Virus has removed desktop, start menu items, hidden data files, etc.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Hi,
I am writing on behalf of my friend b/c I already have an account here. A couple of days ago she was on her laptop when numerous pop ups started filling up her screen, the kind that makes one think "virus". The pop ups looked like system messages about some critical error with some hardware component, she can't remember. So I suggested that she go into Safe Mode and run her Avast and SuperAntiSpyware scanners to see what they pick up. Avast found one infected file, a music file that she deleted afterwards, and SAS found 34 items, mostly cookies and 4 trojans. She deleted/quarantined those afterwards too. Oddly, no log file was created by SAS after that scan like it usually does so I can't list the items they found. Also, SAS always fails when updating definitions now.
When she booted up normally, her computer was in a depressing state after the attack. The desktop was empty and unresponsive, i.e., you couldn't right-click, the Recycle Bin was gone. I tried to add icons back on but nothing appears. You can change the wallpaper and that's it. The start menu was bare too, everything had to be manually restored like the links to Control Panel, Run, etc., and all the shortcuts in the All Programs menu. However, I can't restore the Accessories folder with all it's system tools (System Restore!!!) and stuff. The Task Manager was disabled but I fixed that after looking for a solution online. She was panicking when it seemed as if all her data files were deleted, but it turned out it was just hidden. Once I selected the option to show hidden files and folders in Folder Options all her data files reappeared, albeit with washed-out icons. We did see this one Antivirus_10_2_Downloader.exe file in her Documents folder that looked suspicious. It has an icon with a white lightning bolt in a blue circle. My friend remembers seeing a similar icon in the tray area of the taskbar when the pop ups came, except with a red circle. The icon kept popping up a balloon message about some critical error warning like those pop ups. She deleted that executable, but it's till in the Bin.
We wanted to back up her data files to DVDs (she didn't want to possibly infect her external drives) but the system couldn't move the files onto the disc for burning. So, here are the log files:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:43:42 PM, on 12/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17103)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66028
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66028
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [Biomenu] "C:\Program Files\Protector Suite QL\menusw.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FNFPDoJienHIJQ.exe] C:\Documents and Settings\All Users\Application Data\FNFPDoJienHIJQ.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Filter hijack: text/html - {1616b7a2-f623-42ad-8fe4-0ee55e87cd45} - C:\WINDOWS\default32.dll
O20 - AppInit_DLLs: lsaczh.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TP AutoConnect Service (TPAutoConnSvc) - ThinPrint GmbH - C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

--
End of file - 11864 bytes
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Oh, forgot to mention that I am posting because I just wanted to make sure her system was completely clean. Also, meant to add this log file, too.

Much thanks for any help!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_26
Run by User at 0:28:47 on 2011-12-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.542 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66028
uInternet Settings,ProxyOverride = *.local
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=66028
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [VMware Tools] c:\program files\vmware\vmware tools\VMwareTray.exe
mRun: [VMware User Process] c:\program files\vmware\vmware tools\VMwareUser.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Device Detector] DevDetect.exe -autorun
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FNFPDoJienHIJQ.exe] c:\documents and settings\all users\application data\FNFPDoJienHIJQ.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxps://www.dotphoto.com/ImageUploader4.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Filter: text/html - {1616b7a2-f623-42ad-8fe4-0ee55e87cd45} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - fusstub.dll
Notify: TPSvc - TPSvc.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: lsaczh.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli fusstub
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\zro31ehi.default\
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2007-7-14 17968]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-10 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-5-27 314456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-8 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-27 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 44768]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2007-7-14 101552]
R2 VMMEMCTL;VMware server memory controller;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2007-5-1 15664]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-5-9 36352]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-8-13 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-8-13 226304]
S2 VMTools;VMware Tools Service;c:\program files\vmware\vmware tools\VMwareService.exe [2007-5-1 252720]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-8-13 20160]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2007-5-1 294912]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2007-7-14 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2007-7-14 63024]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2007-7-14 34992]
.
=============== Created Last 30 ================
.
2011-12-11 03:36:11 388096 ----a-r- c:\documents and settings\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-11 03:36:10 -------- d-----w- c:\program files\Trend Micro
2011-12-11 00:25:45 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-11 00:09:00 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-11-13 21:30:25 -------- d-----r- c:\program files\Skype
.
==================== Find3M ====================
.
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 0:29:35.59 ===============
 

kevinf80

Malware Specialist
Joined
Mar 21, 2006
Messages
11,383
First Name
Kevin
Do the following :-

Step 1

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Step 2

download the following program to your desktop:

Unhide tool

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
Please be patient as this may take several minutes to run, it will scan and fix all Hard drives on your system. You will see a new window with the drive being processed, typically C:\ as below:



Changing as the next drive is processed as below (if required):



You will get a success alert at the end.



Re-boot and see if your files are present.

Kevin
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Thank you so much for responding. Yes, all the hidden files and links are now present. I forgot to check but does that Unhide program also make visible the system files that should be hidden, too?

Here's the report:

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Scan -- Date : 12/14/2011 20:05:56

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : FNFPDoJienHIJQ.exe (C:\Documents and Settings\All Users\Application Data\FNFPDoJienHIJQ.exe) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 6976d2c3b9cc79c87ee20c28af200037
[BSP] 67fe857cc56254cc155246b815937034 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 63 | Size: 6448 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 12594960 | Size: 113582 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
 

kevinf80

Malware Specialist
Joined
Mar 21, 2006
Messages
11,383
First Name
Kevin
Unhideme does not show system files, do the following:

Step 1

Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Step 2

Download aswMBR from Here
If it asks to update during the process please allow this to happen.

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
  • Once the scan finishes click Save log to save the log to your Desktop.


  • Copy and paste the contents of aswMBR.txt back here for review
  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me see the following:

  • Log from RogueKiller
  • Log from aswMBR, also attach MBR.zip to reply
  • Log from Malwarebytes

Also give an update on current issues/concerns and how the system is responding..

Kevin
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
The 3 programs scanned fine, and I will post the logs, however Malwarebytes wanted to update but when it tried I got this error message instead.



Still scanned anyways.

The system seems to be running fine. I see this System Fix shortcut on the Desktop, and maybe the exe is somewhere on the computer. I googled it and it appears to be a virus. I think I should remove it, in addition to other junk and update her outdated software, but maybe I'll wait until your response.

Here are the logs:

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: User [Admin rights]
Mode: Remove -- Date : 12/15/2011 20:21:25

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : FNFPDoJienHIJQ.exe (C:\Documents and Settings\All Users\Application Data\FNFPDoJienHIJQ.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 6976d2c3b9cc79c87ee20c28af200037
[BSP] 67fe857cc56254cc155246b815937034 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 63 | Size: 6448 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 12594960 | Size: 113582 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
___________________________________________________________________________

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-15 20:24:44
-----------------------------
20:24:44.765 OS Version: Windows 5.1.2600 Service Pack 3
20:24:44.765 Number of processors: 2 586 0xE08
20:24:44.765 ComputerName: PRO UserName:
20:24:45.796 Initialize success
20:24:45.906 AVAST engine defs: 11121001
20:24:59.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
20:24:59.218 Disk 0 Vendor: ST9120821AS 3.14 Size: 114473MB BusType: 3
20:24:59.218 Disk 1 \Device\Harddisk1\DR3 -> \Device\000000a9
20:24:59.218 Disk 1 Vendor: ( Size: 114473MB BusType: 0
20:24:59.218 Disk 2 \Device\Harddisk2\DR4 -> \Device\000000aa
20:24:59.218 Disk 2 Vendor: ( Size: 114473MB BusType: 0
20:25:01.250 Disk 0 MBR read successfully
20:25:01.250 Disk 0 MBR scan
20:25:01.250 Disk 0 Windows XP default MBR code
20:25:01.250 Disk 0 scanning sectors +234436545
20:25:01.359 Disk 0 scanning C:\WINDOWS\system32\drivers
20:25:18.171 Service scanning
20:25:19.546 Modules scanning
20:25:26.359 Disk 0 trace - called modules:
20:25:26.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:25:26.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ecaab8]
20:25:26.406 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\00000092[0x86f5f9e8]
20:25:26.421 5 ACPI.sys[f7447620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f5e940]
20:25:26.781 AVAST engine scan C:\WINDOWS
20:25:44.406 AVAST engine scan C:\WINDOWS\system32
20:27:20.031 AVAST engine scan C:\WINDOWS\system32\drivers
20:27:34.781 AVAST engine scan C:\Documents and Settings\User
20:55:48.890 AVAST engine scan C:\Documents and Settings\All Users
20:57:50.953 Scan finished successfully
20:58:17.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
20:58:17.609 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
___________________________________________________________________________

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/15/2011 9:20:05 PM
mbam-log-2011-12-15 (21-20-05).txt

Scan type: Quick scan
Objects scanned: 178477
Time elapsed: 15 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments

kevinf80

Malware Specialist
Joined
Mar 21, 2006
Messages
11,383
First Name
Kevin
What error message did you get of Malwarebytes? the data base is way outdated. Try and update again then run another quick scan.

Regarding the shortcut on the Desktop, right click on that and select "Properties" a new window will open, in there you`ll see "Target" "start in" "run" you will also see a tab labelled "open file location" select that, if the .exe is still present it will take you to it, if so delete it. Close that window then delete the short cut...
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Ok, don't worry about the error message, it was b/c the computer wasn't connected to the internet. My friend wanted to avoid that until everything was fine. I connected and updated everything. I rescanned w/ that aswMBR as well since the previous scan used outdated defs (by 6 days only, but nonetheless).

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-16 22:33:29
-----------------------------
22:33:29.687 OS Version: Windows 5.1.2600 Service Pack 3
22:33:29.687 Number of processors: 2 586 0xE08
22:33:29.687 ComputerName: PRO UserName:
22:33:33.843 Initialize success
22:33:34.515 AVAST engine defs: 11121603
22:33:41.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:33:41.187 Disk 0 Vendor: ST9120821AS 3.14 Size: 114473MB BusType: 3
22:33:41.203 Disk 1 \Device\Harddisk1\DR3 -> \Device\000000aa
22:33:41.203 Disk 1 Vendor: ( Size: 114473MB BusType: 0
22:33:41.203 Disk 2 \Device\Harddisk2\DR4 -> \Device\000000ab
22:33:41.203 Disk 2 Vendor: ( Size: 114473MB BusType: 0
22:33:43.218 Disk 0 MBR read successfully
22:33:43.218 Disk 0 MBR scan
22:33:43.218 Disk 0 Windows XP default MBR code
22:33:43.234 Disk 0 scanning sectors +234436545
22:33:43.328 Disk 0 scanning C:\WINDOWS\system32\drivers
22:33:59.750 Service scanning
22:34:01.171 Modules scanning
22:34:07.734 Disk 0 trace - called modules:
22:34:07.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:34:07.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f52ab8]
22:34:07.781 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\00000093[0x86f479e8]
22:34:07.796 5 ACPI.sys[f7447620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f58d98]
22:34:08.078 AVAST engine scan C:\WINDOWS
22:34:26.796 AVAST engine scan C:\WINDOWS\system32
22:36:04.812 AVAST engine scan C:\WINDOWS\system32\drivers
22:36:19.640 AVAST engine scan C:\Documents and Settings\User
23:02:28.609 AVAST engine scan C:\Documents and Settings\All Users
23:03:57.937 Scan finished successfully
23:12:30.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
23:12:30.328 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
____________________________________________________________________

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8383

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/16/2011 11:22:44 PM
mbam-log-2011-12-16 (23-22-44).txt

Scan type: Quick scan
Objects scanned: 181656
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments

kevinf80

Malware Specialist
Joined
Mar 21, 2006
Messages
11,383
First Name
Kevin
OK, run DDS again and post the two logs, also give an update on current issues/concerns.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/past both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Kevin...
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Things seem to be running smoothly now. No problems I've noticed.

//dds.txt log
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_30
Run by User at 20:53:50 on 2011-12-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.554 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66028
uInternet Settings,ProxyOverride = *.local
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=66028
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VMware User Process] c:\program files\vmware\vmware tools\VMwareUser.exe
mRun: [VMware Tools] c:\program files\vmware\vmware tools\VMwareTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxps://www.dotphoto.com/ImageUploader4.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
Filter: text/html - {1616b7a2-f623-42ad-8fe4-0ee55e87cd45} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - fusstub.dll
Notify: TPSvc - TPSvc.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: lsaczh.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli fusstub
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\zro31ehi.default\
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2007-7-14 17968]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-10 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-5-27 314456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-8 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-27 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-18 44768]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-5-9 36352]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-8-13 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-8-13 226304]
S2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys --> c:\windows\system32\drivers\hgfs.sys [?]
S2 VMMEMCTL;VMware server memory controller;\??\c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys --> c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [?]
S2 VMTools;VMware Tools Service;"c:\program files\vmware\vmware tools\vmwareservice.exe" --> c:\program files\vmware\vmware tools\VMwareService.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-8-13 20160]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2007-7-14 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2007-7-14 63024]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2007-7-14 34992]
.
=============== Created Last 30 ================
.
2011-12-17 07:37:56 -------- d-----w- c:\documents and settings\user\local settings\application data\Amazon
2011-12-17 07:37:41 -------- d-----w- c:\program files\Amazon
2011-12-17 07:02:45 -------- d-----w- c:\program files\uTorrent
2011-12-17 07:01:57 -------- d-----w- c:\documents and settings\user\application data\uTorrent
2011-12-16 02:00:06 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-12-16 01:59:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-16 01:59:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-16 01:59:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 03:36:11 388096 ----a-r- c:\documents and settings\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-11 03:36:10 -------- d-----w- c:\program files\Trend Micro
2011-12-11 00:25:45 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-11 00:09:00 -------- d-----w- c:\windows\system32\GroupPolicy
.
==================== Find3M ====================
.
2011-12-17 07:09:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-17 07:09:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 20:54:39.17 ===============

//attach.txt log
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/14/2007 2:02:38 AM
System Uptime: 12/17/2011 8:45:29 PM (0 hours ago)
.
Motherboard: Sony Corporation | | VAIO
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | N/A | 1833/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 106 GiB total, 47.099 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP357: 9/9/2011 1:28:27 PM - System Checkpoint
RP358: 9/10/2011 1:40:37 PM - System Checkpoint
RP359: 9/11/2011 3:57:32 PM - System Checkpoint
RP360: 9/16/2011 11:37:43 AM - Software Distribution Service 3.0
RP361: 9/18/2011 9:51:21 PM - System Checkpoint
RP362: 9/25/2011 11:51:32 AM - System Checkpoint
RP363: 9/28/2011 7:19:39 PM - System Checkpoint
RP364: 9/28/2011 9:26:51 PM - Software Distribution Service 3.0
RP365: 10/10/2011 6:11:33 PM - System Checkpoint
RP366: 10/13/2011 7:24:56 AM - Software Distribution Service 3.0
RP367: 10/15/2011 7:33:32 PM - System Checkpoint
RP368: 10/20/2011 11:21:44 AM - System Checkpoint
RP369: 10/28/2011 6:35:47 PM - System Checkpoint
RP370: 11/2/2011 9:53:55 PM - System Checkpoint
RP371: 11/4/2011 11:43:46 AM - System Checkpoint
RP372: 11/8/2011 3:07:06 PM - System Checkpoint
RP373: 11/8/2011 5:17:11 PM - Installed Apple Software Update
RP374: 11/10/2011 1:46:55 PM - Software Distribution Service 3.0
RP375: 11/11/2011 11:12:16 AM - Software Distribution Service 3.0
RP376: 11/13/2011 3:46:27 PM - System Checkpoint
RP377: 11/17/2011 11:22:05 AM - System Checkpoint
RP378: 11/19/2011 2:15:00 PM - System Checkpoint
RP379: 11/27/2011 2:52:41 PM - System Checkpoint
RP380: 11/28/2011 6:36:00 PM - System Checkpoint
RP381: 12/2/2011 9:46:41 AM - System Checkpoint
RP382: 12/3/2011 4:12:52 PM - System Checkpoint
RP383: 12/6/2011 9:21:21 AM - System Checkpoint
RP384: 12/7/2011 9:51:11 AM - System Checkpoint
RP385: 12/10/2011 10:16:57 PM - Removed MobileMe Control Panel
RP386: 12/10/2011 10:17:48 PM - Removed OpenOffice.org Installer 1.0
RP387: 12/10/2011 10:27:51 PM - Removed Cingular Connection Manager
RP388: 12/10/2011 10:33:57 PM - Installed HiJackThis
RP389: 12/10/2011 10:35:54 PM - Removed HiJackThis
RP390: 12/10/2011 10:36:09 PM - Installed HiJackThis
RP391: 12/16/2011 9:55:52 PM - Installed Java(TM) 6 Update 30
RP392: 12/16/2011 10:19:40 PM - Software Distribution Service 3.0
RP393: 12/16/2011 11:31:38 PM - Removed Skype Click to Call
RP394: 12/16/2011 11:33:12 PM - Removed VMware Tools
RP395: 12/16/2011 11:33:43 PM - Removed Windows Live Upload Tool
RP396: 12/16/2011 11:34:13 PM - Removed Windows Live Sign-in Assistant
RP397: 12/17/2011 1:37:55 AM - Removed Java(TM) 6 Update 13
RP398: 12/17/2011 1:38:35 AM - Removed Java(TM) SE Runtime Environment 6
RP399: 12/17/2011 1:38:56 AM - Removed Java(TM) 6 Update 3
RP400: 12/17/2011 2:08:53 AM - Installed Java(TM) 6 Update 30
.
==== Installed Programs ======================
.
µTorrent
ACDSee for PENTAX 3.0
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player 11.5
Amazon Kindle
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Becker's CPA Exam Review and PassMaster - 2010 Edition
Becker's Final Review - 2010 Edition
Becker CPA Review CD-ROM Course and PassMaster - 2009 Edition
BlackBerry Desktop Software 6.0.1
Bluetooth Stack for Windows by Toshiba
Bonjour
BufferChm
CCleaner
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
eSupportQFolder
Evernote v. 4.4.2
Garmin Communicator Plugin
Garmin USB Drivers
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 3900 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
HPDeskjet3900Series
HPProductAssistant
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iPod for Windows 2006-01-10
iTunes
Java Auto Updater
Java(TM) 6 Update 30
Java(TM) 6 Update 7
K-Lite Codec Pack 3.2.9 Full *BETA*
Malwarebytes' Anti-Malware version 1.51.2.1300
mCore
mDriver
mDrWiFi
mEoU
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIWA
mLogView
mMHouse
Motorola Phone Tools
Mozilla Firefox 8.0 (x86 en-US)
mPfMgr
mPfWiz
mProSafe
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Nero 6 Ultra Edition
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PHStat2 version 2.5
PowerDVD
Protector Suite QL 5.3
QuickTime
Real Alternative 1.52
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Setting Utility Series
SigmaTel Audio
SIW version 2008-09-03
Skype™ 5.5
SolutionCenter
Sony Utilities DLL
Status
SUPERAntiSpyware Free Edition
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VAIO Event Service
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Sony Corporation (SPI) HIDCLASS (08/20/2002 7.0.3.820)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Wireless Switch Setting Utility
Zinio Reader
.
==== Event Viewer Messages From Past Week ========
.
12/17/2011 8:46:15 PM, error: Service Control Manager [7000] - The VMware server memory controller service failed to start due to the following error: The system cannot find the path specified.
12/17/2011 1:59:06 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
12/17/2011 1:33:45 AM, error: Service Control Manager [7000] - The hgfs service failed to start due to the following error: The system cannot find the file specified.
12/10/2011 7:08:31 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VMware Tools Service service to connect.
12/10/2011 7:08:31 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/10/2011 4:54:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/10/2011 4:52:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi DMICall Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip Tosrfcom
12/10/2011 4:52:22 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 4:52:22 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 4:52:22 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 4:52:22 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 4:52:22 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 4:52:22 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/10/2011 4:52:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/10/2011 4:52:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/10/2011 4:12:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi DMICall Fips intelppm SASDIFSV SASKUTIL Tosrfcom
12/10/2011 11:21:00 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
.
==== End Of File ===========================
 

kevinf80

Malware Specialist
Joined
Mar 21, 2006
Messages
11,383
First Name
Kevin
OK do the following:

Step 1

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click
    icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big
    button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.

Also uninstall the following via Start > Control Panel > Uninstall a Program (if present)

Java(TM) 6 Update 7

Step 2

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update.

Adobe Reader Untick the Free McAfee® Security Scan Plus (optional) unless you want it. (not required)

Step 3

Download
TFC to your desktop, from either of the following links
Link 1
Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select “Run as Administartor”
  • If prompted, click "Yes" to reboot.
Save any open work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

Keep TFC it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run, even if not prompted

Step 4

We now need to reset your system restore points and create a new clean one. To do this "Turn off" System restore > Left click start > Right click My Computer > Left click Properties > Select System restore tab > put tick in Turn off System Restore box > apply > ok. To reverse as previous but remove the tick from Turn off System Restore > apply ok.


Create the new restore point > Start > all programs > accessories > system tools > system restore > create a restore point > In the Restore point description box give it a name for reference eg. Clean 1. The time and date are added automatically > then select create and follow the wizard out.

Let me know if those steps completed OK, also if any remaining issue/concerns..

Kevin
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Did everything without problem, except there was no Java Update 7 in the Add/Remove list. Everything is running smoothly. I even helped her defragment since she hasn't done that ever and she's had the computer for years. Dare I say her system is better than ever. :)
I think we're near the end so thank you so much so far for your time and consideration!!!
 

kevinf80

Malware Specialist
Joined
Mar 21, 2006
Messages
11,383
First Name
Kevin
OK, if no remaining issues here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

You will have several programs installed, these maybe outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox,

Opera, and

Chrome.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link HERE will give a comprehensive upto date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CD`s.

Don`t forget, the best form of defense is common sense. If you don`t recognize it, don`t open it. If something looks to good to be true, then it aint.

If no remaining issues hit the &#8220;Mark Solved&#8221; tab at the top of the thread,

Take care,

Kevin
 

babushka

Thread Starter
Joined
Jun 7, 2007
Messages
67
Thanks for everything Kevin!! Much appreciated indeed.

Happy holidays! I'll mark as Solved.

:)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top