Mourning the loss of our friend, WhitPhil.
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
access audio black screen blue screen boot bsod connection crash dell desktop driver drivers dvd email error excel firefox hard drive hardware hdmi hijackthis internet itunes keyboard laptop malware monitor network networking outlook problem ram recovery router screen slow sound spyware tdlwsp.dll trojan vba video virus vista vundo windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Task Manager and other programs not opening (In Progress)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Page 1 of 3 1 23
 
Thread Tools
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
06-Nov-2009, 01:03 AM #1
Task Manager and other programs not opening
I am fairly certain that I have a virus or some such nonsense. Unfortunately, Adaware is one of the programs that won't open. I haven't tried to open everything but not being able to access task manager is wrong enough.
Since this has started I have restarted a few times and downloaded Sophos antivirus which found some things but the problem is still there. I ran hijack this and will post the log if you like. Thanks!
Register for free to hide this ad!
flavallee's Avatar
Computer Specs
Trusted Advisor with 23,500 posts.
  
Join Date: May 2002
Location: Hillsborough county, Florida
Experience: Advanced
06-Nov-2009, 10:46 AM #2
If you have the current version of HijackThis(2.0.2) and not an older version, close all open windows, then run a scan and then copy-and-paste the entire log here.

----------------------------------------------------------------

If you're referring to Lavasoft Ad-Aware, get rid of it. I'll direct you to more user-friendly and better free anti-malware/anti-spyware programs.

----------------------------------------------------------------
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
06-Nov-2009, 09:09 PM #3
re: Task Manager and other programs not opening
worth mentioning- links from google searches are being redirected to spam sites. I have deleted all cookies, etc. but no change. I went through my programs and the C drive and found some bad files but deleting them did nothing. Since I cannot access task manager I cannot see any hidden apps running.
Here's the log info:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:15 PM, on 11/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\AGI\core\3.1\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 88.198.198.204 google.ae
O1 - Hosts: 88.198.198.204 google.as
O1 - Hosts: 88.198.198.204 google.at
O1 - Hosts: 88.198.198.204 google.az
O1 - Hosts: 88.198.198.204 google.ba
O1 - Hosts: 88.198.198.204 google.be
O1 - Hosts: 88.198.198.204 google.bg
O1 - Hosts: 88.198.198.204 google.bs
O1 - Hosts: 88.198.198.204 google.ca
O1 - Hosts: 88.198.198.204 google.cd
O1 - Hosts: 88.198.198.204 google.com.gh
O1 - Hosts: 88.198.198.204 google.com.hk
O1 - Hosts: 88.198.198.204 google.com.jm
O1 - Hosts: 88.198.198.204 google.com.mx
O1 - Hosts: 88.198.198.204 google.com.my
O1 - Hosts: 88.198.198.204 google.com.na
O1 - Hosts: 88.198.198.204 google.com.nf
O1 - Hosts: 88.198.198.204 google.com.ng
O1 - Hosts: 88.198.198.204 google.ch
O1 - Hosts: 88.198.198.204 google.com.np
O1 - Hosts: 88.198.198.204 google.com.pr
O1 - Hosts: 88.198.198.204 google.com.qa
O1 - Hosts: 88.198.198.204 google.com.sg
O1 - Hosts: 88.198.198.204 google.com.tj
O1 - Hosts: 88.198.198.204 google.com.tw
O1 - Hosts: 88.198.198.204 google.dj
O1 - Hosts: 88.198.198.204 google.de
O1 - Hosts: 88.198.198.204 google.dk
O1 - Hosts: 88.198.198.204 google.dm
O1 - Hosts: 88.198.198.204 google.ee
O1 - Hosts: 88.198.198.204 google.fi
O1 - Hosts: 88.198.198.204 google.fm
O1 - Hosts: 88.198.198.204 google.fr
O1 - Hosts: 88.198.198.204 google.ge
O1 - Hosts: 88.198.198.204 google.gg
O1 - Hosts: 88.198.198.204 google.gm
O1 - Hosts: 88.198.198.204 google.gr
O1 - Hosts: 88.198.198.204 google.ht
O1 - Hosts: 88.198.198.204 google.ie
O1 - Hosts: 88.198.198.204 google.im
O1 - Hosts: 88.198.198.204 google.in
O1 - Hosts: 88.198.198.204 google.it
O1 - Hosts: 88.198.198.204 google.ki
O1 - Hosts: 88.198.198.204 google.la
O1 - Hosts: 88.198.198.204 google.li
O1 - Hosts: 88.198.198.204 google.lv
O1 - Hosts: 88.198.198.204 google.ma
O1 - Hosts: 88.198.198.204 google.ms
O1 - Hosts: 88.198.198.204 google.mu
O1 - Hosts: 88.198.198.204 google.mw
O1 - Hosts: 88.198.198.204 google.nl
O1 - Hosts: 88.198.198.204 google.no
O1 - Hosts: 88.198.198.204 google.nr
O1 - Hosts: 88.198.198.204 google.nu
O1 - Hosts: 88.198.198.204 google.pl
O1 - Hosts: 88.198.198.204 google.pn
O1 - Hosts: 88.198.198.204 google.pt
O1 - Hosts: 88.198.198.204 google.ro
O1 - Hosts: 88.198.198.204 google.ru
O1 - Hosts: 88.198.198.204 google.rw
O1 - Hosts: 88.198.198.204 google.sc
O1 - Hosts: 88.198.198.204 google.se
O1 - Hosts: 88.198.198.204 google.sh
O1 - Hosts: 88.198.198.204 google.si
O1 - Hosts: 88.198.198.204 google.sm
O1 - Hosts: 88.198.198.204 google.sn
O1 - Hosts: 88.198.198.204 google.st
O1 - Hosts: 88.198.198.204 google.tl
O1 - Hosts: 88.198.198.204 google.tm
O1 - Hosts: 88.198.198.204 google.tt
O1 - Hosts: 88.198.198.204 google.us
O1 - Hosts: 88.198.198.204 google.vu
O1 - Hosts: 88.198.198.204 google.ws
O1 - Hosts: 88.198.198.204 google.co.ck
O1 - Hosts: 88.198.198.204 google.co.id
O1 - Hosts: 88.198.198.204 google.co.il
O1 - Hosts: 88.198.198.204 google.co.in
O1 - Hosts: 88.198.198.204 google.co.jp
O1 - Hosts: 88.198.198.204 google.co.kr
O1 - Hosts: 88.198.198.204 google.co.ls
O1 - Hosts: 88.198.198.204 google.co.ma
O1 - Hosts: 88.198.198.204 google.co.nz
O1 - Hosts: 88.198.198.204 google.co.tz
O1 - Hosts: 88.198.198.204 google.co.ug
O1 - Hosts: 88.198.198.204 google.co.uk
O1 - Hosts: 88.198.198.204 google.co.za
O1 - Hosts: 88.198.198.204 google.co.zm
O1 - Hosts: 88.198.198.204 google.com
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\3.1.5.7613\Launcher.exe
O4 - Global Startup: Ad-Aware.lnk = C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1250647406125
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.1\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 13283 bytes
flavallee's Avatar
Computer Specs
Trusted Advisor with 23,500 posts.
  
Join Date: May 2002
Location: Hillsborough county, Florida
Experience: Advanced
07-Nov-2009, 07:50 AM #4
leahpea:

Go here and download HostsXpert 4.3.

Just download and save it for now and don't do anything with it yet.

You need assistance from a malware expert, so I've reported your thread to the "Malware Removal & HijackThis Logs" section.

---------------------------------------------------------------
dvk01's Avatar
Moderator with 27,648 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
07-Nov-2009, 08:13 AM #5
If you have previously or already installed Combofix, delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
08-Nov-2009, 04:50 PM #6
re: Task Manager and other programs not opening
ComboFix:
ComboFix 09-11-08.02 - Leah 11/08/2009 16:38.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.807 [GMT -5:00]
Running from: c:\documents and settings\Leah\Desktop\ComboFix.exe
AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {62A1206B-1F31-4048-B0B3-2A93BF7D6C6E}
FW: Windows Enterprise Suite *enabled* {6D7078B9-2C1C-449F-B18F-4162C44F6435}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Leah\My Documents\ZbThumbnail.info
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\recycler\NPROTECT

.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-06 22:23 . 2009-11-07 20:54 -------- d-----w- c:\windows\ie8updates
2009-11-06 19:35 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-06 19:35 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-06 19:35 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-06 19:35 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-06 19:35 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-06 19:35 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-06 06:27 . 2009-11-06 06:27 -------- d-sh--w- c:\documents and settings\Leah\IECompatCache
2009-11-06 06:27 . 2009-11-06 06:27 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-06 06:27 . 2009-11-06 06:27 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-06 06:27 . 2009-11-06 06:27 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-06 06:27 . 2009-11-06 06:27 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-06 06:27 . 2009-11-06 06:27 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-06 06:26 . 2009-11-06 06:26 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-06 06:26 . 2009-11-06 06:26 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-06 06:26 . 2009-11-06 06:26 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-06 06:26 . 2009-11-06 06:26 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-06 06:26 . 2009-11-06 06:26 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-06 06:25 . 2009-11-06 06:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-06 06:25 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-06 06:25 . 2009-11-06 06:25 -------- d-----w- c:\program files\Lavasoft
2009-11-06 05:09 . 2009-11-06 05:09 127872 ----a-w- c:\documents and settings\Leah\Application Data\Move Networks\uninstall.exe
2009-11-06 05:09 . 2009-11-06 05:12 -------- d-----w- c:\documents and settings\Leah\Application Data\Move Networks
2009-11-06 05:06 . 2009-11-06 05:06 -------- d-sh--w- c:\documents and settings\Leah\PrivacIE
2009-11-06 05:06 . 2009-11-06 05:06 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-06 05:02 . 2009-11-06 05:02 -------- d-sh--w- c:\documents and settings\Leah\IETldCache
2009-11-06 04:57 . 2009-11-06 04:58 -------- dc-h--w- c:\windows\ie8
2009-11-05 05:04 . 2009-11-05 05:04 -------- d--h--w- c:\windows\PIF
2009-11-05 03:39 . 2009-11-05 03:39 -------- d-----w- c:\documents and settings\Leah\Local Settings\Application Data\Sophos
2009-11-05 03:18 . 2009-11-08 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-11-04 22:33 . 2009-11-04 22:34 -------- d-sh--w- c:\documents and settings\Leah\Application Data\Windows Enterprise Suite
2009-11-04 22:33 . 2009-11-04 22:33 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WESSys
2009-11-04 22:33 . 2009-10-29 19:30 457720 ----a-w- c:\documents and settings\All Users\Application Data\7079b28\sqlite3.dll
2009-11-04 22:33 . 2009-10-29 19:30 722424 ----a-w- c:\documents and settings\All Users\Application Data\7079b28\mozcrt19.dll
2009-11-04 22:33 . 2009-11-05 23:11 -------- d-sh--w- c:\documents and settings\All Users\Application Data\7079b28
2009-10-31 23:52 . 2009-10-31 23:52 -------- d-----w- c:\program files\iPod
2009-10-31 23:52 . 2009-10-31 23:54 -------- d-----w- c:\program files\iTunes
2009-10-31 23:46 . 2009-10-31 23:46 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-21 05:34 . 2009-09-01 17:09 65536 ----a-w- c:\documents and settings\Leah\Application Data\Mozilla\Firefox\Profiles\ny74jk0f.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll
2009-10-21 03:40 . 2009-10-21 03:40 152576 ----a-w- c:\documents and settings\Leah\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-20 03:36 . 2009-10-20 03:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 21:24 . 2009-08-18 23:42 -------- d-----w- c:\documents and settings\Leah\Application Data\uTorrent
2009-11-06 22:40 . 2009-08-19 01:59 1 ----a-w- c:\documents and settings\Leah\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-06 06:25 . 2009-08-19 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-06 05:09 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Leah\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-11-05 03:52 . 2009-08-18 09:49 75400 ----a-w- c:\documents and settings\Leah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 02:17 . 2009-08-19 03:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-05 02:17 . 2009-08-19 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-02 22:41 . 2009-08-21 02:13 -------- d-----w- c:\documents and settings\Leah\Application Data\LimeWire
2009-10-31 23:52 . 2009-08-18 18:09 -------- d-----w- c:\program files\Common Files\Apple
2009-10-30 02:29 . 2009-08-19 03:43 -------- d-----w- c:\documents and settings\Leah\Application Data\Symantec
2009-10-28 04:45 . 2009-08-18 20:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 02:27 . 2006-07-17 21:23 -------- d-----w- c:\program files\Google
2009-10-21 05:12 . 2009-08-18 23:55 -------- d-----w- c:\program files\LimeWire
2009-10-21 03:41 . 2006-07-17 21:53 -------- d-----w- c:\program files\Java
2009-10-20 02:19 . 2009-08-24 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-20 02:12 . 2006-07-17 22:14 -------- d-----w- c:\program files\Microsoft Works
2009-10-13 19:35 . 2009-08-28 10:24 -------- d-----w- c:\documents and settings\Leah\Application Data\vlc
2009-10-13 19:33 . 2009-08-28 10:03 -------- d-----w- c:\documents and settings\Leah\Application Data\dvdcss
2009-10-11 00:20 . 2009-08-19 01:44 -------- d-----w- c:\program files\VLC Media Player
2009-10-05 15:41 . 2009-10-05 15:41 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-09-23 19:25 . 2009-09-22 08:17 -------- d-----w- c:\program files\Windows Desktop Search
2009-09-23 12:55 . 2009-11-06 06:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 09:03 . 2009-08-18 23:58 -------- d-----w- c:\documents and settings\Leah\Application Data\Temp
2009-09-22 09:01 . 2009-09-22 09:01 -------- d-----w- c:\documents and settings\Leah\Application Data\Windows Search
2009-09-22 08:32 . 2009-09-22 08:30 -------- d-----w- c:\program files\Microsoft
2009-09-22 08:31 . 2009-09-22 08:29 -------- d-----w- c:\program files\Windows Live
2009-09-22 08:31 . 2009-09-22 08:31 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-22 08:30 . 2009-09-22 08:30 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-09-22 08:29 . 2009-09-22 08:29 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-22 08:18 . 2009-09-22 08:18 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-22 08:18 . 2009-09-22 08:18 -------- d-----w- c:\documents and settings\Leah\Application Data\Windows Desktop Search
2009-09-22 08:00 . 2006-07-17 22:22 -------- d-----w- c:\program files\Common Files\Real
2009-09-22 08:00 . 2009-09-22 08:00 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-11 14:18 . 2006-07-17 18:24 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 10:30 . 2009-09-11 10:30 61568 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 10:29 . 2009-08-18 18:10 -------- d-----w- c:\documents and settings\Leah\Application Data\Apple Computer
2009-09-11 10:17 . 2009-09-11 10:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 10:15 . 2009-09-11 10:14 -------- d-----w- c:\program files\QuickTime
2009-09-11 10:09 . 2009-09-11 10:08 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-04 21:03 . 2006-07-17 18:24 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 08:53 . 2009-08-31 08:48 38208 ----a-w- c:\documents and settings\LocalService\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-29 08:08 . 2006-07-17 18:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2009-08-18 18:09 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-18 18:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2006-07-17 18:25 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 02:31 . 2006-07-17 18:53 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-19 02:00 . 2009-08-19 02:00 686080 ----a-w- c:\documents and settings\Leah\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\3B.tmp_\sun-pdfimport(2).oxt\pdfimport.uno.dll
2009-08-19 02:00 . 2009-08-19 02:00 568832 ----a-w- c:\documents and settings\Leah\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\3B.tmp_\sun-pdfimport(2).oxt\msvcp90.dll
2009-08-19 02:00 . 2009-08-19 02:00 655872 ----a-w- c:\documents and settings\Leah\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\3B.tmp_\sun-pdfimport(2).oxt\msvcr90.dll
2009-08-19 02:00 . 2009-08-19 02:00 583168 ----a-w- c:\documents and settings\Leah\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\3B.tmp_\sun-pdfimport(2).oxt\xpdfimport.exe
2009-08-19 02:00 . 2009-08-19 02:00 224768 ----a-w- c:\documents and settings\Leah\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\3B.tmp_\sun-pdfimport(2).oxt\msvcm90.dll
2009-08-19 01:30 . 2009-08-19 01:30 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-18 20:32 . 2009-08-18 20:32 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-18 17:56 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-18 17:48 . 2009-08-18 17:48 152576 ----a-w- c:\documents and settings\Leah\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 09:50 . 2009-08-18 09:49 127 ----a-w- c:\documents and settings\Leah\Local Settings\Application Data\fusioncache.dat
2009-08-18 09:47 . 2009-08-18 09:47 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 19:40 . 2009-08-31 16:32 43008 ----a-w- c:\documents and settings\Leah\Application Data\Mozilla\Firefox\Profiles\ny74jk0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-13 19:39 . 2009-08-31 16:32 340480 ----a-w- c:\documents and settings\Leah\Application Data\Mozilla\Firefox\Profiles\ny74jk0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-13 19:39 . 2009-08-31 16:32 346112 ----a-w- c:\documents and settings\Leah\Application Data\Mozilla\Firefox\Profiles\ny74jk0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 15:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Leah\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\3.1.5.7613\Launcher.exe [2009-8-18 157000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ad-Aware.lnk - c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe [2009-10-2 1638104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Leah^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Leah\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/6/2009 1:28 AM 64288]
R2 AGCoreService;AG Core Services;c:\program files\AGI\core\3.1\AGCoreService.exe [8/18/2009 6:58 PM 20480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 3:28 PM 1533808]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 06:26]

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Leah\Application Data\Mozilla\Firefox\Profiles\ny74jk0f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=
FF - component: c:\documents and settings\Leah\Application Data\Mozilla\Firefox\Profiles\ny74jk0f.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrec ordext.dll
FF - plugin: c:\documents and settings\Leah\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\VLC Media Player\npvlc.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys spkg.sys hal.dll >>UNKNOWN [0x8A40A938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF7978B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF7978B40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-08 16:45
ComboFix-quarantined-files.txt 2009-11-08 21:44

Pre-Run: 5,288,280,064 bytes free
Post-Run: 5,258,637,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 780643281680AFF798CF4ABD0F9A9505
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
08-Nov-2009, 04:51 PM #7
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:21 PM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\core\3.1\AGCoreService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 88.198.198.204 google.ae
O1 - Hosts: 88.198.198.204 google.as
O1 - Hosts: 88.198.198.204 google.at
O1 - Hosts: 88.198.198.204 google.az
O1 - Hosts: 88.198.198.204 google.ba
O1 - Hosts: 88.198.198.204 google.be
O1 - Hosts: 88.198.198.204 google.bg
O1 - Hosts: 88.198.198.204 google.bs
O1 - Hosts: 88.198.198.204 google.ca
O1 - Hosts: 88.198.198.204 google.cd
O1 - Hosts: 88.198.198.204 google.com.gh
O1 - Hosts: 88.198.198.204 google.com.hk
O1 - Hosts: 88.198.198.204 google.com.jm
O1 - Hosts: 88.198.198.204 google.com.mx
O1 - Hosts: 88.198.198.204 google.com.my
O1 - Hosts: 88.198.198.204 google.com.na
O1 - Hosts: 88.198.198.204 google.com.nf
O1 - Hosts: 88.198.198.204 google.com.ng
O1 - Hosts: 88.198.198.204 google.ch
O1 - Hosts: 88.198.198.204 google.com.np
O1 - Hosts: 88.198.198.204 google.com.pr
O1 - Hosts: 88.198.198.204 google.com.qa
O1 - Hosts: 88.198.198.204 google.com.sg
O1 - Hosts: 88.198.198.204 google.com.tj
O1 - Hosts: 88.198.198.204 google.com.tw
O1 - Hosts: 88.198.198.204 google.dj
O1 - Hosts: 88.198.198.204 google.de
O1 - Hosts: 88.198.198.204 google.dk
O1 - Hosts: 88.198.198.204 google.dm
O1 - Hosts: 88.198.198.204 google.ee
O1 - Hosts: 88.198.198.204 google.fi
O1 - Hosts: 88.198.198.204 google.fm
O1 - Hosts: 88.198.198.204 google.fr
O1 - Hosts: 88.198.198.204 google.ge
O1 - Hosts: 88.198.198.204 google.gg
O1 - Hosts: 88.198.198.204 google.gm
O1 - Hosts: 88.198.198.204 google.gr
O1 - Hosts: 88.198.198.204 google.ht
O1 - Hosts: 88.198.198.204 google.ie
O1 - Hosts: 88.198.198.204 google.im
O1 - Hosts: 88.198.198.204 google.in
O1 - Hosts: 88.198.198.204 google.it
O1 - Hosts: 88.198.198.204 google.ki
O1 - Hosts: 88.198.198.204 google.la
O1 - Hosts: 88.198.198.204 google.li
O1 - Hosts: 88.198.198.204 google.lv
O1 - Hosts: 88.198.198.204 google.ma
O1 - Hosts: 88.198.198.204 google.ms
O1 - Hosts: 88.198.198.204 google.mu
O1 - Hosts: 88.198.198.204 google.mw
O1 - Hosts: 88.198.198.204 google.nl
O1 - Hosts: 88.198.198.204 google.no
O1 - Hosts: 88.198.198.204 google.nr
O1 - Hosts: 88.198.198.204 google.nu
O1 - Hosts: 88.198.198.204 google.pl
O1 - Hosts: 88.198.198.204 google.pn
O1 - Hosts: 88.198.198.204 google.pt
O1 - Hosts: 88.198.198.204 google.ro
O1 - Hosts: 88.198.198.204 google.ru
O1 - Hosts: 88.198.198.204 google.rw
O1 - Hosts: 88.198.198.204 google.sc
O1 - Hosts: 88.198.198.204 google.se
O1 - Hosts: 88.198.198.204 google.sh
O1 - Hosts: 88.198.198.204 google.si
O1 - Hosts: 88.198.198.204 google.sm
O1 - Hosts: 88.198.198.204 google.sn
O1 - Hosts: 88.198.198.204 google.st
O1 - Hosts: 88.198.198.204 google.tl
O1 - Hosts: 88.198.198.204 google.tm
O1 - Hosts: 88.198.198.204 google.tt
O1 - Hosts: 88.198.198.204 google.us
O1 - Hosts: 88.198.198.204 google.vu
O1 - Hosts: 88.198.198.204 google.ws
O1 - Hosts: 88.198.198.204 google.co.ck
O1 - Hosts: 88.198.198.204 google.co.id
O1 - Hosts: 88.198.198.204 google.co.il
O1 - Hosts: 88.198.198.204 google.co.in
O1 - Hosts: 88.198.198.204 google.co.jp
O1 - Hosts: 88.198.198.204 google.co.kr
O1 - Hosts: 88.198.198.204 google.co.ls
O1 - Hosts: 88.198.198.204 google.co.ma
O1 - Hosts: 88.198.198.204 google.co.nz
O1 - Hosts: 88.198.198.204 google.co.tz
O1 - Hosts: 88.198.198.204 google.co.ug
O1 - Hosts: 88.198.198.204 google.co.uk
O1 - Hosts: 88.198.198.204 google.co.za
O1 - Hosts: 88.198.198.204 google.co.zm
O1 - Hosts: 88.198.198.204 google.com
O2 - BHO: agcore.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\3.1.5.7613\Launcher.exe
O4 - Global Startup: Ad-Aware.lnk = C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1250647406125
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\3.1\AGCoreService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 11659 bytes
dvk01's Avatar
Moderator with 27,648 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
08-Nov-2009, 06:00 PM #8
Download the HostsXpert - Hosts File Manager.
  • Unzip HostsXpert - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

and then reboot

tell us how it is and any problems still remaining
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
08-Nov-2009, 08:25 PM #9
re: Task Manager and other programs not opening
it gives me this error and exits:

cannot crate file c:\windows\system32\drivers\etc\hosts
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
09-Nov-2009, 01:04 AM #10
whatever I did made it so I can open all my stuff now. yay! however, I am being redirected to spam sites when I click on search engine links. I have tried with google and yahoo but no difference.
dvk01's Avatar
Moderator with 27,648 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
09-Nov-2009, 04:11 AM #11
right click the host expert & select run as admin
then that should allow you to sort out hosts

once taht is done

let us know if you are still being diverted, if se or if it still won't create teh host file we can deal with it another way
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
09-Nov-2009, 03:45 PM #12
I don't know what you mean by hosts... and my account is administrator
dvk01's Avatar
Moderator with 27,648 posts.
  
Join Date: Dec 2002
Location: Loughton, Essex, UK
09-Nov-2009, 04:16 PM #13
It doesn't matter taht yiour account is admin

right click teh host expert shortcut in start menu or icon on desktop & selet run as administarator

then follw the instructions about using hostexpert I gave before

taht elevates host expert to give it admin powers to alter the host file taht is couldn't get access to to fix
taht is why you are being diverted,

All the O1 entries in the HJT log are from the hosts file & they are diverting you & there will be alot more that HJT doesn't show that will be fixed
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
flavallee's Avatar
Computer Specs
Trusted Advisor with 23,500 posts.
  
Join Date: May 2002
Location: Hillsborough county, Florida
Experience: Advanced
09-Nov-2009, 04:26 PM #14
leahpea:

What DVK01 wants you to do is right-click HostsXpert.exe, then left-click "Run As Administator" in the drop-down menu that appears, then follow his previous instructions.

--------------------------------------------------------------
leahpea's Avatar
Computer Specs
Junior Member with 16 posts.
  
Join Date: Nov 2009
Location: Richmond, VA
Experience: Intermediate
09-Nov-2009, 04:29 PM #15
I'm saying there is no administrator account, only me. there is no "run as administrator" option.
Reply Bookmark and Share
Page 1 of 3 1 23

Smart Search

Find your solution!


« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 07:06 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.