Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


windows explorer hijack?


Re: windows explorer hijack?

Post by miguelvillafana » February 22nd, 2009, 8:31 pm

OK, I cleared up some memory and ran CCleaner. The desktop's running a bit faster, but still no Explorer.

Miguel V.

PS: here's report #1

OTViewIt logfile created on: 02/22/09 7:28:33 PM - Run 4
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\BELLA\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

479.53 Mb Total Physical Memory | 186.20 Mb Available Physical Memory | 38.83% Memory free
1.83 Gb Paging File | 1.54 Gb Available in Paging File | 84.19% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440;D:\pagefile.sys 750 1440;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.00 Gb Total Space | 4.53 Gb Free Space | 28.33% Space Free | Partition Type: NTFS
Drive D: | 58.56 Gb Total Space | 55.51 Gb Free Space | 94.80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALUED-CB7D4C82
Current User Name: BELLA
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2009/01/30 12:41:55 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2008/10/12 09:10:55 | 00,168,432 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
[2008/12/16 21:59:50 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
[2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
[2007/12/24 16:50:22 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
[2002/07/24 14:21:04 | 00,372,806 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
[2009/01/30 12:42:27 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
[2009/01/30 12:42:23 | 00,592,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
[2002/07/17 22:02:44 | 00,462,848 | ---- | M] () -- C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
[2009/01/30 12:41:44 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
[2002/07/18 23:27:26 | 00,045,056 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
[2002/07/18 23:27:26 | 00,045,056 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
[2002/07/24 21:55:16 | 00,581,632 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
[2002/07/24 21:55:16 | 00,581,632 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
[2009/01/30 12:42:25 | 00,687,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
[2008/04/13 19:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\taskmgr.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/12/19 00:25:25 | 00,634,024 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
[2007/12/14 12:06:52 | 00,120,384 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
[2009/02/19 11:53:07 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BELLA\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2009/01/30 12:41:44 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
[2009/01/30 12:41:55 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/10/12 09:10:55 | 00,168,432 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Running])
[2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/12/16 21:59:50 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv [Auto | Running])
[2002/07/16 07:16:00 | 00,061,440 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
[2007/12/24 16:50:22 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
[2002/07/23 07:45:12 | 00,065,536 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV [On_Demand | Stopped])
[2002/07/24 14:21:04 | 00,372,806 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe -- (VAIOMediaPlatform-MusicServer-AppServer [Auto | Running])
[2002/07/18 23:27:26 | 00,045,056 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe -- (VAIOMediaPlatform-MusicServer-HTTP [Auto | Running])
[2002/07/24 21:55:16 | 00,581,632 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe -- (VAIOMediaPlatform-MusicServer-UPnP [Auto | Running])
[2002/07/17 22:02:44 | 00,462,848 | ---- | M] () -- C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe -- (VAIOMediaPlatform-PhotoServer-AppServer [Auto | Running])
[2002/07/18 23:27:26 | 00,045,056 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe -- (VAIOMediaPlatform-PhotoServer-HTTP [Auto | Running])
[2002/07/24 21:55:16 | 00,581,632 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe -- (VAIOMediaPlatform-PhotoServer-UPnP [Auto | Running])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[1999/09/10 06:06:00 | 00,025,244 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
[2008/12/26 23:45:02 | 00,006,656 | ---- | M] () -- C:\WINDOWS\system32\drivers\atmarpc.sys -- (Atmarpc [On_Demand | Stopped])
[2008/12/26 23:43:48 | 00,006,656 | ---- | M] () -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub [On_Demand | Running])
[2009/01/30 12:42:26 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
[2009/01/30 12:42:26 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
[2009/01/30 12:42:09 | 00,107,272 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [System | Running])
[2000/12/05 18:18:02 | 00,003,952 | R--- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall [System | Running])
[2008/12/17 01:02:06 | 00,023,832 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService [On_Demand | Stopped])
[2007/01/19 11:46:10 | 00,049,920 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
[2007/01/19 11:46:10 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2007/01/19 11:46:12 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2008/04/13 13:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2002/07/20 11:22:30 | 00,815,819 | ---- | M] (Lucent Technologies) -- C:\WINDOWS\system32\drivers\LTSM.sys -- (LucentSoftModem [On_Demand | Running])
[2008/12/16 21:58:54 | 00,025,624 | ---- | M] () -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon [On_Demand | Running])
[2008/12/17 01:00:12 | 00,768,024 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS [On_Demand | Stopped])
[2008/12/17 01:01:20 | 00,041,752 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Stopped])
[2008/12/17 01:01:42 | 06,364,440 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC [On_Demand | Stopped])
[2008/01/06 11:13:28 | 00,002,560 | ---- | M] () -- C:\WINDOWS\system32\drivers\mchInjDrv.sys -- (mchInjDrv [System | Running])
[2002/07/16 07:16:00 | 00,981,466 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])
[2007/02/03 10:27:56 | 00,490,784 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928 [On_Demand | Stopped])
[2007/08/21 00:13:00 | 00,021,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32 [On_Demand | Running])
[2001/08/18 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2002/04/18 04:02:00 | 00,016,288 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2008/02/25 11:54:56 | 00,105,088 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
[2002/06/13 14:37:16 | 00,045,568 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139 [On_Demand | Stopped])
[2002/07/24 20:56:18 | 00,205,696 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315 [On_Demand | Running])
[2002/05/22 18:11:08 | 00,027,392 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\SISAGP.SYS -- (sisagp [Boot | Running])
[2002/04/03 20:51:34 | 00,005,760 | ---- | M] () -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp [System | Running])
[2002/08/02 13:56:00 | 00,590,464 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\soma.sys -- (soma [On_Demand | Stopped])
[2002/07/03 19:50:36 | 00,031,586 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SonyWBMS.sys -- (SONYWBMS [On_Demand | Running])
[2004/05/18 10:23:04 | 00,025,749 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
[2007/08/01 22:47:26 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
[2008/04/13 14:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])
[2001/08/09 17:26:02 | 00,022,608 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\system32\drivers\wandrv.sys -- (wandrv [On_Demand | Stopped])
[2008/03/27 16:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2002/07/19 15:25:58 | 00,202,880 | ---- | M] (YAMAHA CORPORATION) -- C:\WINDOWS\system32\drivers\yacxgc.sys -- (WDM_YAMAHAAC97 [On_Demand | Running])
[2008/01/24 14:08:54 | 00,019,336 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum [On_Demand | Running])
[2008/01/24 14:09:04 | 00,028,168 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter [On_Demand | Stopped])
[2008/01/24 14:09:24 | 00,014,728 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid [On_Demand | Stopped])
[2008/01/24 14:09:34 | 00,048,904 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.yahoo.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (222407 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
127.0.0.1 1001-search.info
127.0.0.1 www.1001-search.info
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 123topsearch.com
127.0.0.1 www.123topsearch.com
127.0.0.1 132.com
127.0.0.1 www.132.com
127.0.0.1 136136.net
127.0.0.1 www.136136.net
7806 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (HKLM) -- C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} (HKLM) -- C:\Program Files\blstoolbar\blstoolbar.dll ()
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll (Google Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}" (HKLM) -- C:\Program Files\blstoolbar\blstoolbar.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E}" (HKLM) -- C:\Program Files\blstoolbar\blstoolbar.dll ()
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
"ezShieldProtector for Px"=C:\WINDOWS\System32\ezSP_Px.exe (Easy Systems Japan Ltd.)
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" (Microsoft Corporation)
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide ()
"LTSMMSG"=LTSMMSG.exe (Lucent Technologies)
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize (Microsoft Corporation)
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
"SiS Tray"= File not found
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper (BellSouth)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" /AUTO (Piriform Ltd)
"Google Update"="C:\Documents and Settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
"Uniblue RegistryBooster 2"=C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S File not found

========== (O4) RunOnce Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"123"=C:\WINDOWS\DelToolbox.bat ()

========== (O4) Startup Folders ==========

[2000/10/11 18:08:00 | 00,113,664 | ---- | M] (Adobe Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
[2004/11/04 19:28:24 | 00,258,048 | ---- | M] (Hewlett-Packard Co.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[2004/11/04 19:50:52 | 00,053,248 | ---- | M] (Hewlett-Packard Co.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
[2002/07/02 23:28:24 | 00,040,960 | ---- | M] (Sony Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
[2008/11/07 14:56:10 | 00,517,384 | ---- | M] (Leader Technologies/Logitech) -- C:\Documents and Settings\BELLA\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=255

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&Yahoo! Search: File not found
Yahoo! &Dictionary: File not found
Yahoo! &Maps: File not found
Yahoo! &SMS: File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/13 19:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
33 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
: msn in My Computer
compuserve.com: * is out of zone range (5)
compuserve.com\objects: * is out of zone range (0)
kaspersky.com\www: http in My Computer
microsoft.com\*.update: http in My Computer
microsoft.com\*.update: https in Local intranet
microsoft.com\update: http in My Computer
microsoft.com\windowsupdate: http in My Computer
microsoft.com\www.update: http in My Computer
windowsupdate.com\download: http in My Computer
35 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{02CF1781-EA91-4FA5-A200-646E8241987C}: http://esupport.sony.com/VaioInfo.CAB -- VaioInfo.CMClass
{215B8138-A3CF-44C5-803F-8226143CFC0A}: http://housecall65.trendmicro.com/house ... hcImpl.cab -- Trend Micro ActiveX Scan Agent 6.6
{33564D57-0000-0010-8000-00AA00389B71}: http://download.microsoft.com/download/ ... mv9VCM.CAB -- Reg Error: Key does not exist or could not be opened.
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftup ... 2459300968 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab -- Java Plug-in 1.6.0_04
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab -- Java Plug-in 1.6.0_07
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.
Yahoo! Pool 2: http://download2.games.yahoo.com/games/ ... poti_x.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{09A6116E-5382-4919-942D-8B7393CE205C} (Servers: | Description: )
{1064845E-C9AD-41D2-9159-26BFC68B0347} (Servers: | Description: 1394 Net Adapter)
{C0B22912-36BB-4A5F-AFBD-35A0691AB843} (Servers: | Description: Realtek RTL8139/810x Family Fast Ethernet NIC)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
avgrsstarter: "DllName" = avgrsstx.dll -- C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
klogon: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found

========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
explorer.exe:"Debugger" = C:\Program Files\Microsoft Common\svchost.exe File not found

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2002/08/03 10:18:45 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34a7b89b-d1b8-11db-b822-00038a000011}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34a7b89b-d1b8-11db-b822-00038a000011}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2008/04/13 19:12:05 | 08,461,312 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34a7b89b-d1b8-11db-b822-00038a000011}\Shell\Explore\command]
""=H:\system.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34a7b89b-d1b8-11db-b822-00038a000011}\Shell\Open\command]
""=H:\system.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2008/04/13 19:12:05 | 08,461,312 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}\Shell\Explore\command]
""=I:\system.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}\Shell\Open\command]
""=I:\system.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/02/22 18:45:44 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\CCleaner.lnk
[2009/02/22 18:45:34 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/02/19 11:52:49 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\BELLA\Desktop\OTViewIt.exe
[2009/02/19 11:08:05 | 00,000,053 | ---- | C] () -- C:\WINDOWS\DelToolbox.bat
[2009/02/17 16:22:20 | 50,289,4592 | -HS- | C] () -- C:\hiberfil.sys
[2009/02/17 16:18:33 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/02/17 16:13:51 | 00,268,052 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\Rooter.exe
[2009/02/17 13:37:21 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\gmer.zip
[2009/02/17 13:33:52 | 00,368,961 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\dds.scr
[2009/02/11 19:15:43 | 00,204,496 | ---- | C] (Malwarebytes) -- C:\Documents and Settings\BELLA\Desktop\StartUpLite.exe
[2009/02/11 19:04:14 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\HijackThis.lnk
[2009/02/11 19:02:31 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\BELLA\Desktop\HJTInstall.exe
[2009/02/11 19:02:01 | 00,318,369 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\HiJackThis.zip
[2009/01/30 12:58:08 | 00,000,114 | ---- | C] () -- C:\Documents and Settings\BELLA\My Documents\shellfix.reg
[2009/01/30 11:55:37 | 00,000,000 | ---D | C] -- C:\Program Files\USB Disk Win98 Driver
[2009/01/30 11:41:28 | 01,486,973 | ---- | C] () -- C:\Documents and Settings\BELLA\Desktop\Windows 98SE-ME Drivers for MW3847.zip
[2009/01/30 08:36:10 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/01/29 18:03:39 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
[2009/01/29 18:03:38 | 00,010,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/01/29 18:03:37 | 00,107,272 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/01/29 18:03:30 | 00,325,128 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/01/29 18:03:27 | 00,027,656 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/01/29 18:03:15 | 33,430,757 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/01/29 18:03:15 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/01/29 18:03:15 | 00,401,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/01/29 18:03:15 | 00,008,322 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/01/29 18:03:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/01/24 09:44:49 | 00,000,000 | ---D | C] -- C:\Program Files\MSECache
[2009/01/23 23:41:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BELLA\Application Data\OpenOffice.org
[2009/01/23 20:17:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BELLA\Local Settings\Application Data\Deployment

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/02/22 19:24:25 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/02/22 19:23:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/02/22 19:23:26 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/02/22 19:23:22 | 50,289,4592 | -HS- | M] () -- C:\hiberfil.sys
[2009/02/22 18:45:45 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\CCleaner.lnk
[2009/02/22 18:41:47 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B8726A76-E3AC-4D6F-8C87-A4358E07678D}.job
[2009/02/22 18:39:59 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/02/22 18:39:59 | 00,008,322 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/02/22 18:39:58 | 33,430,757 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/02/21 23:56:04 | 00,406,658 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/02/21 23:56:04 | 00,063,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/02/21 23:56:03 | 00,477,186 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/02/19 11:53:07 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BELLA\Desktop\OTViewIt.exe
[2009/02/19 11:08:05 | 00,000,053 | ---- | M] () -- C:\WINDOWS\DelToolbox.bat
[2009/02/17 16:13:51 | 00,268,052 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\Rooter.exe
[2009/02/17 13:37:49 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\gmer.zip
[2009/02/17 13:34:12 | 00,368,961 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\dds.scr
[2009/02/12 18:29:12 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/11 19:15:43 | 00,204,496 | ---- | M] (Malwarebytes) -- C:\Documents and Settings\BELLA\Desktop\StartUpLite.exe
[2009/02/11 19:04:15 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\HijackThis.lnk
[2009/02/11 19:02:42 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\BELLA\Desktop\HJTInstall.exe
[2009/02/11 19:02:07 | 00,318,369 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\HiJackThis.zip
[2009/02/03 18:21:12 | 21,244,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/01/30 17:28:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2009/01/30 17:28:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2009/01/30 12:58:32 | 00,000,114 | ---- | M] () -- C:\Documents and Settings\BELLA\My Documents\shellfix.reg
[2009/01/30 12:42:27 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/01/30 12:42:26 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/01/30 12:42:26 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/01/30 12:42:09 | 00,107,272 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/01/30 11:59:07 | 00,153,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/30 11:41:45 | 01,486,973 | ---- | M] () -- C:\Documents and Settings\BELLA\Desktop\Windows 98SE-ME Drivers for MW3847.zip
[2009/01/29 18:03:39 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.0.lnk
[2009/01/29 18:03:15 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/01/29 08:17:38 | 00,032,840 | ---- | M] () -- C:\Documents and Settings\BELLA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/01/26 09:00:00 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\rpc.job
[2009/01/25 20:40:19 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\BELLA\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
< End of report >
miguelvillafana
Regular Member
 
Posts: 126
Joined: January 5th, 2008, 8:01 pm

Re: windows explorer hijack?

Unread postby miguelvillafana » February 22nd, 2009, 8:32 pm

report #2:

OTViewIt Extras logfile created on: 02/22/09 7:28:33 PM - Run 4
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\BELLA\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

479.53 Mb Total Physical Memory | 186.20 Mb Available Physical Memory | 38.83% Memory free
1.83 Gb Paging File | 1.54 Gb Available in Paging File | 84.19% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440;D:\pagefile.sys 750 1440;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.00 Gb Total Space | 4.53 Gb Free Space | 28.33% Space Free | Partition Type: NTFS
Drive D: | 58.56 Gb Total Space | 55.51 Gb Free Space | 94.80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALUED-CB7D4C82
Current User Name: BELLA
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=0
"AntiVirusDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
File not found -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET
[2009/02/12 08:12:21 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox
[2003/05/30 16:13:08 | 04,218,880 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\DV Messenger\DV Messenger.exe:*:Enabled:Executable
[2008/09/14 03:20:48 | 00,094,208 | ---- | M] () -- C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player
[2008/10/04 19:22:53 | 00,214,536 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
File not found -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[2007/01/19 12:49:28 | 04,670,968 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
File not found -- C:\Documents and Settings\BELLA\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player
[2009/01/12 19:17:50 | 03,782,128 | ---- | M] (Google) -- C:\Documents and Settings\BELLA\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin
[2009/01/12 18:10:32 | 00,083,440 | ---- | M] (Google) -- C:\Documents and Settings\BELLA\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin
[2008/11/07 14:31:38 | 21,633,320 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
[2009/01/30 12:41:44 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/01/30 12:38:12 | 01,032,984 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2008/04/13 19:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
[2009/01/30 12:42:05 | 00,079,128 | ---- | M] (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgpp.dll (linkscanner:{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} (HKLM) [XPLPPFilter Class])
msdaipp: [HKLM - No CLSID value]
[2008/04/13 19:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]
[2008/04/13 19:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\msdaipp.dll msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2008/11/07 14:31:38 | 01,942,864 | R--- | M] (Skype Technologies) C:\Program Files\Common Files\Skype\Skype4COM.dll (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0125AA92-F44D-4DB3-8B98-2F14A7B9ACB1}"=Experience Vaio
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}"=Scan
"{0ED47137-C071-46CC-A243-E5E33271E10E}"=Windows Live Sign-in Assistant
"{117C01B5-9D68-4A15-85E2-A7CDFA82CEB9}"=OpenMG Secure Module 3.1
"{13515135-48BB-4184-8C1F-2FAE0138E200}"=TBS WMP Plug-in
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}"=ScannerCopy
"{17293791-C82E-476C-9997-9A0FF234A19B}"=HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}"=Fax
"{197A2B90-A998-4603-9B25-2B7D7CC0060E}"=Screenblast Sound Forge 1.0b
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}"=InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}"=Copy
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}"=VAIO Media 2.0
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}"=TrayApp
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}"=QuickTime
"{21CF3E6E-1659-433E-B6CE-165D793560DA}"=VAIO Grid Wallpaper
"{272EC8BA-5A08-4ea1-A189-684466A06B02}"=cp_dwShrek2Albums1
"{29F61465-428A-11D4-B646-00C04F790F76}"=DVgate
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}"=Unload
"{30642CE1-217B-40C0-92E2-6BF849599D9E}"=Network Smart Capture
"{3248F0A8-6813-11D6-A77B-00B0D0160040}"=Java(TM) 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{342C7C88-D335-4bc2-8CF1-281857629CE2}"=HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}"=HP Product Assistant
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}"=CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}"=ProductContext
"{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}"=Music Visualizer Library 1.4.00
"{3C67D8C0-F0EC-11D3-99D3-00C04FCCB775}"=VAIO Action Setup
"{3E908702-AF35-4611-9518-955DA24B7E07}"=Microsoft XML Parser and SDK
"{442BE28B-782B-4DC0-B490-E70A403B1C69}"=Readme
"{48BE827A-2D06-4804-90C3-4F2F8460F9D4}"=Support Actions WinXP
"{500CE39A-DC17-44EE-8EAD-E0416B16F0BC}"=ImageStation Tour
"{57E86046-AED3-4846-A177-E1BF064F75A2}"=Microsoft Tool Web Package:INUSE.EXE
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype™ 3.8
"{5E8D588F-307C-4250-B622-26969027319A}"=PanoStandAlone
"{6060E6A1-5342-4D2B-8F66-B6D6E20BBD03}"=VAIO Help & Support
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}"=CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}"=PhotoGallery
"{655CB07D-C944-40BE-B93F-55957CAC7625}"=AiO_Scan
"{662E1348-3D8D-4BCE-B345-BF7EB40308FD}"=Screenblast ACID 2.0a
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}"=Destinations
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{6990A2BF-D1D2-11D3-81BC-00609789C908}"=Sony DV Shared Library
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}"=BufferChm
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}"=VAIO Media Installer 2.0
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}"=SonicStage 1.5.00
"{72275927-4241-46A7-A9C4-B86C6B256EB6}"=ImageStation Demo
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}"=cp_dwShrek2Cards1
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{761C9026-14F0-4352-8658-934558272404}"=VAIO Edit Components LE
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}"=HPSystemDiagnostics
"{802EF464-4992-42B3-8434-45151AD3C933}"=VAIO Serenus Wallpaper
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}"=SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}"=AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}"=QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}"=DocProc
"{8C5FAD77-F678-4758-A296-C12F08D179E0}"=Microsoft IntelliPoint 6.2
"{8E1A8479-D871-4573-AA8C-90BF0338B242}"=VAIO Media Photo Server 2.0
"{90850409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Word Viewer 2003
"{92271486-E286-4CF1-AE6D-F889F83CBF84}"=Opera 9.61
"{924EB80F-C2BB-4B9F-8412-88BBA937393F}"=MobileMe Control Panel
"{937B232D-9776-471E-92BD-D424E514EF14}"=Logitech QuickCam
"{95120000-00AF-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}"=CP_AtenaShokunin1Config
"{AA14D661-8B7A-4A8F-B093-405C160178AF}"=VAIO Registration
"{AB85A4DB-357F-41B5-94A6-C9A4CBBD791B}"=DV Network Software
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{AC76BA86-7AD7-5464-3428-800000000003}"=Spelling Dictionaries Support For Adobe Reader 8
"{ACEC9C3E-0100-4EBE-B298-35A2145828A0}"=VAIO Brezza Wallpaper
"{B279F2F1-3B2F-3A96-AC11-5743CD43DCCB}"=Google Talk Plugin
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{B911B811-BA3E-46D4-90F8-6F3338359651}"=Director
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}"=HP Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}"=WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}"=DocumentViewer
"{D0448678-1203-4158-A58F-B3D0B616BF9E}"=Sony Certificate PCH
"{D42B6F90-1084-4C9B-AF28-958926E6E32E}"=LP_Flash
"{D4A49B00-02F8-11D5-B64D-00C04F790F76}"=MovieShaker 3.3
"{DF0DD6E9-F673-4466-8353-70B50A506FD9}"=VAIO Media Platform 2.0
"{DF733005-0F40-11D6-9254-0000F460E7A9}"=VAIO Media Music Server 2.0
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}"=Apple Mobile Device Support
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}"=CreativeProjectsTemplates
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 1.0"=Adobe Photoshop Elements
"AVG8Uninstall"=AVG Free 8.0
"BellSouth"=BellSouth FastAccess DSL Help Center
"BellSouth Application Management"=BellSouth Application Management
"CCleaner"=CCleaner (remove only)
"FLV Player"=FLV Player 2.0, build 24
"FLV Player_is1"=FLV Player 2.2.4
"Free RAR Extract Frog 1.00"=Free RAR Extract Frog 1.00
"Google Updater"=Google Updater
"HijackThis"=HijackThis 2.0.2
"HP Photo & Imaging"=HP Image Zone 4.7
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}"=TBS WMP Plug-in
"InstallShield_{AA14D661-8B7A-4A8F-B093-405C160178AF}"=VAIO Registration
"InstallShield_{AB85A4DB-357F-41B5-94A6-C9A4CBBD791B}"=DV Network Software
"Lucent Technologies Soft Modem"=Lucent Technologies Soft Modem AMR
"lvdrivers_11.90"=Logitech QuickCam Driver Package
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Motion JPEG Software Decoder"=Motion JPEG Software Decoder
"Mozilla Firefox (3.0.6)"=Mozilla Firefox (3.0.6)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA"=NVIDIA Windows 2000/XP Display Drivers
"RealPlayer 6.0"=RealPlayer
"SiS Compatible VGA V2.09a"=SiS Compatible VGA V2.09a
"SystemRequirementsLab"=System Requirements Lab
"VAIO Support"=VAIO Support
"VLC media player"=VLC media player 0.9.2
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1"=Xvid 1.1.3 final uninstall
"Yahoo! Internet Mail"=Yahoo! Internet Mail
"Yahoo! Messenger"=Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting"=GoToMeeting/GoToWebinar 3.0.0.198
"Octoshape add-in for Adobe Flash Player"=Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/19/09 11:28:43 AM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/19/09 12:41:06 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/19/09 1:41:14 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/19/09 2:41:15 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/19/09 3:41:15 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/19/09 4:41:13 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/21/09 11:55:38 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/22/09 1:53:40 AM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/22/09 2:53:42 AM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

Error - 02/22/09 7:36:35 PM | Computer Name = VALUED-CB7D4C82 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 02/22/09 1:03:35 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 02/22/09 1:03:35 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 02/22/09 1:03:36 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 02/22/09 1:03:36 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 02/22/09 1:03:36 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 02/22/09 1:03:36 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 02/22/09 1:25:37 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 02/22/09 1:25:43 AM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Imapi

Error - 02/22/09 8:24:03 PM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 02/22/09 8:24:09 PM | Computer Name = VALUED-CB7D4C82 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Imapi


< End of report >
miguelvillafana
Regular Member
 
Posts: 126
Joined: January 5th, 2008, 8:01 pm
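An added example, not part of Miguel's post and not code from OTViewIt: Python that reads the Security Center values and the firewall Authorized Applications list from the Extras log above and reports what a helper normally checks first in that section: exceptions that are Enabled but whose file OTViewIt could not find (a stale rule that any file later placed at that path would inherit), enabled exceptions with no company string, and Security Center override or notification flags that are switched on. The sample lines are copied from the log above (a subset); the `FirewallException` record, the `findings` rules and their wording are assumptions of this example. As before, a hit is a triage pointer and not a verdict: the log shows no company string for vlc.exe, for instance.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: lines copied from the OTViewIt Extras log posted above
# (a subset, so the example runs stand-alone).
SAMPLE_EXTRAS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=0
"AntiVirusDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET
[2009/02/12 08:12:21 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox
[2008/09/14 03:20:48 | 00,094,208 | ---- | M] () -- C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player
File not found -- C:\Documents and Settings\BELLA\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player
[2009/01/30 12:41:44 | 00,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"""


@dataclass
class FirewallException:
    path: str
    state: str       # "Enabled"/"Disabled" as stored (case varies in the registry)
    name: str        # display name, or a "@dll,-id" resource reference
    present: bool    # False when OTViewIt printed "File not found"
    company: str     # "" when no company string was present

    @property
    def enabled(self) -> bool:
        return self.state.lower() == "enabled"


# "(Company)" at the end of the prefix before " -- "; empty "()" means none.
COMPANY_RE = re.compile(r"\((?P<company>[^)]*)\)\s*$")
# "Name"=N lines under the Security Center key.
SETTING_RE = re.compile(r'^"(?P<name>[A-Za-z]+)"=(?P<value>\d+)$')


def parse_extras(text: str) -> Tuple[List[FirewallException], Dict[str, int]]:
    """Collect firewall exceptions and Security Center DWORD values."""
    exceptions: List[FirewallException] = []
    settings: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SETTING_RE.match(line)
        if m:
            settings[m["name"]] = int(m["value"])
            continue
        # XP stores each exception value as path:scope:state:name, with "*"
        # as the scope meaning any remote address.
        if " -- " not in line or ":*:" not in line:
            continue
        prefix, value = line.split(" -- ", 1)
        path, rest = value.split(":*:", 1)
        state, name = rest.split(":", 1)
        present = not prefix.startswith("File not found")
        cm = COMPANY_RE.search(prefix)
        company = cm["company"].strip() if (present and cm) else ""
        exceptions.append(FirewallException(path, state, name, present, company))
    return exceptions, settings


def findings(exceptions: List[FirewallException], settings: Dict[str, int]) -> List[str]:
    """Triage rules (assumptions of this example), in log order."""
    out = []
    for e in exceptions:
        if e.enabled and not e.present:
            out.append(f"stale firewall exception, file missing: {e.path}")
        elif e.enabled and e.company == "":
            out.append(f"enabled exception with no company string: {e.path}")
    # AntiVirusOverride=1 tells Security Center the user monitors AV status
    # themselves, so it will not warn when AV is off; same idea for the firewall.
    if settings.get("AntiVirusOverride") == 1:
        out.append("Security Center: AntiVirusOverride=1 (AV status not monitored)")
    if settings.get("FirewallOverride") == 1:
        out.append("Security Center: FirewallOverride=1 (firewall status not monitored)")
    for key in ("FirewallDisableNotify", "AntiVirusDisableNotify", "UpdatesDisableNotify"):
        if settings.get(key) == 1:
            out.append(f"Security Center: {key}=1 (alerts suppressed)")
    return out


if __name__ == "__main__":
    exc, st = parse_extras(SAMPLE_EXTRAS)
    for line in findings(exc, st):
        print(line)
```

The override flag is worth reading together with the ComboFix header further down the thread, which reports AVG's on-access scanning as disabled: with AntiVirusOverride set, Security Center would not have said anything about that.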

Re: windows explorer hijack?

Unread postby Carolyn » February 23rd, 2009, 10:50 am

Hello Miguel

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.


  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.





  • At the next prompt, click 'Yes' to run the full ComboFix scan.


  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: windows explorer hijack?

Unread postby miguelvillafana » February 23rd, 2009, 4:26 pm

Hi Carolyn,

Thanks for the reply. I'm following your instructions; however, since some of your instructions assume a tray icon (e.g., windows explorer and/or start menu), it'll be interesting--

Back later,

Miguel V.
miguelvillafana
Regular Member
 
Posts: 126
Joined: January 5th, 2008, 8:01 pm

Re: windows explorer hijack?

Unread postby miguelvillafana » February 23rd, 2009, 4:38 pm

ok, the desktop did NOT detect the jump drive. I'll try to use a memory card.

This might take a while...

Miguel V.
miguelvillafana
Regular Member
 
Posts: 126
Joined: January 5th, 2008, 8:01 pm

Re: windows explorer hijack?

Unread postby miguelvillafana » February 23rd, 2009, 4:58 pm

ok, I copied the files to an SD card, inserted it into a printer, and somehow got the PC to recognize the card. I combined the files on the desktop, and the program immediately ran. I'm going to work right now, and will return this evening to see what happened---

I hope we're making some progress!

Miguel V.
miguelvillafana
Regular Member
 
Posts: 126
Joined: January 5th, 2008, 8:01 pm

Re: windows explorer hijack?

Unread postby miguelvillafana » February 23rd, 2009, 5:22 pm

Ok, I have a few minutes before leaving for work. First up, the combofix log--

Miguel V.

**********

ComboFix 09-02-21.01 - BELLA 2009-02-23 16:10:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.169 [GMT -5:00]
Running from: c:\documents and settings\BELLA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BELLA\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\desktop.ini
c:\documents and settings\All Users\Application Data\vlc-0.9.4-win32.exe
c:\program files\INSTALL.LOG
c:\program files\Microsoft Common
c:\windows\system32\tmp.reg
c:\windows\system32\uninstall.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 18:45 . 2009-02-22 18:45 <DIR> d-------- c:\program files\CCleaner
2009-02-19 11:08 . 2009-02-19 11:08 53 --a------ c:\windows\DelToolbox.bat
2009-02-17 16:18 . 2009-02-17 16:20 <DIR> d-------- C:\Rooter$
2009-01-30 08:36 . 2009-02-17 12:31 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 18:03 . 2009-02-22 18:42 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-29 18:03 . 2009-01-30 12:42 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-29 18:03 . 2009-01-30 12:42 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-29 18:03 . 2009-01-30 12:42 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-24 09:44 . 2009-01-24 09:44 <DIR> d-------- c:\program files\MSECache
2009-01-23 23:41 . 2009-01-23 23:41 <DIR> d-------- c:\documents and settings\BELLA\Application Data\OpenOffice.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 18:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-22 05:04 --------- d-----w c:\program files\Common Files\Adobe
2009-02-22 04:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-22 04:35 --------- d-----w c:\program files\Sony
2009-02-22 04:16 --------- d-----w c:\program files\Common Files\Apple
2009-02-22 04:12 --------- d-----w c:\program files\Google
2009-02-22 04:08 --------- d-----w c:\program files\GRETECH
2009-01-30 22:28 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-30 22:28 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-01-30 17:42 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-30 16:39 --------- d-----w c:\documents and settings\BELLA\Application Data\Skype
2009-01-30 13:34 --------- d-----w c:\documents and settings\BELLA\Application Data\skypePM
2009-01-26 14:21 --------- d-----w c:\program files\QuickTime
2009-01-24 04:02 --------- d-----w c:\program files\Yahoo!
2009-01-24 04:01 --------- d-----w c:\program files\Logitech
2009-01-24 04:01 --------- d-----w c:\program files\Common Files\Logitech
2009-01-24 03:58 --------- d-----w c:\documents and settings\BELLA\Application Data\Sony
2009-01-24 03:39 --------- d-----w c:\documents and settings\BELLA\Application Data\MSN6
2009-01-17 13:11 --------- d-----w c:\program files\Common Files\logishrd
2009-01-17 13:00 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2009-01-15 19:57 --------- d-----w c:\documents and settings\BELLA\Application Data\Leadertech
2009-01-15 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-01-11 03:33 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-11 03:33 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-10 01:58 --------- d-----w c:\program files\Skype
2009-01-07 18:09 --------- d-----w c:\program files\Common Files\Skype
2009-01-07 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-27 04:45 6,656 ----a-w c:\windows\system32\drivers\atmarpc.sys
2008-12-27 04:43 6,656 ----a-w c:\windows\system32\drivers\audstub.sys
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-17 06:01 432,664 ----a-w c:\windows\system32\LVUI2RC.dll
2008-12-17 06:00 494,104 ----a-w c:\windows\system32\LVUI2.dll
2008-12-17 05:55 416,280 ----a-w c:\windows\system32\lvcodec2.dll
2008-12-17 05:55 195,096 ----a-w c:\windows\system32\lvci11901262.dll
2008-12-17 05:37 29,562 ----a-w c:\windows\system32\Repository.reg
2008-02-07 23:24 56,912 ----a-w c:\documents and settings\BELLA\g2mdlhlpx.exe
2007-07-18 21:10 374 ----a-w c:\documents and settings\BELLA\Application Data\internaldb6334.dat
2007-07-18 21:07 556 ----a-w c:\documents and settings\BELLA\Application Data\internaldb8467.dat
2007-07-18 21:07 18,432 ----a-w c:\documents and settings\BELLA\Application Data\internaldb41.dat
2007-07-15 07:09 8,192 --sha-w c:\program files\Thumbs.db
2008-05-07 22:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-01-20 1451248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"tgcmd"="c:\program files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-03 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-04 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 c:\windows\LTSMMSG.exe]

c:\documents and settings\BELLA\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-11-07 517384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-02 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 12:42 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 21:48 133104 c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\BELLA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\BELLA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-29 107272]
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [2008-01-06 2560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-08-03 815819]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34a7b89b-d1b8-11db-b822-00038a000011}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - H:\system.exe
\Shell\Open\command - H:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - I:\system.exe
\Shell\Open\command - I:\system.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-645757453-2619313026-2317538923-1006.job
- c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:48]

2007-02-03 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

2007-02-03 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 19:12]

2009-01-26 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

2009-02-23 c:\windows\Tasks\User_Feed_Synchronization-{B8726A76-E3AC-4D6F-8C87-A4358E07678D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-SiS Tray - (no file)
Notify-klogon - (no file)
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: kaspersky.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\BELLA\Application Data\Mozilla\Firefox\Profiles\ienyhy91.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\BELLA\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 16:12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-23 16:17:13
ComboFix-quarantined-files.txt 2009-02-23 21:16:39

Pre-Run: 4,757,405,696 bytes free
Post-Run: 4,750,458,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

216 --- E O F --- 2009-02-12 02:07:57

Re: windows explorer hijack?

Unread postby miguelvillafana » February 23rd, 2009, 5:26 pm

next up, HJT--

Miguel V.

ps--do you think we're making progress?

**********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:50 PM, on 2/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2459300968
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 9522 bytes

Re: windows explorer hijack?

Unread postby miguelvillafana » February 23rd, 2009, 5:27 pm

Now I have to run to work! I'll be back in a few hours--

Miguel V.

Re: windows explorer hijack?

Unread postby Carolyn » February 23rd, 2009, 7:22 pm

Hi Miguel,

ps--do you think we're making progress?


Yes, I think we are.

===================

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
KILLALL::

File::
c:\windows\system32\system.exe
c:\windows\Tasks\Registration reminder 1.job
c:\windows\Tasks\Registration reminder 2.job
c:\windows\Tasks\rpc.job

Folder::
c:\program files\Winferno

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34a7b89b-d1b8-11db-b822-00038a000011}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


===================

Please check to see if the computer is able to access the internet. If it is, please do the following:


Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

===================

Please post the following in your next reply:
  • The ComboFix log
  • The Kaspersky log
  • The contents of C:\QooBox\Add-Remove Programs.txt
  • A fresh HijackThis log
  • A description of how the computer is behaving. Does the desktop load correctly now?
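The CFScript above was built by reading two sections of the ComboFix log by hand: the MountPoints2 keys whose AutoRun/Open/Explore verbs launch system.exe from a removable drive, and the scheduled task whose target ComboFix listed with an empty "[]". The following triage helper is an added example (my code, not a ComboFix or MalwareRemoval.com tool) that parses those two sections from log text, flags such entries for review, and emits the matching File:: and Registry:: lines. The sample input is copied from the log posted earlier in the thread; treating an empty "[]" as "target file not found" is an assumption, and a flagged entry is a candidate for the helper to review, not a confirmed detection.

```python
"""Triage helper for the MountPoints2 and 'Scheduled Tasks' sections of a
ComboFix log. Added example, not a ComboFix tool.

- A MountPoints2 entry is flagged when any Shell verb command ends in an
  executable on a drive letter or invokes RunDLL32/ShellExec_RunDLL, the
  removable-drive autorun pattern seen in the log above.
- A scheduled task is flagged when ComboFix printed an empty '[]' after the
  target (assumed here to mean the target file was not found).
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\Tasks\\.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.*?) \[(.*)\]$")
# Drive-letter-rooted .exe, or RunDLL32 used to ShellExec a bare file name.
EXE_RE = re.compile(r"^[a-z]:\\.*\.exe$|shellexec_rundll", re.IGNORECASE)


@dataclass
class MountPoint:
    key: str
    verbs: dict = field(default_factory=dict)  # verb name -> command line

    def is_suspicious(self) -> bool:
        return any(EXE_RE.search(cmd) for cmd in self.verbs.values())


@dataclass
class Task:
    job: str
    target: str
    stamp: str  # text inside the trailing [...]; empty when no file was found

    def is_orphaned(self) -> bool:
        return self.stamp.strip() == ""


def parse_combofix(text: str):
    """Return (mountpoints, tasks) found in ComboFix log text."""
    mountpoints, tasks = [], []
    current, pending_job = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # blank line ends a registry key block
            continue
        if m := KEY_RE.match(line):
            current = MountPoint(key=m.group(1))
            mountpoints.append(current)
        elif (m := VERB_RE.match(line)) and current is not None:
            current.verbs[m.group(1)] = m.group(2)
        elif m := TASK_RE.match(line):
            pending_job = m.group(1)  # target follows on the next line
        elif (m := TARGET_RE.match(line)) and pending_job is not None:
            tasks.append(Task(pending_job, m.group(1), m.group(2)))
            pending_job = None
    return mountpoints, tasks


def build_cfscript(mountpoints, tasks) -> str:
    """Emit CFScript File:: and Registry:: sections for flagged entries only."""
    files = [t.job for t in tasks if t.is_orphaned()]
    keys = [mp.key for mp in mountpoints if mp.is_suspicious()]
    out = []
    if files:
        out += ["File::", *files, ""]
    if keys:
        # REGEDIT4 syntax: a leading '-' inside the brackets deletes the key.
        out += ["Registry::", *[f"[-{k}]" for k in keys], ""]
    return "\n".join(out)


def triage(text: str) -> str:
    mountpoints, tasks = parse_combofix(text)
    return build_cfscript(mountpoints, tasks)


# Sample input copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34a7b89b-d1b8-11db-b822-00038a000011}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - H:\system.exe
\Shell\Open\command - H:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66eab789-bccb-11dc-b84b-00e018b9eabc}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - I:\system.exe
\Shell\Open\command - I:\system.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-26 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a full ComboFix.txt the script lists only the flagged MountPoints2 keys and orphaned tasks, which the helper then compares against the rest of the log before anything is removed.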

Re: windows explorer hijack?

Unread postby miguelvillafana » February 24th, 2009, 2:16 am

THE DESKTOP'S BACK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I love you guys!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!11

Ok, still the followup work... I assume you wanted the combofix log from right after I merged the cfscript and combofix.exe. If not please let me know, but I assume that's what you wanted. I'll post the other logs shortly--

Miguel V.

**********

ComboFix 09-02-21.01 - BELLA 2009-02-24 0:43:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.170 [GMT -5:00]
Running from: c:\documents and settings\BELLA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BELLA\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\system.exe
c:\windows\Tasks\Registration reminder 1.job
c:\windows\Tasks\Registration reminder 2.job
c:\windows\Tasks\rpc.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\Registration reminder 1.job
c:\windows\Tasks\Registration reminder 2.job
c:\windows\Tasks\rpc.job

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-22 18:45 . 2009-02-22 18:45 <DIR> d-------- c:\program files\CCleaner
2009-02-19 11:08 . 2009-02-19 11:08 53 --a------ c:\windows\DelToolbox.bat
2009-02-17 16:18 . 2009-02-17 16:20 <DIR> d-------- C:\Rooter$
2009-01-30 08:36 . 2009-02-17 12:31 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 18:03 . 2009-02-23 22:11 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-29 18:03 . 2009-01-30 12:42 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-29 18:03 . 2009-01-30 12:42 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-29 18:03 . 2009-01-30 12:42 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-24 09:44 . 2009-01-24 09:44 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 18:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-22 05:04 --------- d-----w c:\program files\Common Files\Adobe
2009-02-22 04:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-22 04:35 --------- d-----w c:\program files\Sony
2009-02-22 04:16 --------- d-----w c:\program files\Common Files\Apple
2009-02-22 04:12 --------- d-----w c:\program files\Google
2009-02-22 04:08 --------- d-----w c:\program files\GRETECH
2009-01-30 22:28 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-30 22:28 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-01-30 17:42 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-30 16:39 --------- d-----w c:\documents and settings\BELLA\Application Data\Skype
2009-01-30 13:34 --------- d-----w c:\documents and settings\BELLA\Application Data\skypePM
2009-01-26 14:21 --------- d-----w c:\program files\QuickTime
2009-01-24 04:41 --------- d-----w c:\documents and settings\BELLA\Application Data\OpenOffice.org
2009-01-24 04:02 --------- d-----w c:\program files\Yahoo!
2009-01-24 04:01 --------- d-----w c:\program files\Logitech
2009-01-24 04:01 --------- d-----w c:\program files\Common Files\Logitech
2009-01-24 03:58 --------- d-----w c:\documents and settings\BELLA\Application Data\Sony
2009-01-24 03:39 --------- d-----w c:\documents and settings\BELLA\Application Data\MSN6
2009-01-17 13:11 --------- d-----w c:\program files\Common Files\logishrd
2009-01-17 13:00 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2009-01-15 19:57 --------- d-----w c:\documents and settings\BELLA\Application Data\Leadertech
2009-01-15 19:53 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-01-11 03:33 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-11 03:33 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-10 01:58 --------- d-----w c:\program files\Skype
2009-01-07 18:09 --------- d-----w c:\program files\Common Files\Skype
2009-01-07 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-27 04:45 6,656 ----a-w c:\windows\system32\drivers\atmarpc.sys
2008-12-27 04:43 6,656 ----a-w c:\windows\system32\drivers\audstub.sys
2008-02-07 23:24 56,912 ----a-w c:\documents and settings\BELLA\g2mdlhlpx.exe
2007-07-18 21:10 374 ----a-w c:\documents and settings\BELLA\Application Data\internaldb6334.dat
2007-07-18 21:07 556 ----a-w c:\documents and settings\BELLA\Application Data\internaldb8467.dat
2007-07-18 21:07 18,432 ----a-w c:\documents and settings\BELLA\Application Data\internaldb41.dat
2007-07-15 07:09 8,192 --sha-w c:\program files\Thumbs.db
2008-05-07 22:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_16.13.46.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-17 02:59:28 109,080 ----a-w c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-01-20 1451248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"tgcmd"="c:\program files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-03 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-04 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 c:\windows\LTSMMSG.exe]

c:\documents and settings\BELLA\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\QuickCam\eReg.exe [2008-11-07 517384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-02 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 12:42 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-02 21:48 133104 c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\BELLA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\BELLA\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-29 107272]
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [2008-01-06 2560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-08-03 815819]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-645757453-2619313026-2317538923-1006.job
- c:\documents and settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:48]

2009-02-24 c:\windows\Tasks\User_Feed_Synchronization-{B8726A76-E3AC-4D6F-8C87-A4358E07678D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: kaspersky.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\BELLA\Application Data\Mozilla\Firefox\Profiles\ienyhy91.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 00:57:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-02-24 1:05:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 06:05:52
ComboFix2.txt 2009-02-23 21:17:14

Pre-Run: 4,725,968,896 bytes free
Post-Run: 4,729,368,576 bytes free

207 --- E O F --- 2009-02-12 02:07:57
miguelvillafana
Regular Member
 
Posts: 126
Joined: January 5th, 2008, 8:01 pm

Re: windows explorer hijack?

Unread postby miguelvillafana » February 24th, 2009, 8:16 am

uh oh.......................

After a looooooooooooooooooooooooooong time downloading the database, kaspersky says this desktop is still infected... Trojan-mailfinder?

By the way, Carolyn, I'm sorry for bitching off. Although I've come across as just a bit paranoid, my biggest concern of all is the fear of someone installing a back door or something like that on this machine...

Miguel V.

**********

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 24, 2009 06:02:43
Records in database: 1837072
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 59714
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:11:06


File name / Threat name / Threats count
C:\WINDOWS\system32\drivers\atmarpc.sys Infected: Trojan-Mailfinder.Win32.Agent.wd 1
C:\WINDOWS\system32\drivers\audstub.sys Infected: Trojan-Mailfinder.Win32.Agent.wd 1

The selected area was scanned.

Re: windows explorer hijack?

Unread postby miguelvillafana » February 24th, 2009, 8:17 am

Here we go, here's qoobox--

Miguel V.

**********

C:\QooBox\Add-Remove Programs.txt

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements
Adobe Reader 8.1.3
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
BellSouth Application Management
BellSouth FastAccess DSL Help Center
Bonjour
BufferChm
CCleaner (remove only)
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
DV Network Software
DVgate
Experience Vaio
Fax
FLV Player 2.0, build 24
FLV Player 2.2.4
Free RAR Extract Frog 1.00
Google Talk Plugin
Google Updater
GoToMeeting/GoToWebinar 3.0.0.198
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)

Re: windows explorer hijack?

Unread postby miguelvillafana » February 24th, 2009, 9:09 am

Hi Carolyn,

Here we go (again). Here's a fresh hjt log--

Miguel V.

**********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:16 AM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Support.com\BellSouth\hcenter.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\BELLA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2459300968
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 10021 bytes

Re: windows explorer hijack?

Unread postby Carolyn » February 24th, 2009, 12:27 pm

By the way, Carolyn, I'm sorry for bitching off. Although I've come across as just a bit paranoid, my biggest concern of all is the fear of someone installing a back door or something like that on this machine...


No need to apologize Miguel. I share your concern. Let's upload one of the files that had been quarantined by ComboFix for scanning - it could be a backdoor threat. I think the files identified by Kaspersky may be false positives, but let's upload them as well to be certain.


Upload files for scanning
I'd like you to check a file/some files for malware.
c:\qoobox\quarantine\c\windows\system32\system.exe.vir
C:\WINDOWS\system32\drivers\atmarpc.sys
C:\WINDOWS\system32\drivers\audstub.sys

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.


=====================


Download and run Flash_Disinfector

  • Download Flash_Disinfector from here and save it to your desktop.
  • Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
  • Wait until it has finished scanning and then exit the program.
  • The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone, mp3 player, and so on. Please do so and allow the utility to clean up those drives as well.


=====================

Please post the results from VirusTotal/Jotti for my review.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine