt;NvcMFlt; C:\WINDOWS.1\system32\DRIVERS\nvcw32mf.sys [2008-02-11 19512]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS.1\system32\DRIVERS\TVICHW32.SYS []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS.1\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS.1\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS.1\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS.1\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS.1\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 ASPI32;ASPI32; C:\WINDOWS.1\system32\drivers\ASPI32.sys [2004-07-20 16512]
S4 CH341SER;CH341SER; C:\WINDOWS.1\System32\Drivers\CH341SER.SYS [2006-10-25 36080]
S4 giveio;giveio; C:\WINDOWS.1\system32\giveio.sys [1996-04-03 5248]
S4 IntelIde;IntelIde; C:\WINDOWS.1\system32\drivers\IntelIde.sys []
S4 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S4 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 EPSON_PM_RPCV2_02;EPSON V3 Service2(02); C:\WINDOWS.1\system32\E_S00RP2.EXE [2000-05-16 60416]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2001-08-09 90112]
R2 Norman ZANDA;Norman ZANDA; C:\Norman\Bin\Zanda.exe [2007-08-09 322616]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-07-13 131131]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2006-07-13 65599]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS.1\system32\nvsvc32.exe [2008-09-17 163908]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R2 WSearch;Windows Search; C:\WINDOWS.1\system32\SearchIndexer.exe [2008-05-26 439808]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS.1\system32\svchost.exe [2008-04-13 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.1\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.1\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS.1\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-22 136120]
S3 idsvc;Windows CardSpace; C:\WINDOWS.1\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 nvcoas;Norman Virus Control on-access component; C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 179256]
S3 NVCScheduler;Norman Virus Control Scheduler; C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 146488]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2006-04-03 20543]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-05 163840]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-21 152984]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS.1\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-06-05 09:24:45

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS.1\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS.1\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS.1\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.3.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
AnswerWorks 5.0 English Runtime-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\setup.exe" -l0x9 -uninst -removeonly
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Auslogics Duplicate File Finder-->"C:\Program Files\Auslogics\Auslogics Duplicate File Finder\unins000.exe"
BotHunter-->MsiExec.exe /X{4CB2511D-A074-40E0-A5ED-A875EBBDDF49}
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MOV Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\Canon MOV Decoder132\CanonMOVDecoderUnInstall.ini"
Canon MOV Encoder-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\Canon MOV Encoder\CanonMOVEncoderUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon ScanGear Toolbox CS 2.2-->C:\WINDOWS.1\IsUninst.exe -f"C:\Program Files\Canon\ScanGear Toolbox CS\Uninst.isu" -c"C:\Program Files\Canon\ScanGear Toolbox CS\uninst.dll"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities CameraWindow DC-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDC\Uninst.ini"
Canon Utilities CameraWindow-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility-->"C:\Program Files\Common Files\Canon\UIW\1.5.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
ConvertHelper 2.2-->"C:\Program Files\ConvertHelper\unins000.exe"
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -IAsu200Ck.inf
Defraggler-->"C:\Program Files\Defraggler\uninst.exe"
Disk Space Fan 1.4.2.796-->"C:\Program Files\DiskSpaceFan\Disk Space Fan\unins000.exe"
Driver Detective-->C:\Program Files\InstallShield Installation Information\{621C02EA-AAFF-4026-A903-165D59529A16}\setup.exe -runfromtemp -l0x0409
DriverAgent by eSupport.com-->"C:\Documents and Settings\Paul.FAMILYROOM\Local Settings\Application Data\eSupport.com\unins000.exe"
EPSON Printer Software-->C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
FamilyInsight-->C:\Program Files\Ohana Software\FamilyInsight\uninstall.exe
Fast Video Converter 1.0-->"C:\Program Files\DVDFAST\Fast_Video_Converter\unins000.exe"
FotoSketcher - Version 1.9-->"C:\Program Files\FotoSketcher\unins000.exe"
Free Audio Editor-->C:\PROGRA~1\FREEAU~1\UNWISE.EXE C:\PROGRA~1\FREEAU~1\INSTALL.LOG
Freecorder 4.0 Application-->"C:\WINDOWS.1\Freecorder\uninstall.exe" "/U:C:\Program Files\Freecorder\Uninstall\uninstall.xml"
Freecorder Toolbar-->C:\PROGRA~1\Freecorder\UNWISE.EXE /U C:\PROGRA~1\Freecorder\INSTALL.LOG
GenSmarts-->"C:\Program Files\GenSmarts\unins000.exe"
Glary Registry Repair 3.2.0.828-->"C:\Program Files\Glary Registry Repair\unins000.exe"
Glary Utilities 2.17.0.776-->"C:\Program Files\Glary Utilities\unins000.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
GospeLink 2001-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01D01D87-9272-47F0-A8A0-E8F1D682AE30}\SETUP.EXE"
Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS.1\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS.1\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"
InfraRecorder-->C:\Program Files\InfraRecorder\uninstall.exe
ISO Recorder-->MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSource - MetroGuide USA v5-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{123E3792-565C-4DC8-A68A-BBB12C41B390} /l1033
MapSource - US Topo v3.02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD4203ED-7683-435E-B436-C299773A9936}\setup.exe" -l0x9 AddRemove
MapSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}\Setup.exe" -l0x9 AddRemove
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS.1\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2000 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS.1\INF\DECCHECK.inf,Uninstall
MozBackup 1.4.9-->C:\Program Files\MozBackup\Uninstall.exe
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (3.0.4)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Musicnotes Player V1.23.1 and Viewer-->"C:\Program Files\Musicnotes\Player\unins000.exe"
MyDefrag v4.3.1-->"C:\Program Files\MyDefrag v4.3.1\unins000.exe"
Norman Virus Control plus-->C:\Norman\NVC\BIN\DelNVC5.exe
NVIDIA Drivers-->C:\WINDOWS.1\system32\nvuninst.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OverDrive Media Console-->MsiExec.exe /I{34D6EED8-7650-4E1C-BC26-F5B2DDE185C6}
OverDrive Media Console-->MsiExec.exe /I{59FD743D-A699-449E-8197-BD2899DAD69A}
Personal Ancestral File 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D94A8E22-DF2B-4107-9E51-608A60A7671D}\Setup.exe"
Picasa 3-->"C:\Program Files\Picasa2\Uninstall.exe"
PictureMover-->MsiExec.exe /X{98BAC573-DBE2-49de-9A23-597CFD95E474}
Quicken 2008-->MsiExec.exe /X{3B0F52AC-EF5C-4831-B221-06C782E41280}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
Sansa Media Converter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2A0F8F4-CE50-4857-A21C-3061682B2E87}\Setup.exe" -l0x9
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS.1\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS.1\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS.1\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS.1\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS.1\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS.1\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS.1\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS.1\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS.1\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS.1\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS.1\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS.1\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS.1\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Smart Defrag-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SSC Service Utility v4.30-->"C:\Program Files\SSC Service Utility\unins000.exe"
SyncBack-->"C:\Program Files\2BrightSparks\SyncBack\unins000.exe"
System Explorer 1.5-->"C:\Program Files\System Explorer\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Ubuntu-->C:\ubuntu\uninstall-wubi.exe
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS.1\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS.1\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS.1\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS.1\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS.1\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS.1\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
ViewSonic Windows XP Signed Files-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC47C7A5-BE63-11D5-B7C9-005004566E4D}\Setup.exe" -l0x9
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS.1\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VLC media player 1.0.2-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Internet Explorer 8-->"C:\WINDOWS.1\ie8\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
WinPatrol-->C:\PROGRA~1\BillP Studios\WinPatrol\Setup.exe /remove /q0
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XP Codec Pack-->C:\Program Files\XP Codec Pack\Uninstall.exe
Yadis! Backup 1.9.3.30-->"C:\Program Files\Codessentials\Yadis\unins000.exe"
ZoneAlarm Spy Blocker-->rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Security center information======

FW: ZoneAlarm Firewall

======System event log======

Computer Name: FAMILYROOM
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC23663E. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 4455
Source Name: Dhcp
Time Written: 20100410214032.000000-240
Event Type: warning
User:

Computer Name: FAMILYROOM
Event Code: 8032
Message: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{DD6F876C-9282-4D78-80C8-BAAA22823A07}.
The backup browser is stopping.

Record Number: 4211
Source Name: BROWSER
Time Written: 20100410213024.000000-240
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\HOME-8D2257268B on the network \Device\NetBT_Tcpip_{DD6F876C-9282-4D78-80C8-BAAA22823A07}.
The data is the error code.

Record Number: 4174
Source Name: BROWSER
Time Written: 20100410212656.000000-240
Event Type: warning
User:

Computer Name: FAMILYROOM
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 4126
Source Name: Tcpip
Time Written: 20100410212412.000000-240
Event Type: warning
User:

Computer Name: FAMILYROOM
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC23663E. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 4102
Source Name: Dhcp
Time Written: 20100410211028.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: FAMILYROOM
Event Code: 1
Message:
Record Number: 53281
Source Name: nview_info
Time Written: 20100211154709.000000-300
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 1
Message:
Record Number: 53280
Source Name: nview_info
Time Written: 20100211154709.000000-300
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 1
Message:
Record Number: 53279
Source Name: nview_info
Time Written: 20100211154709.000000-300
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 1
Message:
Record Number: 53278
Source Name: nview_info
Time Written: 20100211154709.000000-300
Event Type: error
User:

Computer Name: FAMILYROOM
Event Code: 1
Message:
Record Number: 53277
Source Name: nview_info
Time Written: 20100211154709.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"JAVA_HOME"=C:\Program Files\Java\jre6
"NpmLib"=C:\Norman\Bin
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%NpmLib%;%JAVA_HOME%\bin;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=6b01
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4168

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/5/2010 9:36:24 AM
mbam-log-2010-06-05 (09-36-24).txt

Scan type: Quick scan
Objects scanned: 241516
Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Windows Validation Check
Log Created On: 0927_05-06-2010
------------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 3
Windows Mode: Normal


WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
------------------------------
Last Success Time for Update Detection: 2010-05-31 18:51:39
Last Success Time for Update Download: 2010-05-25 17:45:15
Last Success Time for Update Installation: 2010-05-26 07:00:38


WVCheck's File Dump
-------------------
WVCheck found no known bad files.


WVCheck's Missing File Check
-------------------
WVCheck found no missing Windows files.


WVCheck's MBAM Quarantine Check
-------------------
There were no bad files quarantined by MBAM.


WVCheck's HOSTS File Check
-------------------
WVCheck found no bad lines in the hosts file.


-------- End of File, program close at 0936_05-06-2010 --------
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 5th, 2010, 2:49 pm

Another couple of data points for you. When I do a Google search, if I click on the hyperlink result, then I'll be redirected. If, instead, I cut the result url at the bottom of each result, and paste into my address - whatever it is called at the top of my page - space, then I get to the proper web site.

Plus, I'm getting random additional tabs coming up, advertising stuff.
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 6th, 2010, 12:16 pm

TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop.
  • Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop. (Zip/UnZip Tutorial)
  • Next, double-click the tdsskiller folder on your desktop.
  • Double-click tdsskiller.exe to run the tool.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • A log will be created on your root (usually C:) drive. The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.3.0.0_20.04.2010_15.31.43_log.txt.
  • Please post the contents in your next reply.
melboy
MRU Expert

Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
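
The two formats melboy's post refers to, the UtilityName.Version_Date_Time_log.txt filename and the per-driver scan lines that appear in the log phbrown posts next, can be handled with a small helper like the one below. This is an added example, not TDSSKiller's own code and not something from this thread; it assumes only the filename pattern melboy gives and the "time pid name (md5) path" line layout visible in the posted log. The sample lines, the 2.3.2.0 filename, the examplefilter and nohashdrv drivers and their hashes are constructed for the demonstration. A driver loaded from outside the Windows directory is only marked for a closer look, since legitimate vendor and security drivers (Norman's NDISKIO.SYS in the RSIT driver list above, for instance) also load from there.

```python
"""Parse TDSSKiller-style log names and driver scan lines.

Added example for the thread above; not TDSSKiller's own code.
Assumptions: the filename pattern UtilityName.Version_DD.MM.YYYY_HH.MM.SS_log.txt
and scan lines of the form "HH:MM:SS:mmm PID Name (md5) Path".
"""
import re
from datetime import datetime

# Filename pattern as described in the post, e.g.
# TDSSKiller.2.3.0.0_20.04.2010_15.31.43_log.txt
LOG_NAME_RE = re.compile(
    r"^(?P<tool>[A-Za-z]+)\.(?P<version>\d+(?:\.\d+)*)_"
    r"(?P<day>\d{2})\.(?P<month>\d{2})\.(?P<year>\d{4})_"
    r"(?P<hh>\d{2})\.(?P<mm>\d{2})\.(?P<ss>\d{2})_log\.txt$"
)

# Scan-line layout as seen in the posted log, e.g.
# 14:05:56:468 2364 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS.1\system32\DRIVERS\ACPI.sys
SCAN_LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})?\)\s+(?P<path>\S.*?)\s*$"
)

# The SystemInfo block records the Windows directory the scanner saw.
WINDIR_RE = re.compile(r"Windows directory:\s+(?P<windir>\S.*?)\s*$")

# Constructed sample: two lines copied from the posted log plus two made-up
# drivers (examplefilter, nohashdrv) with made-up hashes.
SAMPLE_LOG = r"""
14:05:54:468 2364 Windows directory: C:\WINDOWS.1
14:05:55:328 2364 Scanning Drivers ...
14:05:56:468 2364 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS.1\system32\DRIVERS\ACPI.sys
14:05:57:015 2364 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS.1\System32\drivers\afd.sys
14:06:10:000 2364 examplefilter (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) C:\Program Files\ExampleVendor\examplefilter.sys
14:06:11:000 2364 nohashdrv () C:\WINDOWS.1\system32\drivers\nohashdrv.sys
"""


def parse_log_name(filename):
    """Return tool, version and timestamp from a TDSSKiller log name, or None."""
    m = LOG_NAME_RE.match(filename)
    if not m:
        return None
    ts = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]))
    return {"tool": m["tool"], "version": m["version"], "timestamp": ts}


def newest_log(filenames):
    """Pick the most recent log by the timestamp embedded in its name."""
    parsed = [(parse_log_name(f), f) for f in filenames]
    parsed = [(p, f) for p, f in parsed if p]
    if not parsed:
        return None
    return max(parsed, key=lambda pf: pf[0]["timestamp"])[1]


def _normalise(path):
    """Lower-case a path and drop the NT-style \\??\\ prefix some tools print."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def windows_directory(log_text):
    """Return the Windows directory recorded in the SystemInfo block, if any."""
    for line in log_text.splitlines():
        m = WINDIR_RE.search(line)
        if m:
            return m["windir"]
    return None


def parse_driver_entries(log_text):
    """Return one dict (name, md5, path) per driver scan line."""
    entries = []
    for line in log_text.splitlines():
        m = SCAN_LINE_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "md5": m["md5"], "path": m["path"]})
    return entries


def review_drivers(log_text):
    """Flag drivers with no hash or a path outside the Windows directory.

    A flag means "look closer", not "malicious": vendor and security
    drivers legitimately live outside the Windows directory too.
    """
    windir = windows_directory(log_text)
    prefix = _normalise(windir).rstrip("\\") + "\\" if windir else None
    flagged = []
    for e in parse_driver_entries(log_text):
        if e["md5"] is None:
            flagged.append((e["name"], "no hash recorded"))
        elif prefix and not _normalise(e["path"]).startswith(prefix):
            flagged.append((e["name"], "loaded from outside the Windows directory"))
    return flagged


if __name__ == "__main__":
    for name, reason in review_drivers(SAMPLE_LOG):
        print(f"{name}: {reason}")
```

Point `newest_log` at a directory listing of the root drive to find the file to post, then run `review_drivers` over its contents to see which entries deserve a second look before pasting the whole log into the thread.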

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 6th, 2010, 2:20 pm

14:05:54:468 2364 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
14:05:54:468 2364 ================================================================================
14:05:54:468 2364 SystemInfo:

14:05:54:468 2364 OS Version: 5.1.2600 ServicePack: 3.0
14:05:54:468 2364 Product type: Workstation
14:05:54:468 2364 ComputerName: FAMILYROOM
14:05:54:468 2364 UserName: Paul
14:05:54:468 2364 Windows directory: C:\WINDOWS.1
14:05:54:468 2364 Processor architecture: Intel x86
14:05:54:468 2364 Number of processors: 2
14:05:54:468 2364 Page size: 0x1000
14:05:54:468 2364 Boot type: Normal boot
14:05:54:468 2364 ================================================================================
14:05:54:750 2364 Initialize success
14:05:54:750 2364
14:05:54:750 2364 Scanning Services ...
14:05:55:312 2364 Raw services enum returned 336 services
14:05:55:328 2364
14:05:55:328 2364 Scanning Drivers ...
14:05:56:468 2364 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS.1\system32\DRIVERS\ACPI.sys
14:05:56:656 2364 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS.1\system32\drivers\ACPIEC.sys
14:05:56:843 2364 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS.1\system32\drivers\aec.sys
14:05:57:015 2364 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS.1\System32\drivers\afd.sys
14:05:57:328 2364 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS.1\system32\DRIVERS\AmdPPM.sys
14:05:57:531 2364 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS.1\system32\DRIVERS\arp1394.sys
14:05:57:921 2364 ASPI32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS.1\system32\drivers\ASPI32.sys
14:05:58:062 2364 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS.1\system32\DRIVERS\asyncmac.sys
14:05:58:250 2364 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS.1\system32\DRIVERS\atapi.sys
14:05:58:437 2364 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS.1\system32\DRIVERS\atmarpc.sys
14:05:58:890 2364 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS.1\system32\DRIVERS\audstub.sys
14:05:59:421 2364 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS.1\system32\drivers\cbidf2k.sys
14:06:00:671 2364 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS.1\system32\drivers\Cdaudio.sys
14:06:01:468 2364 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS.1\system32\drivers\Cdfs.sys
14:06:02:156 2364 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS.1\system32\DRIVERS\cdrom.sys
14:06:02:765 2364 CH341SER (0d5c83f8dac15cbe0765d1247d2c8f17) C:\WINDOWS.1\system32\Drivers\CH341SER.SYS
14:06:03:281 2364 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS.1\system32\DRIVERS\disk.sys
14:06:03:484 2364 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS.1\system32\drivers\dmboot.sys
14:06:03:718 2364 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS.1\system32\drivers\dmio.sys
14:06:03:875 2364 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS.1\system32\drivers\dmload.sys
14:06:04:062 2364 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS.1\system32\drivers\DMusic.sys
14:06:04:250 2364 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS.1\system32\drivers\drmkaud.sys
14:06:04:421 2364 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS.1\system32\drivers\Fastfat.sys
14:06:04:593 2364 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS.1\system32\drivers\Fdc.sys
14:06:04:937 2364 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS.1\system32\drivers\Fips.sys
14:06:05:109 2364 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS.1\system32\drivers\Flpydisk.sys
14:06:05:281 2364 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS.1\system32\drivers\fltmgr.sys
14:06:05:437 2364 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS.1\system32\drivers\Fs_Rec.sys
14:06:05:609 2364 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS.1\system32\DRIVERS\ftdisk.sys
14:06:05:796 2364 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS.1\system32\DRIVERS\GEARAspiWDM.sys
14:06:05:953 2364 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS.1\system32\giveio.sys
14:06:06:156 2364 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS.1\system32\DRIVERS\msgpc.sys
14:06:06:328 2364 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS.1\system32\DRIVERS\HDAudBus.sys
14:06:06:484 2364 hitmanpro35 (d7e05e0173719b66bb108f3d97e49a6a) C:\WINDOWS.1\system32\drivers\hitmanpro35.sys
14:06:06:890 2364 HSFHWBS2 (5df616addb75c1ad36c1f9e4de0f7654) C:\WINDOWS.1\system32\DRIVERS\HSFHWBS2.sys
14:06:07:125 2364 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS.1\system32\DRIVERS\HSF_DP.sys
14:06:07:359 2364 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS.1\system32\Drivers\HTTP.sys
14:06:07:609 2364 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS.1\system32\DRIVERS\i8042prt.sys
14:06:07:781 2364 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS.1\system32\DRIVERS\imapi.sys
14:06:08:265 2364 IntcAzAudAddService (14b48553be78472d2bd3a518658a1710) C:\WINDOWS.1\system32\drivers\RtkHDAud.sys
14:06:08:484 2364 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS.1\system32\drivers\ip6fw.sys
14:06:08:671 2364 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS.1\system32\DRIVERS\ipfltdrv.sys
14:06:08:843 2364 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS.1\system32\DRIVERS\ipinip.sys
14:06:09:015 2364 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS.1\system32\DRIVERS\ipnat.sys
14:06:09:203 2364 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS.1\system32\DRIVERS\ipsec.sys
14:06:09:359 2364 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS.1\system32\DRIVERS\irenum.sys
14:06:09:531 2364 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS.1\system32\DRIVERS\isapnp.sys
14:06:09:703 2364 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS.1\system32\DRIVERS\kbdclass.sys
14:06:09:875 2364 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS.1\system32\drivers\klmd.sys
14:06:10:031 2364 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS.1\system32\drivers\kmixer.sys
14:06:10:234 2364 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS.1\system32\drivers\KSecDD.sys
14:06:10:484 2364 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS.1\system32\DRIVERS\mdmxsdk.sys
14:06:10:750 2364 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS.1\system32\drivers\mnmdd.sys
14:06:11:015 2364 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS.1\system32\drivers\Modem.sys
14:06:11:203 2364 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS.1\system32\DRIVERS\mouclass.sys
14:06:11:375 2364 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS.1\system32\drivers\MountMgr.sys
14:06:11:718 2364 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
14:06:11:828 2364 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
14:06:12:093 2364 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS.1\system32\DRIVERS\mrxdav.sys
14:06:12:296 2364 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS.1\system32\DRIVERS\mrxsmb.sys
14:06:12:484 2364 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS.1\system32\drivers\Msfs.sys
14:06:12:671 2364 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS.1\system32\drivers\MSKSSRV.sys
14:06:12:828 2364 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS.1\system32\drivers\MSPCLOCK.sys
14:06:13:125 2364 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS.1\system32\drivers\MSPQM.sys
14:06:13:312 2364 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS.1\system32\DRIVERS\mssmbios.sys
14:06:13:468 2364 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS.1\system32\drivers\Mup.sys
14:06:13:640 2364 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS.1\system32\drivers\NDIS.sys
14:06:13:781 2364 Ndiskio (ed5a8017bd77020c536173c981b147ed) C:\Norman\Nse\bin\NDISKIO.SYS
14:06:13:906 2364 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS.1\system32\DRIVERS\ndistapi.sys
14:06:14:218 2364 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS.1\system32\DRIVERS\ndisuio.sys
14:06:14:390 2364 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS.1\system32\DRIVERS\ndiswan.sys
14:06:14:656 2364 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS.1\system32\drivers\NDProxy.sys
14:06:14:828 2364 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS.1\system32\DRIVERS\netbios.sys
14:06:15:015 2364 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS.1\system32\DRIVERS\netbt.sys
14:06:15:187 2364 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS.1\system32\DRIVERS\nic1394.sys
14:06:15:359 2364 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS.1\system32\DRIVERS\NMnt.sys
14:06:15:687 2364 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS.1\system32\drivers\Npfs.sys
14:06:15:875 2364 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS.1\system32\drivers\Ntfs.sys
14:06:16:078 2364 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS.1\system32\drivers\Null.sys
14:06:16:593 2364 nv (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS.1\system32\DRIVERS\nv4_mini.sys
14:06:17:437 2364 nvata (947c4a0e7b25bcecc3b40f0f1070378b) C:\WINDOWS.1\system32\DRIVERS\nvata.sys
14:06:17:609 2364 NvcMFlt (4afb59742cff2886dafc2445ce65e8a3) C:\WINDOWS.1\system32\DRIVERS\nvcw32mf.sys
14:06:17:843 2364 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS.1\system32\DRIVERS\NVENETFD.sys
14:06:18:015 2364 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS.1\system32\DRIVERS\nvnetbus.sys
14:06:18:640 2364 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS.1\system32\DRIVERS\nwlnkflt.sys
14:06:18:937 2364 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS.1\system32\DRIVERS\nwlnkfwd.sys
14:06:19:156 2364 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS.1\system32\DRIVERS\ohci1394.sys
14:06:19:328 2364 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS.1\system32\drivers\Parport.sys
14:06:19:515 2364 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS.1\system32\drivers\PartMgr.sys
14:06:19:687 2364 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS.1\system32\drivers\ParVdm.sys
14:06:19:843 2364 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS.1\system32\DRIVERS\pci.sys
14:06:20:031 2364 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS.1\system32\DRIVERS\pciide.sys
14:06:20:203 2364 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS.1\system32\drivers\Pcmcia.sys
14:06:20:562 2364 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS.1\system32\DRIVERS\raspptp.sys
14:06:21:000 2364 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS.1\system32\DRIVERS\processr.sys
14:06:21:187 2364 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS.1\system32\DRIVERS\psched.sys
14:06:21:343 2364 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS.1\system32\DRIVERS\ptilink.sys
14:06:21:687 2364 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS.1\system32\DRIVERS\rasacd.sys
14:06:21:859 2364 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS.1\system32\DRIVERS\rasl2tp.sys
14:06:22:046 2364 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS.1\system32\DRIVERS\raspppoe.sys
14:06:22:218 2364 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS.1\system32\DRIVERS\raspti.sys
14:06:22:390 2364 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS.1\system32\DRIVERS\rdbss.sys
14:06:22:546 2364 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS.1\system32\DRIVERS\RDPCDD.sys
14:06:22:843 2364 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS.1\system32\DRIVERS\rdpdr.sys
14:06:23:015 2364 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS.1\system32\drivers\RDPWD.sys
14:06:23:187 2364 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS.1\system32\DRIVERS\redbook.sys
14:06:23:343 2364 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS.1\system32\DRIVERS\secdrv.sys
14:06:23:500 2364 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS.1\system32\drivers\Serial.sys
14:06:23:671 2364 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS.1\system32\drivers\Sfloppy.sys
14:06:23:906 2364 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS.1\system32\speedfan.sys
14:06:24:140 2364 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS.1\system32\drivers\splitter.sys
14:06:24:343 2364 srescan (bb1cc49b817d2551eb321f4a9afb7d8c) C:\WINDOWS.1\system32\ZoneLabs\srescan.sys
14:06:24:515 2364 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS.1\system32\DRIVERS\srv.sys
14:06:24:921 2364 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS.1\system32\DRIVERS\swenum.sys
14:06:25:093 2364 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS.1\system32\drivers\swmidi.sys
14:06:25:390 2364 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS.1\system32\drivers\sysaudio.sys
14:06:25:578 2364 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS.1\system32\DRIVERS\tcpip.sys
14:06:25:781 2364 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS.1\system32\drivers\TDPIPE.sys
14:06:25:953 2364 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS.1\system32\drivers\TDTCP.sys
14:06:26:140 2364 TermDD (88155247177638048422893737429d9e) C:\WINDOWS.1\system32\DRIVERS\termdd.sys
14:06:26:312 2364 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS.1\system32\DRIVERS\TVICHW32.SYS
14:06:26:468 2364 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS.1\system32\drivers\Udfs.sys
14:06:26:859 2364 UnlockerDriver5 (4847639d852763ee39415c929470f672) C:\Program Files\Unlocker\UnlockerDriver5.sys
14:06:27:046 2364 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS.1\system32\DRIVERS\update.sys
14:06:27:250 2364 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS.1\system32\drivers\usbaudio.sys
14:06:27:406 2364 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS.1\system32\DRIVERS\usbccgp.sys
14:06:27:562 2364 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS.1\system32\DRIVERS\usbehci.sys
14:06:27:734 2364 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS.1\system32\DRIVERS\usbhub.sys
14:06:27:906 2364 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS.1\system32\DRIVERS\usbohci.sys
14:06:28:093 2364 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS.1\system32\DRIVERS\usbprint.sys
14:06:28:250 2364 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS.1\system32\DRIVERS\usbscan.sys
14:06:28:406 2364 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS.1\system32\DRIVERS\USBSTOR.SYS
14:06:28:578 2364 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS.1\System32\drivers\vga.sys
14:06:28:890 2364 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS.1\system32\drivers\VolSnap.sys
14:06:29:062 2364 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS.1\system32\vsdatant.sys
14:06:29:250 2364 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS.1\system32\DRIVERS\wanarp.sys
14:06:29:468 2364 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS.1\system32\drivers\wdmaud.sys
14:06:29:765 2364 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS.1\system32\DRIVERS\HSF_CNXT.sys
14:06:29:968 2364 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS.1\system32\DRIVERS\wpdusb.sys
14:06:30:125 2364 WudfPf (b4c4e1ebcb605562d6b918f4aa046835) C:\WINDOWS.1\system32\DRIVERS\WudfPf.sys
14:06:30:125 2364 Suspicious file (Forged): C:\WINDOWS.1\system32\DRIVERS\WudfPf.sys. Real md5: b4c4e1ebcb605562d6b918f4aa046835, Fake md5: f15feafffbb3644ccc80c5da584e6311
14:06:30:125 2364 File "C:\WINDOWS.1\system32\DRIVERS\WudfPf.sys" infected by TDSS rootkit ... 14:06:31:250 2364 Backup copy found, using it..
14:06:31:265 2364 will be cured on next reboot
14:06:31:421 2364 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS.1\system32\DRIVERS\wudfrd.sys
14:06:31:437 2364 Reboot required for cure complete..
14:06:32:171 2364 Cure on reboot scheduled successfully
14:06:32:171 2364
14:06:32:171 2364 Completed
14:06:32:171 2364
14:06:32:171 2364 Results:
14:06:32:171 2364 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:06:32:171 2364 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:06:32:171 2364
14:06:32:171 2364 KLMD(ARK) unloaded successfully
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia
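The TDSSKiller log above records, for each driver, the service name, an MD5 and the image path, and flags the forged WudfPf.sys with a Real/Fake hash pair and an infection verdict. As an added example (not code from the thread, from TDSSKiller or from Kaspersky), this Python parser pulls those records out of a constructed excerpt of the posted log and cross-checks the verdicts against the driver entries and the Results counts; the record layout is inferred from the posted log, and third_party_drivers is a triage heuristic of my own, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Record layout seen in the posted log: "HH:MM:SS:mmm <pid> <message>" (assumed general).
_PREFIX = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(.*)$")
_WINDIR = re.compile(r"^Windows directory: (.+)$")
# Driver-scan entry: "<ServiceName> (<md5>) <image path>"
_DRIVER = re.compile(r"^(\S+)\s+\(([0-9a-fA-F]{32})\)\s+(.+)$")
_FORGED = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-fA-F]{32}), "
    r"Fake md5: ([0-9a-fA-F]{32})$"
)
# In the posted log the next record is glued onto this one after " ...", so stop there.
_INFECTED = re.compile(r'^File "(.+?)" infected by (.+?)(?:\s+\.\.\.|$)')
_FILE_RESULTS = re.compile(
    r"^File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$"
)


@dataclass
class TdssReport:
    windows_dir: Optional[str] = None
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # path -> (real, fake)
    infected: Dict[str, str] = field(default_factory=dict)             # path -> verdict text
    file_results: Optional[Tuple[int, int, int]] = None                # infected/cured/on reboot
    reboot_required: bool = False


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Walk the log once and collect driver entries, verdicts and the summary counts."""
    report = TdssReport()
    for raw in text.splitlines():
        m = _PREFIX.match(raw.strip())
        if not m:
            continue  # separators and blank lines carry no record prefix
        msg = m.group(3).strip()
        if (w := _WINDIR.match(msg)):
            report.windows_dir = w.group(1)
        elif (d := _DRIVER.match(msg)):
            report.drivers[d.group(1)] = (d.group(2).lower(), d.group(3))
        elif (f := _FORGED.match(msg)):
            report.forged[f.group(1)] = (f.group(2).lower(), f.group(3).lower())
        elif (i := _INFECTED.match(msg)):
            report.infected[i.group(1)] = i.group(2)
        elif (r := _FILE_RESULTS.match(msg)):
            report.file_results = tuple(int(x) for x in r.groups())
        elif msg.startswith("Reboot required"):
            report.reboot_required = True
    return report


def third_party_drivers(report: TdssReport) -> List[str]:
    """Service names whose image lives outside the Windows directory: a triage list
    for the analyst (vendor drivers are normal there), not a verdict."""
    if not report.windows_dir:
        return []
    prefix = report.windows_dir.lower().rstrip("\\") + "\\"
    return sorted(name for name, (_, path) in report.drivers.items()
                  if not path.lower().startswith(prefix))


def consistency_issues(report: TdssReport) -> List[str]:
    """Cross-check verdict lines against the driver entries and the summary counts."""
    issues: List[str] = []
    by_path = {path.lower(): (name, md5) for name, (md5, path) in report.drivers.items()}
    for path, (real_md5, _fake_md5) in report.forged.items():
        entry = by_path.get(path.lower())
        if entry is None:
            issues.append(f"forged file without a driver entry: {path}")
        elif entry[1] != real_md5:
            issues.append(f"driver entry hash differs from 'Real md5' for {path}")
        if path not in report.infected:
            issues.append(f"forged file without an infection verdict: {path}")
    if report.file_results is not None:
        infected_count, _cured, on_reboot = report.file_results
        if infected_count != len(report.infected):
            issues.append(f"summary reports {infected_count} infected file(s), "
                          f"log has {len(report.infected)} verdict(s)")
        if on_reboot > 0 and not report.reboot_required:
            issues.append("cure scheduled for reboot but no 'Reboot required' record")
    return issues


# Constructed excerpt of the log posted above (driver list trimmed to three entries).
SAMPLE_LOG = r"""
14:05:54:468 2364 Windows directory: C:\WINDOWS.1
14:05:55:328 2364 Scanning Drivers ...
14:05:56:468 2364 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS.1\system32\DRIVERS\ACPI.sys
14:06:26:859 2364 UnlockerDriver5 (4847639d852763ee39415c929470f672) C:\Program Files\Unlocker\UnlockerDriver5.sys
14:06:30:125 2364 WudfPf (b4c4e1ebcb605562d6b918f4aa046835) C:\WINDOWS.1\system32\DRIVERS\WudfPf.sys
14:06:30:125 2364 Suspicious file (Forged): C:\WINDOWS.1\system32\DRIVERS\WudfPf.sys. Real md5: b4c4e1ebcb605562d6b918f4aa046835, Fake md5: f15feafffbb3644ccc80c5da584e6311
14:06:30:125 2364 File "C:\WINDOWS.1\system32\DRIVERS\WudfPf.sys" infected by TDSS rootkit ... 14:06:31:250 2364 Backup copy found, using it..
14:06:31:437 2364 Reboot required for cure complete..
14:06:32:171 2364 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(third_party_drivers(rep), consistency_issues(rep) or "no inconsistencies")
```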

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 6th, 2010, 2:38 pm

Hi


MBR Rootkit Detector

Please download MBR.exe by GMER
Be sure to download it to the root of your drive, e.g. C:\MBR.exe


Once the download has finished, click Start > Run. Copy and paste the contents of the codebox below into the run box (Do Not include Code:), then click OK :
Code:
CMD /C \mbr -t >Log.txt&Log.txt&del Log.txt

A log will be generated, Post the contents in your next reply.



TFC

    You should still have this on your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 6th, 2010, 7:57 pm

MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

ESET log:

C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe a variant of Win32/Adware.ADON application
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application
J:\C\Documents and Settings\Paul.FAMILYROOM\My Documents\Downloads\DriverRobot_Setup.exe Win32/Adware.DriverRobot application
J:\Genealogy\C\Documents and Settings\Paul.FAMILYROOM\Desktop\UBCD4WinV320.exe multiple threats
Operating memory a variant of Win32/Toolbar.MyWebSearch application
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 7th, 2010, 2:51 pm

Good - the redirects should have stopped. I'd like you to update MBAM and run it again - make sure you do update it first.


TFC

    This should still be on your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



Re-run - RSIT (Random's System Information Tool)
You should still have this program on your desktop.

  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
    RSIT will start running. When done, ONLY the "C:\RSIT\log.txt" file will be reproduced (it will be maximized).
  • Please post ONLY the "log.txt" file contents in your next reply.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 7th, 2010, 4:08 pm

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4176

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/7/2010 3:58:05 PM
mbam-log-2010-05-07 (15-58-05).txt

Scan type: Quick scan
Objects scanned: 241535
Time elapsed: 11 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.1\Tasks\MSWD-c215ac63.job (Trojan.DNSChanger) -> Quarantined and deleted successfully.


RSIT log:

Logfile of random's system information tool 1.07 (written by random/random)
Run by Paul at 2010-05-07 16:02:33
Microsoft Windows XP Professional Service Pack 3
System drive C: has 14 GB (18%) free of 76 GB
Total RAM: 1918 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:02:58 PM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS.1\system32\E_S00RP2.EXE
C:\Norman\Bin\Zanda.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS.1\system32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\SearchIndexer.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\Norman\Bin\ZLH.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.1\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Documents and Settings\Paul.FAMILYROOM\Desktop\Computer Management\RSIT.exe
C:\Program Files\trend micro\Paul.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ldsblogs.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.1\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS.1\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS.1\system32\GPhotos.scr/200
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3216818375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2590144765
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS.1\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS.1\System32\browseui.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS.1\system32\E_S00RP2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Bin\Zanda.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6539 bytes

======Scheduled tasks folder======

C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 1).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 2).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 3).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Daily 4).job
C:\WINDOWS.1\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS.1\tasks\AppleSoftwareUpdate.job
C:\WINDOWS.1\tasks\ConfigExec.job
C:\WINDOWS.1\tasks\DataUpload.job
C:\WINDOWS.1\tasks\Defraggler Volume C Task.job
C:\WINDOWS.1\tasks\Driver Robot.job
C:\WINDOWS.1\tasks\DriverCure.job
C:\WINDOWS.1\tasks\GlaryInitialize.job
C:\WINDOWS.1\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1450960922-839522115-1003Core.job
C:\WINDOWS.1\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1450960922-839522115-1003UA.job
C:\WINDOWS.1\tasks\MyDefrag v4.3.1 Daily.job
C:\WINDOWS.1\tasks\MyDefrag v4.3.1 Monthly.job
C:\WINDOWS.1\tasks\RealUpgradeLogonTaskS-1-5-21-1659004503-1450960922-839522115-1003.job
C:\WINDOWS.1\tasks\RealUpgradeScheduledTaskS-1-5-21-1659004503-1450960922-839522115-1003.job
C:\WINDOWS.1\tasks\SmartDefrag.job
C:\WINDOWS.1\tasks\User_Feed_Synchronization-{42012659-AE36-42B0-BCCB-54C85675C520}.job
C:\WINDOWS.1\tasks\User_Feed_Synchronization-{634DB107-BEDF-4474-A814-4E082A23D8EE}.job
C:\WINDOWS.1\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
Freecorder Toolbar - C:\Program Files\Freecorder\tbFre1.dll [2010-05-24 2515552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1392b8d2-5c05-419f-a8f6-b9f15a596612} - Freecorder Toolbar - C:\Program Files\Freecorder\tbFre1.dll [2010-05-24 2515552]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Norman ZANDA"=C:\Norman\Bin\ZLH.EXE [2007-08-09 183352]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-02-16 981384]
"NvCplDaemon"=C:\WINDOWS.1\system32\NvCpl.dll [2008-09-17 13574144]
"NvMediaCenter"=C:\WINDOWS.1\system32\NvMcTray.dll [2008-09-17 86016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2010-05-31 323976]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"=C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe [2010-05-26 2346192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
C:\Program Files\Freecorder\FLVSrvc.exe [2009-11-15 158752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]
C:\DOCUME~1\PAUL~1.FAM\LOCALS~1\Temp\Jjh.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS.1\System32\NvCpl.dll [2008-09-17 13574144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS.1\System32\NvMcTray.dll [2008-09-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-21 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yadis]
C:\Program Files\Codessentials\Yadis\Yadis.exe [2008-06-13 1687552]

C:\Documents and Settings\All Users.WINDOWS.1\Start Menu\Programs\Startup
AutorunsDisabled
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS.1\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS.1\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoResolveSearch"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS.1\system32\spoolsv.exe"="C:\WINDOWS.1\system32\spoolsv.exe:*:Enabled:spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-06-05 09:24:26 ----D---- C:\Program Files\trend micro
2010-06-05 09:24:25 ----D---- C:\rsit
2010-06-04 13:06:34 ----D---- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Hitman Pro
2010-06-04 13:06:33 ----D---- C:\Program Files\Hitman Pro 3.5
2010-06-04 07:42:43 ----A---- C:\WINDOWS.1\SchedLgU.Txt
2010-06-03 15:23:32 ----D---- C:\Program Files\MyDefrag v4.3.1
2010-06-03 15:23:32 ----A---- C:\WINDOWS.1\system32\MyDefragScreenSaver_v4.3.1.exe
2010-06-02 22:26:51 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\WinPatrol
2010-06-02 22:26:41 ----D---- C:\Program Files\BillP Studios
2010-06-02 11:14:33 ----D---- C:\!KillBox
2010-06-01 18:52:33 ----D---- C:\WINDOWS.1\Cache
2010-06-01 18:52:32 ----D---- C:\Program Files\Coupons
2010-05-13 13:15:52 ----D---- C:\Program Files\SSC Service Utility
2010-05-13 12:51:59 ----A---- C:\WINDOWS.1\system32\E_S00RP2.EXE
2010-05-06 15:48:41 ----D---- C:\Program Files\ESET
2010-05-06 14:50:37 ----A---- C:\mbr.exe
2010-05-06 14:05:54 ----A---- C:\TDSSKiller.2.3.2.0_06.05.2010_14.05.54_log.txt
2010-05-05 17:35:13 ----D---- C:\WINDOWS.1\ERDNT
2010-05-05 17:34:47 ----D---- C:\Program Files\ERUNT
2010-05-05 16:43:11 ----D---- C:\WINDOWS.1\MATS
2010-05-05 16:43:10 ----D---- C:\Program Files\Microsoft Fix it Center
2010-05-05 16:41:33 ----D---- C:\WINDOWS.1\system32\windowspowershell
2010-05-05 16:41:30 ----HDC---- C:\WINDOWS.1\$NtUninstallKB926139-v2$
2010-04-12 03:00:37 ----D---- C:\WINDOWS.1\system32\KB905474
2010-04-11 07:26:08 ----D---- C:\ubuntu

======List of files/folders modified in the last 1 months======

2010-06-04 12:57:04 ----D---- C:\WINDOWS.1\Registration
2010-06-04 10:28:48 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\vlc
2010-06-04 09:31:25 ----D---- C:\WINDOWS.1\$regcmp$
2010-06-04 09:08:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-02 21:14:58 ----ASH---- C:\boot.ini
2010-06-02 21:14:58 ----A---- C:\WINDOWS.1\win.ini
2010-06-02 21:14:58 ----A---- C:\WINDOWS.1\system.ini
2010-06-02 21:14:57 ----D---- C:\WINDOWS.1\pss
2010-06-01 19:44:00 ----D---- C:\WINDOWS.1\Debug
2010-06-01 19:21:39 ----D---- C:\Program Files\CCleaner
2010-06-01 19:00:41 ----D---- C:\Documents and Settings
2010-06-01 07:33:45 ----D---- C:\Program Files\Microsoft Works
2010-06-01 07:33:33 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\GoodSync
2010-06-01 07:33:28 ----D---- C:\WINDOWS.1\repair
2010-06-01 07:33:26 ----SD---- C:\WINDOWS.1\Downloaded Program Files
2010-06-01 07:33:26 ----D---- C:\Program Files\Quicken
2010-06-01 07:33:26 ----D---- C:\Program Files\HijackThis
2010-06-01 07:33:26 ----D---- C:\Program Files\Free Audio Editor
2010-06-01 07:33:26 ----D---- C:\Program Files\Eusing Free Registry Cleaner
2010-06-01 07:33:26 ----D---- C:\Program Files\Creative Element Power Tools
2010-06-01 07:33:25 ----RD---- C:\LDSCL
2010-06-01 07:33:25 ----D---- C:\Temp
2010-06-01 07:33:25 ----D---- C:\QUICKENW
2010-06-01 07:32:45 ----D---- C:\Program Files\GenSmarts
2010-06-01 07:32:45 ----D---- C:\Program Files\GARtrip
2010-06-01 07:32:45 ----D---- C:\piano_files
2010-05-31 15:47:23 ----D---- C:\Program Files\Karen's Power Tools
2010-05-28 07:38:03 ----D---- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\IObit
2010-05-25 17:44:32 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\CameraWindowDC
2010-05-24 21:38:28 ----D---- C:\CanoScan_N650U_N656U_CSUv571a
2010-05-17 20:44:01 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\dvdcss
2010-05-13 03:00:57 ----RSHDC---- C:\WINDOWS.1\system32\dllcache
2010-05-13 03:00:57 ----D---- C:\Program Files\Outlook Express
2010-05-12 04:57:28 ----HD---- C:\WINDOWS.1\$hf_mig$
2010-05-08 21:55:29 ----D---- C:\Program Files\Defraggler
2010-05-07 16:01:31 ----D---- C:\Norman
2010-05-07 16:01:17 ----D---- C:\WINDOWS.1\Temp
2010-05-07 16:00:08 ----D---- C:\WINDOWS.1\system32\drivers
2010-05-07 15:59:19 ----D---- C:\WINDOWS.1\Internet Logs
2010-05-07 15:59:14 ----D---- C:\WINDOWS.1\java
2010-05-07 15:58:05 ----SD---- C:\WINDOWS.1\Tasks
2010-05-07 10:09:06 ----D---- C:\WINDOWS.1\system32\CatRoot2
2010-05-07 10:09:06 ----D---- C:\WINDOWS.1\Prefetch
2010-05-06 15:53:01 ----D---- C:\Program Files\Mozilla Thunderbird
2010-05-06 15:48:41 ----RD---- C:\Program Files
2010-05-06 13:57:01 ----D---- C:\WINDOWS.1
2010-05-06 11:52:02 ----SHD---- C:\WINDOWS.1\Installer
2010-05-06 11:52:02 ----SHD---- C:\Config.Msi
2010-05-05 22:01:26 ----D---- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2010-05-05 17:33:50 ----SHD---- C:\RECYCLER
2010-05-05 16:53:33 ----RSD---- C:\WINDOWS.1\assembly
2010-05-05 16:53:33 ----D---- C:\WINDOWS.1\Microsoft.NET
2010-05-05 16:43:18 ----D---- C:\WINDOWS.1\AppPatch
2010-05-05 16:41:53 ----HD---- C:\WINDOWS.1\inf
2010-05-05 16:41:38 ----D---- C:\WINDOWS.1\system32\config
2010-05-05 16:41:33 ----D---- C:\WINDOWS.1\system32
2010-05-05 16:14:47 ----D---- C:\Program Files\Mozilla Firefox
2010-04-30 14:51:06 ----A---- C:\WINDOWS.1\system32\MRT.exe
2010-04-21 09:28:50 ----N---- C:\WINDOWS.1\system32\tzchange.exe
2010-04-14 08:10:05 ----D---- C:\WINDOWS.1\ie8updates
2010-04-11 07:34:15 ----D---- C:\Program Files\Common Files\Real
2010-04-11 07:33:43 ----D---- C:\Program Files\Real
2010-04-11 07:32:37 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\Real
2010-04-11 07:27:56 ----D---- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Viewpoint
2010-04-11 07:27:53 ----D---- C:\Program Files\Viewpoint
2010-04-10 20:39:00 ----D---- C:\Documents and Settings\Paul.FAMILYROOM\Application Data\CBS Interactive
2010-04-10 20:38:49 ----D---- C:\UBCD4Win
2010-04-10 20:31:17 ----D---- C:\Program Files\Avant Browser
2010-04-10 20:21:57 ----D---- C:\Program Files\Free Music Zilla
2010-04-10 20:18:53 ----D---- C:\WINDOWS.1\system32\ias
2010-04-10 00:00:00 ----D---- C:\Program Files\SpeedFan

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS.1\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 vsdatant;vsdatant; C:\WINDOWS.1\System32\vsdatant.sys [2009-02-16 353672]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS.1\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 Ndiskio;Ndiskio; \??\C:\Norman\Nse\bin\NDISKIO.SYS []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS.1\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS.1\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS.1\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DP;HSF_DP; C:\WINDOWS.1\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS.1\system32\DRIVERS\HSFHWBS2.sys [2004-12-15 220928]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS.1\system32\drivers\RtkHDAud.sys [2009-02-11 5028352]
R3 NIC1394;1394 Net Driver; C:\WINDOWS.1\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS.1\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 NVENETFD;NVIDIA nForce 10/100 Mbps Ethernet ; C:\WINDOWS.1\System32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS.1\System32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS.1\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS.1\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS.1\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS.1\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS.1\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 winachsf;winachsf; C:\WINDOWS.1\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver; \??\C:\WINDOWS.1\system32\drivers\hitmanpro35.sys []
S3 nm;Network Monitor Driver; C:\WINDOWS.1\System32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 NvcMFlt;NvcMFlt; C:\WINDOWS.1\system32\DRIVERS\nvcw32mf.sys [2008-02-11 19512]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS.1\system32\DRIVERS\TVICHW32.SYS []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS.1\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS.1\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS.1\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS.1\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS.1\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 ASPI32;ASPI32; C:\WINDOWS.1\system32\drivers\ASPI32.sys [2004-07-20 16512]
S4 CH341SER;CH341SER; C:\WINDOWS.1\System32\Drivers\CH341SER.SYS [2006-10-25 36080]
S4 giveio;giveio; C:\WINDOWS.1\system32\giveio.sys [1996-04-03 5248]
S4 IntelIde;IntelIde; C:\WINDOWS.1\system32\drivers\IntelIde.sys []
S4 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S4 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 EPSON_PM_RPCV2_02;EPSON V3 Service2(02); C:\WINDOWS.1\system32\E_S00RP2.EXE [2000-05-16 60416]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2001-08-09 90112]
R2 Norman ZANDA;Norman ZANDA; C:\Norman\Bin\Zanda.exe [2007-08-09 322616]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-07-13 131131]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2006-07-13 65599]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS.1\system32\nvsvc32.exe [2008-09-17 163908]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
R2 WSearch;Windows Search; C:\WINDOWS.1\system32\SearchIndexer.exe [2008-05-26 439808]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS.1\system32\svchost.exe [2008-04-13 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS.1\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS.1\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS.1\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-22 136120]
S3 idsvc;Windows CardSpace; C:\WINDOWS.1\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MatSvc;Microsoft Automated Troubleshooting Service; C:\Program Files\Microsoft Fix it Center\Matsvc.exe [2010-04-10 266544]
S3 nvcoas;Norman Virus Control on-access component; C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 179256]
S3 NVCScheduler;Norman Virus Control Scheduler; C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 146488]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2006-04-03 20543]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-05 163840]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-21 152984]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS.1\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 7th, 2010, 4:32 pm

Hi

We need to temporarily disable WinPatrol as below.

How are things running?



Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u20-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    Java(TM) 6 Update 14
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.



Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.(System registry & Current user registry)
  • Click on OK
  • When the Question pop-up appears click on Yes to create the folder.
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.



Disable WinPatrol

  • Locate the WinPatrol icon in the system tray, right-click it and select Options...
  • In the list near the bottom of the window, uncheck Automatically run WinPatrol when computer starts.
  • Close the WinPatrol window.
  • Right-click the WinPatrol icon in the System Tray and select Exit Program.



Fix HijackThis entries
  • Run HijackThis
  • Click on the do a system scan only button
  • Put a check beside all of the items listed below (if present):

    O24 - Desktop Component 0: (no name) - (no file)

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.



OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following script under the Paste List of Files/Folders to Move area:
    :Files
    C:\Program Files\Unlocker\eBay_shortcuts_1016.exe
    J:\C\Documents and Settings\Paul.FAMILYROOM\My Documents\Downloads\DriverRobot_Setup.exe
    J:\Genealogy\C\Documents and Settings\Paul.FAMILYROOM\Desktop\UBCD4WinV320.exe
    
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=dword:00000001
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    

  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.


NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
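
The OTM script above deletes the startupreg\M5T8QL3YW3 entry (the one in the RSIT log that pointed at Jjh.exe in the user's Temp folder) and sets HonorAutoRunSetting to 1. As an added example, not code from this thread, from RSIT or from OTM, the Python below triages the entries of an RSIT "Registry dump" section and surfaces that entry on its own, and decodes the NoDriveTypeAutoRun mask that the log shows as 145. The sample lines are copied from the RSIT log posted above; the scoring weights and the "machine-generated name" heuristic are this example's own assumptions, and the empty bracket pair is treated as "RSIT recorded no date/size", which the log itself shows is also true for commands that carry arguments (TkBellExe).

```python
"""Triage of autostart entries from an RSIT-style "Registry dump" section.

Added example for this thread, not code from MalwareRemoval.com, RSIT or OTM.
SAMPLE_DUMP reproduces entries from the RSIT log posted above; the scoring
weights and the random-name heuristic are this example's own assumptions.
"""
import re

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Norman ZANDA"=C:\Norman\Bin\ZLH.EXE [2007-08-09 183352]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2010-05-31 323976]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]
C:\DOCUME~1\PAUL~1.FAM\LOCALS~1\Temp\Jjh.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"""

# RSIT prints each entry as  "name"=command [date size]  or  command [date size];
# the bracket pair is empty when no date/size could be recorded for the path.
_ENTRY = re.compile(r'^(?:"(?P<name>[^"]*)"=)?(?P<cmd>.*?)(?:\s*\[(?P<meta>[^\]]*)\])?$')
_AUTOSTART_KEY = re.compile(r"\\(run|runonce|startupreg\\[^\\]+)$", re.I)
_TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
# Heuristic (assumption): 8+ upper-case letters and digits mixed, like M5T8QL3YW3.
_RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")


def parse_rsit_dump(text):
    """Return [(key, value_name_or_None, command, meta_or_None), ...]."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _ENTRY.match(line)
        if key and m:
            entries.append((key, m.group("name"), m.group("cmd"), m.group("meta")))
    return entries


def triage_autostarts(entries):
    """Score each Run/RunOnce/startupreg entry; higher means more worth a look."""
    results = []
    for key, name, cmd, meta in entries:
        if not _AUTOSTART_KEY.search(key):
            continue  # policies, BHOs, services are not autostart commands
        label = name or key.rsplit("\\", 1)[-1]
        score, reasons = 0, []
        if _TEMP_DIR.search(cmd):
            score += 3
            reasons.append("executable lives in a Temp directory")
        if _RANDOM_NAME.match(label):
            score += 2
            reasons.append(f"entry name {label!r} looks machine-generated")
        if meta == "":
            score += 1  # weak on its own: also true for commands with arguments
            reasons.append("no date/size recorded (file missing, or path has arguments)")
        verdict = "likely malicious" if score >= 4 else "review" if score else "ok"
        results.append({"label": label, "command": cmd, "score": score,
                        "verdict": verdict, "reasons": reasons})
    return results


def autorun_policy(entries):
    """Return the NoDriveTypeAutoRun value from a Policies\\explorer key, or None."""
    for key, name, cmd, _ in entries:
        if key.lower().endswith(r"\policies\explorer") and name == "NoDriveTypeAutoRun":
            return int(cmd)
    return None


# Bits of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
_AUTORUN_BITS = [(0x01, "DRIVE_UNKNOWN"), (0x04, "DRIVE_REMOVABLE"), (0x08, "DRIVE_FIXED"),
                 (0x10, "DRIVE_REMOTE"), (0x20, "DRIVE_CDROM"), (0x40, "DRIVE_RAMDISK"),
                 (0x80, "reserved/unknown")]


def decode_nodrivetypeautorun(value):
    """List the drive types for which AutoRun is disabled by this mask."""
    return [label for bit, label in _AUTORUN_BITS if value & bit]


if __name__ == "__main__":
    entries = parse_rsit_dump(SAMPLE_DUMP)
    for r in triage_autostarts(entries):
        print(f"{r['verdict']:17} {r['score']}  {r['label']}: {r['command']}")
        for why in r["reasons"]:
            print("     -", why)
    print("NoDriveTypeAutoRun =", autorun_policy(entries),
          "disables:", decode_nodrivetypeautorun(autorun_policy(entries)))
```

The value 145 (0x91) that the log shows is the XP default: AutoRun stays enabled for removable, fixed and CD-ROM drives, which is why the OTM script also sets HonorAutoRunSetting; 0xFF disables AutoRun for every drive type.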

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 7th, 2010, 5:22 pm

Running much better. No more redirects or popup tabs. Google Chrome working again, too.

thanks!

From looking at the other postings on this board, it appears that this is a new virus/rootkit/whatever attack on a lot of machines. True, or just my perception?

All processes killed
========== FILES ==========
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe moved successfully.
J:\C\Documents and Settings\Paul.FAMILYROOM\My Documents\Downloads\DriverRobot_Setup.exe moved successfully.
J:\Genealogy\C\Documents and Settings\Paul.FAMILYROOM\Desktop\UBCD4WinV320.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\\"HonorAutoRunSetting"|dword:00000001 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.FAMILYROOM
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ADMINI~1~FAM

User: All Users

User: All Users.WINDOWS.1

User: All Users.WINDOWS2

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS.1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kathryn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kathryn Brown
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.001
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nola 08 01Jan_20090909-1537

User: Nola 08 05May_20090909-1538

User: Nola 08 08Aug _20090909-1539

User: Nola 08 08Aug _20090909-1543

User: Nola 08 11Nov_20090909-1540

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Paul Brown

User: Paul.FAMILYROOM
->Temp folder emptied: 441306 bytes
->Temporary Internet Files folder emptied: 5345967 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 30060537 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 434 bytes

User: PAUL~1~FAM

User: Qucumba
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 256 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06072010_170958
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 7th, 2010, 5:24 pm

I just ran HijackThis again, and found that
O24 - Desktop Component 0: (no name) - (no file)
had returned. A problem?
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 7th, 2010, 5:48 pm

No, not a problem as such. It's a setting that can be hijacked by malware to display fake "you're infected" warnings as your desktop wallpaper. It can be used legitimately but yours looks orphaned (no file).

Go to Start > Run and copy/paste the following command into the Run box and click OK:

cmd /c regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0"

A black command prompt window will open and close. It will create a file called look.txt on your desktop - post the contents of that file.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 7th, 2010, 7:14 pm

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,78,01,00,00,26,01,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,00
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia
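
melboy's regedit /e command exports the Components\0 key to look.txt, and the output posted above shows every string empty, which is the orphaned case. As an added example, not a tool from this thread or from HijackThis, the Python below parses such a .reg export (string, dword and multi-line hex values), decodes the Position blob as a COMPPOS structure, and classifies the component. The posted key comes out orphaned; a constructed Components\1 key that points at a local .htm file, which is not from this thread, comes out suspicious, the fake-warning-wallpaper case melboy describes. The classification rules and the constructed key are this example's own assumptions.

```python
"""Parse a regedit /e export and triage Active Desktop component keys.

Added example for this thread; not a MalwareRemoval.com or HijackThis tool.
SAMPLE_LOOK_TXT repeats the Components\0 key phbrown posted and adds a
constructed Components\1 key (not from the thread) showing a hijacked
component. The triage rules are this example's own heuristics.
"""
import re

SAMPLE_LOOK_TXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,78,01,00,00,26,01,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/WINDOWS/Temp/warning.htm"
"SubscribedURL"=""
"FriendlyName"="System Warning"
"Flags"=dword:00000000
"""

_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_HEX = re.compile(r"^hex(?:\([0-9a-f]+\))?:(?P<bytes>.*)$", re.I)


def read_reg_export(path):
    """regedit /e writes UTF-16LE with a BOM; older tools may write ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


def _decode_data(data):
    if data.startswith('"'):                      # REG_SZ with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):         # REG_DWORD as 8 hex digits
        return int(data[6:], 16)
    if data == "-":                               # value deletion marker
        return None
    m = _HEX.match(data)
    if m:                                         # hex / hex(2) / hex(7): raw bytes
        parts = [p for p in m.group("bytes").split(",") if p.strip()]
        return bytes(int(p, 16) for p in parts)   # hex(2)/hex(7) hold UTF-16LE text
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\"):                # hex data continues on the next line
            line = line[:-1] + next(lines, "").strip()
        m = _VALUE.match(line)
        if current and m:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = _decode_data(m.group("data"))
    return keys


def decode_comppos(blob):
    """COMPPOS: dwSize, iLeft, iTop, dwWidth, dwHeight, ... as little-endian DWORDs."""
    fields = ("size", "left", "top", "width", "height")
    return {f: int.from_bytes(blob[4 * i:4 * i + 4], "little") for i, f in enumerate(fields)}


def triage_desktop_component(values):
    """Classify one Components\\N key: orphaned, suspicious or review (assumed rules)."""
    target = values.get("Source") or values.get("SubscribedURL") or ""
    if not target:
        return "orphaned", "no Source/SubscribedURL: empty component, removable"
    low = target.lower()
    local = low.startswith("file:") or re.match(r"^[a-z]:[\\/]", low)
    if local and low.endswith((".htm", ".html", ".mht")):
        return "suspicious", f"local HTML shown as wallpaper: {target}"
    return "review", f"component points at {target}"


if __name__ == "__main__":
    import sys
    text = read_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOOK_TXT
    for key, values in parse_reg_export(text).items():
        verdict, why = triage_desktop_component(values)
        print(f"{key}\n  {verdict}: {why}")
        if isinstance(values.get("Position"), bytes):
            print("  position:", decode_comppos(values["Position"]))
```

Run it with the path to look.txt as the only argument; with no argument it triages the embedded sample. The Position blob of the posted key decodes to a 376 by 294 pixel component at the top left, the leftover frame of whatever was displayed before the Source was cleared.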