Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

bloodhound exploit 196

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

bloodhound exploit 196

Unread postby dgonthefly » July 19th, 2009, 8:22 am

hello - I'm REALLY frustrated by this. I've tried the symantec instrucions and read some in this forum. Would appreciate any help. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:08 AM, on 7/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\sttray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Windows\explorer.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\Windows\System32\TwcToolbarBho.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\Windows\System32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/Fac ... der4_5.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8754 bytes
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am
Advertisement
Register to Remove

Re: bloodhound exploit 196

Unread postby MWR 3 day Mod » July 22nd, 2009, 3:17 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: bloodhound exploit 196

Unread postby Dakeyras » July 23rd, 2009, 4:27 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi dgonthefly and welcome to Malware Removal :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Vista Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.

The Operating System(Vista aka Windows 6) in use comes with a inbuilt utility called User Access Control(UAC) when prompted by this with anything I ask you to do carry out please select the option Allow.

Scan with Rooter:

Please download Rooter.exe to your desktop.

  • Right-click on Rooter.exe and select Run as Administrator to start the application.
  • Now click on the Scan button.
  • When the scan is completed a text file called Rooter.txt will appear on your desktop, post the contents in your next reply.
  • Now click on Close button to exit Rooter.

Note: The logfile can also be located within this folder Rooter$ at the root of your installed Hard-Drive. EG: C:\Rooter$

Scan with RSIT:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
Make sure that RSIT.exe is on the your Desktop before running the application!
  • Right click on RSIT.exe and select Run as Administrator to start RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

When completed the above, please post back the following in the order asked for:

  • How is you computer performing now, any further symptoms and or problems encountered?
  • Rooter Log.
  • Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: bloodhound exploit 196

Unread postby dgonthefly » July 23rd, 2009, 8:13 pm

How is you computer performing now, any further symptoms and or problems encountered?
I have recieved two quarantine warnings from Symantec (Bloodhound exploit 196) was quarantined. That IS better, usually they come rather quickly and by the end of the day can number in the hindreds or more.

Rooter Log. (In next post)


Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply (In next two posts)
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby dgonthefly » July 23rd, 2009, 8:14 pm

ooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 6 Model 14 Stepping 12, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 7.0.6001.18000
Mozilla Firefox 3.0.8 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:99 Go - Free:56 Go )
D:\ [Fixed-NTFS] .. ( Total:9 Go - Free:5 Go )
E:\ [CD_Rom]
.
Scan : 20:00.02
Path : C:\Users\Alyssa\Desktop\Rooter.exe
User : Alyssa ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (420)
______ C:\Windows\system32\csrss.exe (560)
______ C:\Windows\system32\wininit.exe (604)
______ C:\Windows\system32\csrss.exe (616)
______ C:\Windows\system32\services.exe (648)
______ C:\Windows\system32\lsass.exe (660)
______ C:\Windows\system32\lsm.exe (672)
______ C:\Windows\system32\winlogon.exe (776)
______ C:\Windows\system32\svchost.exe (852)
______ C:\Windows\system32\svchost.exe (912)
______ C:\Windows\System32\svchost.exe (956)
______ C:\Windows\System32\svchost.exe (1048)
______ C:\Windows\System32\svchost.exe (1112)
______ C:\Windows\system32\svchost.exe (1132)
Locked audiodg.exe (1220)
______ C:\Windows\system32\SLsvc.exe (1260)
______ C:\Windows\system32\svchost.exe (1296)
______ C:\Windows\system32\svchost.exe (1396)
______ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (1568)
______ C:\Windows\System32\WLTRYSVC.EXE (1632)
______ C:\Windows\System32\bcmwltry.exe (1704)
______ C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (1716)
______ C:\Windows\system32\Dwm.exe (1984)
______ C:\Windows\Explorer.EXE (2036)
______ C:\Windows\System32\spoolsv.exe (1008)
______ C:\Program Files\Windows Defender\MSASCui.exe (1208)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (1364)
______ C:\Windows\System32\hkcmd.exe (1440)
______ C:\Windows\System32\igfxpers.exe (1520)
______ C:\Windows\System32\WLTRAY.EXE (1160)
______ C:\Windows\system32\taskeng.exe (836)
______ C:\Windows\system32\svchost.exe (1564)
______ C:\Program Files\iTunes\iTunesHelper.exe (1792)
______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (2156)
______ C:\Program Files\Symantec AntiVirus\VPTray.exe (2200)
______ C:\Windows\sttray.exe (2244)
______ C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (2312)
______ C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE (2332)
______ C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (2356)
______ C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (2388)
______ C:\Program Files\Digital Line Detect\DLG.exe (2404)
______ C:\Program Files\Dell\QuickSet\quickset.exe (2420)
______ C:\Program Files\Bonjour\mDNSResponder.exe (2940)
______ C:\Program Files\Symantec AntiVirus\DefWatch.exe (2980)
______ C:\Windows\system32\svchost.exe (3200)
______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (3384)
______ C:\Windows\system32\svchost.exe (3560)
______ C:\Program Files\Symantec AntiVirus\Rtvscan.exe (3620)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (3688)
______ C:\Windows\System32\svchost.exe (3740)
______ C:\Windows\system32\SearchIndexer.exe (3772)
______ C:\Windows\system32\DRIVERS\xaudio.exe (3796)
______ C:\Program Files\iPod\bin\iPodService.exe (2724)
______ C:\Windows\system32\wbem\wmiprvse.exe (2872)
______ C:\Program Files\Symantec AntiVirus\SavUI.exe (2440)
______ C:\Windows\system32\taskeng.exe (1152)
______ C:\Windows\system32\taskeng.exe (3708)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (1908)
______ C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe (4236)
______ C:\QUICKENW\QW.EXE (6076)
______ C:\Windows\system32\wuauclt.exe (4748)
______ C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE (5544)
______ C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (4928)
______ C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE (5724)
______ C:\Program Files\SlimBrowser\sbrowser.exe (2772)
______ C:\Windows\system32\SearchProtocolHost.exe (3844)
______ C:\Windows\system32\SearchFilterHost.exe (5452)
______ C:\Users\Alyssa\Desktop\Rooter.exe (5016)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:57544704)
\Device\Harddisk0\Partition2 (Start_Offset:57671680 | Length:10737418240)
\Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:10795089920 | Length:107090018304)
\Device\Harddisk0\Partition0 (Start_Offset:117885108224 | Length:2147483648)
\Device\Harddisk0\Partition4 (Start_Offset:117886156800 | Length:2146435072)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 20:00.11
.
C:\Rooter$\Rooter_1.txt - (23/07/2009 | 20:00.12)
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby dgonthefly » July 23rd, 2009, 8:15 pm

info.txt logfile of random's system information tool 1.06 2009-07-23 20:05:14

======Uninstall list======

-->"C:\Program Files\Dell Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\Dell Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\Dell Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\Dell Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\Dell Games\Dell Game Console\Uninstall.exe"
-->"C:\Program Files\Dell Games\Dell Media Center Game Console\Uninstall.exe"
-->"C:\Program Files\Dell Games\FATE\Uninstall.exe"
-->"C:\Program Files\Dell Games\JEOPARDY\Uninstall.exe"
-->"C:\Program Files\Dell Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\Dell Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\Dell Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\Dell Games\SCRABBLE\Uninstall.exe"
-->C:\PROGRA~1\RUCKUS~1\UNWISE.EXE /a C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Banctec Service Agreement-->MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
Bonjour Core for Windows-->MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
Canon IJ Network Scan Utility-->C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSU.EXE
Canon IJ Network Tool-->C:\Program Files\Canon\Canon IJ Network Tool\CNMNUU.exe
Canon iP4200-->C:\Windows\system32\CNMCP78.exe "-PRINTERNAMECanon iP4200" "-HELPERDLLC:\ProgramData\CanonBJ\IJPrinter\CNMWindows\Canon iP4200 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon MP Navigator EX 2.0-->"C:\Program Files\Canon\MP Navigator EX 2.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 2.0\uninst.ini
Canon MP620 series MP Drivers-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP620_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP620_series /L0x0009
Canon MP620 series User Registration-->C:\Program Files\Canon\IJEREG\MP620 series\UNINST.EXE
Canon PhotoRecord-->MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon Setup Utility 2.0-->"C:\Program Files\Canon\Canon Setup Utility 2.0\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.0\uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Conexant HDA D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -IDellHDAz.inf
Corel Paint Shop Pro Photo XI-->MsiExec.exe /I{93A1B09E-BAFA-4628-A5B6-921CB026955A}
DAO 3.5-->C:\Windows\IsUninst.exe -f"C:\Program Files\Intuit\DAO 3.5\Uninst.isu"
Dell Games-->"C:\Program Files\Dell Games\Uninstall.exe"
Dell Support Center-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Easy-WebPrint-->C:\Windows\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Electronic Listening Guides-->MsiExec.exe /I{EC6771C2-52AF-4CEB-B636-EF718035D339}
FrostWire 4.18.0-->C:\Program Files\FrostWire\Uninstall.exe
Games, Music, & Photos Launcher-->MsiExec.exe /I{3E25E350-949F-4DB7-8288-2A60E018B4C1}
Goombah Partner COM Server-->MsiExec.exe /I{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Internet Service Offers Launcher-->MsiExec.exe /I{CCFF1E13-77A2-4032-8B12-7566982A27DF}
iTunes-->MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Materials of Music Interactive-->C:\PROGRA~1\ENJOYM~1\MATERI~1\UNWISE.EXE C:\PROGRA~1\ENJOYM~1\MATERI~1\INSTALL.LOG
MediaDirect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\Setup.exe" -l0x9 -cluninstall
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Move Networks Media Player for Internet Explorer-->C:\Users\Alyssa\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
PrimoPDF -- brought to you by Nitro PDF Software-->"C:\Program Files\Nitro PDF\PrimoPDF\uninstaller.exe"
Product Documentation Launcher-->MsiExec.exe /I{89CEAE14-DD0F-448E-9554-15781EC9DB24}
Quicken Basic 2000-->C:\Windows\IsUninst.exe -fC:\QUICKENW\Uninst.isu
QuickSet-->MsiExec.exe /I{7F0C4457-8E64-491B-8D7B-991504365D1E}
QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE-->MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Ruckus Player-->C:\PROGRA~1\RUCKUS~1\UNWISE.EXE C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SlimBrowser (remove only)-->"C:\Program Files\SlimBrowser\uninst.exe"
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Symantec AntiVirus-->MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
The Weather Channel Toolbar-->C:\PROGRA~1\THEWEA~2\UNWISE.EXE C:\PROGRA~1\THEWEA~2\twcINSTALL.LOG
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
VideoLAN VLC media player 0.8.6d-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WinPatrol 2009-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0

======Security center information======

AV: Symantec AntiVirus
AS: Symantec AntiVirus
AS: Windows Defender

======System event log======

Computer Name: Alyssa-PC
Event Code: 7
Message: The speed of processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 4 seconds since the last report.
Record Number: 128410
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090722174553.725000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Alyssa-PC
Event Code: 7
Message: The speed of processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 4 seconds since the last report.
Record Number: 128411
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090722174553.733000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Alyssa-PC
Event Code: 36
Message: The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.
Record Number: 128467
Source Name: Microsoft-Windows-Time-Service
Time Written: 20090723113802.000000-000
Event Type: Warning
User:

Computer Name: Alyssa-PC
Event Code: 7
Message: The speed of processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 9298 seconds since the last report.
Record Number: 128502
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090723174548.784000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Alyssa-PC
Event Code: 7
Message: The speed of processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 9298 seconds since the last report.
Record Number: 128503
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090723174548.792000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: Alyssa-PC
Event Code: 46
Message:

Security Risk Found!Risk: Bloodhound.Exploit.196 in File: C:\Users\Alyssa\AppData\Local\Temp\DWHB3F7.tmp by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.


Record Number: 228957
Source Name: Symantec AntiVirus
Time Written: 20090724000612.000000-000
Event Type: Error
User:

Computer Name: Alyssa-PC
Event Code: 5
Message:

Risk Found!Risk: Bloodhound.Exploit.196 in File: C:\Users\Alyssa\AppData\Local\Temp\DWHB3F7.tmp by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.


Record Number: 228958
Source Name: Symantec AntiVirus
Time Written: 20090724000612.000000-000
Event Type: Error
User:

Computer Name: Alyssa-PC
Event Code: 51
Message:

Security Risk Found!Risk: Bloodhound.Exploit.196 in File: C:\Users\Alyssa\AppData\Local\Temp\DWHB3F7.tmp by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.


Record Number: 228959
Source Name: Symantec AntiVirus
Time Written: 20090724000612.000000-000
Event Type: Error
User:

Computer Name: Alyssa-PC
Event Code: 46
Message:

Security Risk Found!Risk: Bloodhound.Exploit.196 in File: C:\Users\Alyssa\AppData\Local\Temp\DWH6D86.tmp by: Defwatch scan. Action: Clean failed. Action Description: The file was left unchanged.


Record Number: 228960
Source Name: Symantec AntiVirus
Time Written: 20090724000629.000000-000
Event Type: Error
User:

Computer Name: Alyssa-PC
Event Code: 51
Message:

Security Risk Found!Risk: Bloodhound.Exploit.196 in File: C:\Users\Alyssa\AppData\Local\Temp\DWH6D86.tmp by: Defwatch scan. Action: Clean failed. Action Description: The file was left unchanged.


Record Number: 228961
Source Name: Symantec AntiVirus
Time Written: 20090724000630.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Alyssa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 59407
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090724000509.959000-000
Event Type: Audit Failure
User:

Computer Name: Alyssa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 59408
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090724000510.019000-000
Event Type: Audit Failure
User:

Computer Name: Alyssa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 59409
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090724000510.081000-000
Event Type: Audit Failure
User:

Computer Name: Alyssa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 59410
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090724000510.141000-000
Event Type: Audit Failure
User:

Computer Name: Alyssa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Record Number: 59411
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090724000510.202000-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 12, GenuineIntel
"PROCESSOR_REVISION"=0e0c
"NUMBER_OF_PROCESSORS"=2
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip

-----------------EOF-----------------
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby dgonthefly » July 23rd, 2009, 8:16 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by Alyssa at 2009-07-23 20:04:46
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 58 GB (57%) free of 102 GB
Total RAM: 2038 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:11 PM, on 7/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\sttray.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\QUICKENW\QW.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Users\Alyssa\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Alyssa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\Windows\System32\TwcToolbarBho.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\Windows\System32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/Fac ... der4_5.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8834 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - c:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-05-20 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}]
TwcToolbarBhoApp Class - C:\Windows\System32\TwcToolbarBho.dll [2008-07-22 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-03-16 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]
{2E5E800E-6AC0-411E-940A-369530A35E43} - The Weather Channel Toolbar - C:\Windows\System32\TwcToolbarIe7.dll [2008-07-22 327680]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-11-17 815104]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-11-15 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-11-15 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-11-15 81920]
"Broadcom Wireless Manager UI"=C:\Windows\system32\WLTRAY.exe [2006-11-27 1540096]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2007-06-28 270648]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-22 107112]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-11-28 134808]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"SigmatelSysTrayApp"=C:\Windows\sttray.exe [2007-02-08 303104]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2008-03-10 689488]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2008-03-17 1848648]
"IJNetworkScanUtility"=C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [2007-05-21 124512]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-06-01 341312]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"DW6"=C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2009-02-11 801904]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-11-15 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9989b785-15f0-11dd-8085-0015c57abdd3}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======File associations======

.js - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-07-23 20:04:46 ----D---- C:\rsit
2009-07-23 20:00:12 ----D---- C:\Rooter$
2009-07-19 08:18:45 ----D---- C:\Program Files\Trend Micro
2009-07-19 08:06:47 ----D---- C:\Users\Alyssa\AppData\Roaming\WinPatrol
2009-07-19 08:06:41 ----D---- C:\Program Files\BillP Studios
2009-07-19 07:45:15 ----D---- C:\Users\Alyssa\AppData\Roaming\Malwarebytes
2009-07-19 07:45:06 ----D---- C:\ProgramData\Malwarebytes
2009-07-19 07:45:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-18 21:29:27 ----A---- C:\Windows\ntbtlog.txt
2009-07-18 21:00:16 ----D---- C:\Program Files\Common Files\CANON
2009-07-18 20:56:22 ----HD---- C:\Windows\system32\CanonIJ Uninstaller Information
2009-07-18 20:54:20 ----A---- C:\Windows\system32\CNMLM9D.DLL
2009-07-18 20:54:08 ----A---- C:\Windows\system32\CNC620O.DLL
2009-07-18 20:54:08 ----A---- C:\Windows\system32\CNC620L.DLL
2009-07-18 20:54:08 ----A---- C:\Windows\system32\CNC620I.DLL
2009-07-18 20:54:07 ----A---- C:\Windows\system32\CNC620C.DLL
2009-07-18 20:53:55 ----HD---- C:\Program Files\CanonBJ
2009-07-18 20:53:42 ----A---- C:\Windows\system32\CNMNPUI.DLL
2009-07-18 20:53:41 ----A---- C:\Windows\system32\CNMNPPM.DLL
2009-07-14 22:01:37 ----A---- C:\Windows\system32\t2embed.dll
2009-07-14 22:01:36 ----A---- C:\Windows\system32\fontsub.dll
2009-07-14 22:01:36 ----A---- C:\Windows\system32\dciman32.dll
2009-07-14 22:01:36 ----A---- C:\Windows\system32\atmfd.dll

======List of files/folders modified in the last 1 months======

2009-07-23 20:05:10 ----D---- C:\Windows\Temp
2009-07-23 20:05:06 ----D---- C:\Users\Alyssa\AppData\Roaming\SlimBrowser
2009-07-23 20:04:59 ----D---- C:\Windows\Prefetch
2009-07-23 11:09:52 ----SHD---- C:\System Volume Information
2009-07-19 08:18:45 ----RD---- C:\Program Files
2009-07-19 08:05:01 ----D---- C:\Program Files\Graboid
2009-07-19 07:45:08 ----D---- C:\Windows\system32\drivers
2009-07-19 07:45:06 ----HD---- C:\ProgramData
2009-07-18 21:40:51 ----D---- C:\Windows
2009-07-18 21:25:02 ----SHD---- C:\Windows\Installer
2009-07-18 21:24:51 ----D---- C:\Windows\System32
2009-07-18 21:23:38 ----D---- C:\Windows\winsxs
2009-07-18 21:23:14 ----D---- C:\ProgramData\Adobe
2009-07-18 21:13:51 ----D---- C:\Program Files\Canon
2009-07-18 21:07:52 ----D---- C:\Windows\twain_32
2009-07-18 21:04:03 ----D---- C:\Windows\inf
2009-07-18 21:04:03 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-07-18 21:01:14 ----RSD---- C:\Windows\Media
2009-07-18 21:00:16 ----D---- C:\Program Files\Common Files
2009-07-18 20:56:19 ----D---- C:\Windows\system32\catroot
2009-07-18 20:55:23 ----D---- C:\Windows\system32\catroot2
2009-07-17 17:39:33 ----D---- C:\QUICKENW
2009-07-15 00:04:31 ----D---- C:\Program Files\Windows Mail
2009-07-13 10:40:12 ----D---- C:\MDT
2009-07-07 11:10:56 ----A---- C:\Windows\system32\mrt.exe
2009-07-05 21:44:36 ----D---- C:\Users\Alyssa\AppData\Roaming\FrostWire
2009-07-05 20:05:11 ----D---- C:\Program Files\FrostWire

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2009-02-25 371248]
R1 ElRawDisk;ElRawDisk; \??\C:\Windows\system32\drivers\elrawdsk.sys [2008-09-03 12800]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2006-10-06 406672]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2006-11-22 25448]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2006-10-26 185744]
R2 dsunidrv;dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [2006-08-17 7424]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-11-11 12672]
R2 mrtRate;mrtRate; C:\Windows\system32\drivers\mrtRate.sys [1999-08-12 34916]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2006-11-20 32256]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2006-11-20 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-20 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-11 8192]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-27 534016]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2007-03-12 45568]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
R3 GEARAspiWDM;GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-11 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-11 206848]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-15 1473024]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090723.003\NAVENG.SYS [2009-07-14 87888]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090723.003\NAVEX15.SYS [2009-07-14 875728]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2006-11-22 247144]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-02-08 647680]
R3 StillCam;Still Serial Digital Camera Driver; C:\Windows\system32\DRIVERS\serscan.sys [2008-01-19 9216]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2007-08-12 109744]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2006-10-26 26384]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-11-17 179256]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-11 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [2006-10-05 4736]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2006-11-22 274328]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-11 611664]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-11-28 30872]
R2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-11-28 1962136]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE [2006-11-27 24064]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-11-11 386560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-06-28 501048]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2006-11-07 70656]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-10-31 2541248]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]

-----------------EOF-----------------
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby dgonthefly » July 23rd, 2009, 8:16 pm

Hopefully I've followed the directions correctly, THANKS!
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby Dakeyras » July 24th, 2009, 4:33 am

Hi :)

Hopefully I've followed the directions correctly, THANKS!
Absolutely fine and you're welcome!

OK just take your time with the below and at any time you encounter a problem and or do not understand something, just stop what you are doing and inform myself straight away please :thumbup:

Viewpoint Software Advice:

This is just to make you aware of the nature of the aforementioned applications. Though not exactly classed as malware they do have some undersirible characteristics. However there is not point uninstalling as the AIM application you have installed, next time used will download/install the aforementioned again with out your knowledge.
Isn't that nice of AOL and their applications :roll:

Next:

If I may bring your attention to the below:

P2P (peer to peer) file sharing programmes must be removed.

So I will be asking to to uninstall FrostWire shortly as per forum policy.

Older Adobe and Java installations pose a security risk and a back-door for malware to reinfect a system. We will update both in due course.

Next:

Now please go to Start >> Control Panel >> Programs and Features and remove the following (if present):

Adobe Reader 8.1.5
FrostWire 4.18.0
Java(TM) SE Runtime Environment 6


To do so click once on each of the below and click on Uninstall/Change and follow the prompts.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Right click on erunt-setup and select Run as Administrator toInstall ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Next:

Please download OTM to your Desktop.

  • Right-click OTM and select Run as Administrator to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
Code: Select all
:Processes
Explorer.EXE

:Files
C:\Users\Alyssa\AppData\Roaming\FrostWire
C:\Program Files\FrostWire
C:\Users\Alyssa\AppData\Local\Temp\DWHB3F7.tmp
C:\Users\Alyssa\AppData\Local\Temp\DWHB3F7.tmp
C:\Users\Alyssa\AppData\Local\Temp\DWH6D86.tmp
C:\Users\Alyssa\AppData\Local\Temp\DWH6D86.tmp

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
[-HKEY_CLASSES_ROOT\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}]
[-HKEY_CLASSES_ROOT\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
[-HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]

:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator

  • Launch the application, Check for Updates >> Perform a Quick Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

Please delete this folder:

C:\RSIT

Next:

Make sure that RSIT.exe is still on your Desktop before running the application!

  • Right-click on RSIT.exe and select Run as Administrator to start RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

When completed the above, please post back the following in the order asked for:

  • How is you computer performing now, any further symptoms and or problems encountered?
  • OTM Log.
  • Malwarebytes' Anti-Malware Log.
  • A new set of RSIT logs. <-- Post them individually please, IE: one Log per post/reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: bloodhound exploit 196

Unread postby dgonthefly » July 24th, 2009, 8:18 am

Ok I made it through the steps, but have run into a problem twice while running OTM. Windows reports that the program has stopped working. (It HAD been running for a LONG time.) It seems like it's happening between the [empty temp] step and the [start explorer] step if I understand what I'm seeing.

So I've stopped doing anything for now.
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby Dakeyras » July 24th, 2009, 9:30 am

Hi :)

OK, reboot(restart) your computer. Then use this OTM custom script instead please:

Code: Select all
:Files
C:\Users\Alyssa\AppData\Roaming\FrostWire
C:\Program Files\FrostWire
C:\Users\Alyssa\AppData\Local\Temp\DWH6D86.tmp
C:\Users\Alyssa\AppData\Local\Temp\DWH6D86.tmp

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
[-HKEY_CLASSES_ROOT\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}]
[-HKEY_CLASSES_ROOT\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
[-HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]

:Commands
[EmptyTemp]
[Reboot]
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: bloodhound exploit 196

Unread postby dgonthefly » July 25th, 2009, 8:25 am

Well, I've tried it a number of times more with the same result. I've decided I will re-install the OS and reformat the drive. (that's something I was considering anyway since the computer is running slowly). I'm hopeful that will resolve this problem.

Thanks SO MUCH for making an effort to help me out.

Since I've uninstalled Adobe and Java runtime environment, I assume I should load those back with the most current versions?

Any other advice you would offer? (Aside from Frostwire - this is my daughter's computer and we've talked about THAT)

Thanks!
dgonthefly
Active Member
 
Posts: 9
Joined: July 19th, 2009, 8:15 am

Re: bloodhound exploit 196

Unread postby Dakeyras » July 25th, 2009, 5:15 pm

Hi :)

Sorry for the delay replying, had a hectic day.

Well, I've tried it a number of times more with the same result. I've decided I will re-install the OS and reformat the drive. (that's something I was considering anyway since the computer is running slowly). I'm hopeful that will resolve this problem.

Thanks SO MUCH for making an effort to help me out.
Thank you for the update and you are welcome!

A reformat and reinstallation of the Windows operating system will have rectified all problems of a malware nature we were dealing with.

Since I've uninstalled Adobe and Java runtime environment, I assume I should load those back with the most current versions?
If you so wish aye. Follow the below on how to exactly:

New Adobe Reader Installation:

  • Go here and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE Runtime Environment (JRE) 6 Update 14. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u14-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u14-windows-i586-p.exe to install Java.

Any other advice you would offer? (Aside from Frostwire - this is my daughter's computer and we've talked about THAT)
By all means I do have and aye do discourage your daughter from installing any other P2P application.

Reformat and Reinstallation Advice:

  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    Here are some free Anti Virus programs which I recommend to use:
    • Antivir PersonalEditionClassic
      • Free anti-virus software for Windows.
      • Detects and removes more than 50,000 viruses. Free support.
    • avast! 4 Home Edition
        • Anti-virus program for Windows.
        • The home edition is freeware for noncommercial users.
    • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
      Here are some free Firewalls which I recommend to use:
      (Use only one, and disable your Windows Firewall)
    Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!
  • Keep your system updated-Microsoft releases patches for Windows and other products regularly:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Malwarebytes' Anti-Malware - Download it from here
    The tutorial on how to use MBAM is located here
  • Install WinPatrol - Download it from here
    You can find information about how WinPatrol works here
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    Download it from here
    The tutorial on how to use Spyware Blaster is located here
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for your daughters computer becoming infected again will reduce dramatically. Any questions feel free to ask OK!
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: bloodhound exploit 196

Unread postby Gary R » July 27th, 2009, 1:11 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware