Cant Update Mse

BigDan · May 2, 2011

Somehow Notepad's been deleted. Hmmm? Using Wordpad now, although Notepad was fine this afternoon.

Here's the logs. Thanks!

RogueKiller V4.3.9 [04/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: user [Admin rights]
Mode: ProxyFix -- Date : 05/02/2011 05:46:19

Bad processes: 0

Registry Entries: 1
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (socks=127.0.0.1:4021) -> DELETED

Finished : << RKreport[1].txt >>
RKreport[1].txt

ComboFix 11-05-01.02 - user 05/02/2011 5:53.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1416 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Temp File Cleaner DB Toolbar\tbHElper.dll
c:\windows\system32\NOTEPAD.EXE
.
Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\sfcfiles.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-02 09:28 . 2011-05-02 09:28 -------- d-----w- c:\program files\Microsoft Reader
2011-05-02 09:28 . 2003-06-05 21:15 57436 ----a-w- c:\windows\DASShp.dll
2011-05-02 09:28 . 2003-05-23 04:15 217174 ----a-w- c:\program files\Common Files\Microsoft Shared\ClearType\ctras.dll
2011-04-25 23:42 . 2011-04-25 23:42 -------- d-----w- c:\program files\IObit
2011-04-25 23:42 . 2011-04-25 23:42 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-23 02:08 . 2011-04-23 02:09 -------- d-----w- c:\program files\ERUNT
2011-04-22 22:44 . 2011-04-23 16:54 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-22 22:35 . 2011-04-22 22:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-19 23:43 . 2011-04-20 00:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-19 00:36 . 2011-05-02 10:08 -------- d-----w- c:\windows\system32\wbem\Logs
2011-04-19 00:20 . 2011-05-02 06:23 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2011-04-17 19:52 . 2011-04-17 19:52 -------- d-----w- c:\program files\Easy-Hide-IP
2011-04-16 18:10 . 2011-04-16 18:11 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-14 04:29 . 2011-04-14 04:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-04-12 04:28 . 2011-04-12 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-12 04:23 . 2011-04-12 04:23 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Secunia PSI
2011-04-12 04:22 . 2011-04-12 04:22 -------- d-----w- c:\program files\Secunia
2011-04-12 04:22 . 2011-04-12 04:22 -------- d-----w- c:\documents and settings\user\Application Data\Toolbar4
2011-04-12 04:22 . 2011-05-02 10:05 -------- d-----w- c:\program files\Temp File Cleaner DB Toolbar
2011-04-12 04:22 . 2011-04-12 04:22 -------- d-----w- c:\program files\Temp File Cleaner
2011-04-10 20:57 . 2011-04-10 20:57 -------- d-----w- c:\program files\Common Files\Java
2011-04-10 20:54 . 2011-04-10 20:54 -------- d-----w- c:\program files\Sun
2011-04-09 14:42 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 14:42 . 2011-04-09 14:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 14:42 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 09:57 . 2011-04-09 09:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-04-08 01:43 . 2011-04-08 01:59 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-10 20:53 . 2010-11-04 23:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-10 20:53 . 2009-09-07 06:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-09 13:53 . 2008-04-14 09:42 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 09:41 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-09-02 14:40 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-16 225280]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-02-08 2343632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-01-07 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-25 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
StickyNotes.exe [2009-5-19 483328]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bandwidth Monitor Pro.lnk - c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe [2005-1-8 225280]
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2010-12-16 293950]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2011-01-07 23:53 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 02:13 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
2001-08-01 17:30 94208 ----a-w- c:\program files\QUICKENW\qagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 18:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 20:28 577536 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-01 19:23 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SugarSync]
2010-11-18 02:29 14790656 ----a-w- c:\program files\SugarSync\SugarSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-09-25 20:03 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\wLite\\wLite.exe"=
"c:\\Program Files\\wLite\\wService.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\RNX-N150UBE\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Easy-Hide-IP\\easy-hide-ip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"85:TCP"= 85:TCP:BroadWave Web Server
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/14/2010 11:32 PM 218592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/05/2010 2:17 PM 691696]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [01/11/2010 1:49 AM 34712]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [01/10/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [01/10/2011 10:24 AM 399416]
S1 MpKsl46d3683f;MpKsl46d3683f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B6A7AF-9ADF-48EE-B9B7-3EA6C65A6B94}\MpKsl46d3683f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B6A7AF-9ADF-48EE-B9B7-3EA6C65A6B94}\MpKsl46d3683f.sys [?]
S2 gupdate1ca303f1aa26f2a;Google Update Service (gupdate1ca303f1aa26f2a);c:\program files\Google\Update\GoogleUpdate.exe [09/08/2009 12:44 AM 133104]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [12/23/2010 4:03 PM 44432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/08/2009 12:44 AM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 lgmdbus;LG Mobile driver (WDM);c:\windows\system32\drivers\lgmdbus.sys [06/14/2010 10:53 PM 89600]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [12/15/2010 2:35 AM 131888]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/14/2010 11:32 PM 366840]
S3 wxpSvc;webcamXP Service;c:\program files\wLite\wService.exe [05/02/2010 5:34 PM 5027328]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-10-15 03:29]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 04:44]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 04:44]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1450960922-1801674531-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-14 23:18]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1450960922-1801674531-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-14 23:18]
.
2011-05-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-1450960922-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-1450960922-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-02-23 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-06-21 02:57]
.
2011-05-02 c:\windows\Tasks\User_Feed_Synchronization-{E9078856-2E39-4A58-995F-39847461201E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2010-10-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-06-21 02:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigseekpro.com/tempcleaner/{22D7B6DD-AB2A-47B1-858B-1F515E6B2C37}
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{22D7B6DD-AB2A-47B1-858B-1F515E6B2C37}
uInternet Settings,ProxyOverride = local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1shtgwx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theglobeandmail.com/
FF - prefs.js: keyword.URL - hxxp://www.bigseekpro.com/search/toolbar/tempcleaner/{22D7B6DD-AB2A-47B1-858B-1F515E6B2C37}?q=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 06:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\user\Application Data\Dropbox\shellext\l\4dbe851a 124 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wxpSvc]
"ImagePath"="c:\program files\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-1450960922-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD40D4B5-171E-9D66-FE6C-06211E3C1F1C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oagddkgahmcppaelnfkmodmlnedoei"=hex:64,61,64,66,69,65,65,69,00,84
"oacaejkalnfpdilcadkgpgacddafnc"=hex:69,61,67,66,66,68,6c,66,61,6d,64,62,6e,67,
6b,6d,69,63,00,00
"naiagkofmpfkojohadlfhofkgaal"=hex:69,61,67,66,66,68,6c,66,61,6d,64,62,6e,67,
6b,6d,69,63,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7b,c8,10,a4,80,cb,78,fb,b7,b8,ee,c8,71,32,ca,8b,93,12,5b,f5,38,
d2,35,a3,ec,bb,8a,bb,1f,1c,f8,aa,57,12,3a,35,ae,f7,13,fc,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{919be9bf-a485-4e12-85c4-79e71d42bc08}]
@Denied: (Full) (Everyone)
"Model"=dword:00000116
"Therad"=dword:00000009
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(500)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3424)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\sql.dll
c:\program files\Unlocker\UnlockerCOM.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\JetAudio\JetFlExt.dll
c:\progra~1\FILEAS~1\FILEAS~1.DLL
c:\program files\WinRAR\rarext.dll
c:\program files\Power MP3 WMA Converter\shellext.dll
c:\program files\MagicISO\misosh.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
c:\program files\Evernote\Evernote\EvernoteClipper.exe
c:\documents and settings\user\Start Menu\Programs\Startup\StickyNotes.exe
c:\program files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe
.
**************************************************************************
.
Completion time: 2011-05-02 06:22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-02 10:22
.
Pre-Run: 24,392,515,584 bytes free
Post-Run: 24,333,864,960 bytes free
.
- - End Of File - - 22CF22A3C9E98D39237CAD8735ABE343

starbuck · May 2, 2011

Hi BigDan

Somehow Notepad's been deleted. Hmmm? Using Wordpad now, although Notepad was fine this afternoon.
Click to expand...

Please post the report found here in your next reply:

C:\Qoobox\ComboFix-quarantined files.txt

Thanks

BigDan · May 2, 2011

here it is

2011-05-02 10:18:44 . 2011-05-02 10:18:44 654 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SpybotSD TeaTimer.reg.dat
2011-05-02 10:18:43 . 2011-05-02 10:18:43 704 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat
2011-05-02 10:05:05 . 2011-05-02 10:05:05 0 ----a-w- C:\Qoobox\Quarantine\Replicators\Replicator_8.txt
2011-05-02 10:02:10 . 2011-05-02 10:02:10 7,405 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-05-02 09:47:33 . 2011-05-02 09:48:34 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-02-16 15:57:38 . 2010-02-16 15:57:38 301,568 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Temp File Cleaner DB Toolbar\tbhelper.dll.vir
2009-09-02 14:42:35 . 2009-03-08 18:09:26 638,816 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\iexplore.exe.vir
2008-12-03 18:55:55 . 2008-04-14 09:41:52 617,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sfcfiles.dll.vir
2008-04-14 09:42:30 . 2008-04-14 09:42:30 69,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.exe.vir

starbuck · May 3, 2011

Hi BigDan

I can see a few p2p programs on the system:

P2P Warning
Please note that as long as you're using any form of Peer-to-Peer networking ( Frostwire, Shareaza, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

Step 1
Your previous 'Helper' asked you to uninstall Spyware Doctor with AntiVirus
Can you confirm it was removed.
It's still showing in the report.

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
Click to expand...

Step 2
I recommend you uninstal:
Advanced SystemCare 3

please read this:
http://www.systemlookup.com/Startup/19005-AWC_exe.html

Step 3
Please download SystemLook and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Double-click the SystemLook icon and copy/paste the following into the box
Code:
:filefind
notepad.exe
iexplore.exe
Click the Look button.... Let it finish the scan

A log will then pop-up on your Desktop.. Post the content of the log here in your next reply.
Thanks

BigDan · May 3, 2011

starbuck said: ↑

Does it say what sort of error?
Does it start to scan at all?
Click to expand...

Yes, says OTL has encountered an error and needs to close. No, doesnt run at all. Doing the rest of your steps now.

BigDan · May 3, 2011

OK Spyware Doctor is fully removed now. I went to Add/Remove programs. It was indeed there, meaning it prolly hadnt been fully erased. Now I did so.

I actually thought Advanced Systemcare was beneficial. It seemed to remove some junk. Nonetheless, got rid of it.

For some reason I cant paste the SystemLook log here. Dont know whats happening, when I hit paste all I get is an S. I'm attaching a screenshot.

starbuck · May 4, 2011

Hi BigDan

I'm attaching a screenshot.
Click to expand...

That's fine, i can see what i wanted.
The problem we have is that writing a script for CF to replace notepad, requires notepad to be working B)
So we'll have to do this manually to replace the removed notepad.exe ( which CF may have removed if it was infected) from a backed up copy.

Let's make sure all the folders/files are showing:

Make sure that you can see hidden files.

Click Start.

Click My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Uncheck the Hide file extensions for known file types.

Click OK.

Navigate to:
C:\Windows\System32\dllcache\notepad.exe right click on notepad.exe and select copy.
Now navigate to:
c:\windows\system32 and paste the notepad.exe into the system32 folder.

now do the same with iexplore:
Navigate to:
C:\Windows\System32\dllcache\iexplore.exe right click on iexplore.exe and select copy.
Now navigate to:
c:\program files\Internet Explorer and paste the iexplore.exe into the Internet Explorer folder.

You can then reverse the hidden files/folders step and hide them all again.

Reboot the system and see if notepad works now.

BigDan · May 4, 2011

OK done, its working

starbuck · Feb 4, 2014

Hi BigDan

OK done, its working
Click to expand...

Ok, before we continue, let's get a fresh MBAM scan done and we'll take it from there.

Please update MBAM and run another scan:
Start MBAM
Click on the Update tab

.

Click Check for Updates

The latest Database Version is: 6507

If it says that MBAM needs to close to update it... let it close and then restart.
Then click the Scan button.

Don't forget:

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

Make sure that everything is checked, and click Remove Selected.

When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Click to expand...

BigDan · May 4, 2011

No malicious items detected.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/04/2011 4:44:13 PM
mbam-log-2011-05-04 (16-44-13).txt

Scan type: Quick scan
Objects scanned: 157532
Time elapsed: 13 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

starbuck · May 4, 2011

Hi BigDan

Ok, that's good.
Let's take care of some locked reg files now.

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Code:
RegNull::
[HKEY_USERS\S-1-5-21-839522115-1450960922-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BD40D4B5-171E-9D66-FE6C-06211E3C1F1C}*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{919be9bf-a485-4e12-85c4-79e71d42bc08}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Let me have the new Combofix.txt in your next reply.

Thanks

BigDan · May 8, 2011

shoot sorry i thought you hadn't written here in a bit. i didnt get any alerts.

i ran combofix. it asked me if id like to update, i said no since i dont know if there's any changes made recently in i downloaded it a few days ago at your request. in hindsight that was probably a mistake huh? anyway here's the log:

ComboFix 11-05-01.02 - user 05/08/2011 14:52:58.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1440 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\sfcfiles.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
.
.
2011-05-07 00:59 . 2011-05-07 00:59 -------- d-----w- c:\documents and settings\user\Application Data\RealHideIP
2011-05-07 00:59 . 2011-05-07 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\RealHideIP
2011-05-06 23:10 . 2011-05-06 23:12 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AskToolbar
2011-05-06 23:10 . 2011-05-06 23:11 -------- d-----w- c:\program files\Ask.com
2011-05-06 23:09 . 2011-05-06 23:09 -------- d-----w- c:\program files\RealHideIP
2011-05-06 23:02 . 2011-05-06 23:02 -------- d-----w- c:\program files\Hotspot Shield
2011-05-04 17:47 . 2009-03-08 18:09 638816 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-05-04 17:45 . 2008-04-14 09:42 69120 ----a-w- c:\windows\system32\notepad.exe
2011-05-04 04:59 . 2011-05-04 04:59 -------- d-----w- c:\program files\UWC
2011-05-04 04:52 . 2011-05-04 04:52 -------- d-----w- c:\program files\Webshots
2011-05-04 04:52 . 2011-05-04 04:52 -------- d-----w- c:\documents and settings\user\Application Data\Webshots
2011-05-03 17:31 . 2011-05-03 21:30 -------- d-----w- c:\program files\DesktopEarth
2011-05-03 09:00 . 2011-05-03 09:00 -------- d-----w- c:\program files\Common Files\SWF Studio
2011-05-03 09:00 . 2011-05-03 09:00 4580537 ----a-w- c:\windows\X-mas Eve Screensaver.scr
2011-05-03 09:00 . 2011-05-03 09:00 45056 ----a-w- c:\windows\NCUNINST.EXe
2011-05-03 09:00 . 2011-05-03 09:00 40960 ----a-w- c:\windows\NCLAUNCH.EXe
2011-05-03 09:00 . 2011-05-03 09:00 -------- d-----w- c:\program files\X-mas Eve Screensaver
2011-05-03 05:38 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-03 05:38 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-03 05:38 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-03 05:38 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-03 05:38 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-03 05:38 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-03 05:38 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-03 05:38 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-03 05:37 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-03 05:37 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-03 05:36 . 2011-05-03 05:36 -------- d-----w- c:\program files\AVAST Software
2011-05-03 05:36 . 2011-05-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-02 10:17 . 2011-05-05 07:01 -------- d--h--w- c:\windows\$hf_mig$
2011-05-02 09:28 . 2011-05-02 09:28 -------- d-----w- c:\program files\Microsoft Reader
2011-05-02 09:28 . 2003-06-05 21:15 57436 ----a-w- c:\windows\DASShp.dll
2011-05-02 09:28 . 2003-05-23 04:15 217174 ----a-w- c:\program files\Common Files\Microsoft Shared\ClearType\ctras.dll
2011-04-25 23:42 . 2011-04-25 23:42 -------- d-----w- c:\program files\IObit
2011-04-25 23:42 . 2011-04-25 23:42 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-23 02:08 . 2011-04-23 02:09 -------- d-----w- c:\program files\ERUNT
2011-04-22 22:44 . 2011-04-23 16:54 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-22 22:35 . 2011-04-22 22:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-19 23:43 . 2011-05-03 18:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-04-19 00:36 . 2011-05-05 18:41 -------- d-----w- c:\windows\system32\wbem\Logs
2011-04-19 00:20 . 2011-05-02 06:23 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Temp
2011-04-17 19:52 . 2011-04-17 19:52 -------- d-----w- c:\program files\Easy-Hide-IP
2011-04-16 18:10 . 2011-04-16 18:11 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-14 04:29 . 2011-04-14 04:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-04-12 04:28 . 2011-04-12 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-04-12 04:23 . 2011-04-12 04:23 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Secunia PSI
2011-04-12 04:22 . 2011-04-12 04:22 -------- d-----w- c:\program files\Secunia
2011-04-12 04:22 . 2011-04-12 04:22 -------- d-----w- c:\documents and settings\user\Application Data\Toolbar4
2011-04-12 04:22 . 2011-05-02 10:05 -------- d-----w- c:\program files\Temp File Cleaner DB Toolbar
2011-04-12 04:22 . 2011-04-12 04:22 -------- d-----w- c:\program files\Temp File Cleaner
2011-04-10 20:57 . 2011-04-10 20:57 -------- d-----w- c:\program files\Common Files\Java
2011-04-10 20:54 . 2011-04-10 20:54 -------- d-----w- c:\program files\Sun
2011-04-09 14:42 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 14:42 . 2011-04-09 14:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 14:42 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 09:57 . 2011-04-09 09:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-10 20:53 . 2010-11-04 23:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-10 20:53 . 2009-09-07 06:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 05:33 . 2009-09-02 14:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 09:42 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-14 05:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-14 09:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2008-04-14 04:07 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-14 04:47 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-14 04:45 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-09-04 21:55 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-14 09:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 09:42 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 09:41 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 09:41 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-01 23:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2010-11-18 02:29 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-16 225280]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2011-05-03 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-01-07 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-25 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
StickyNotes.exe [2009-5-19 483328]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bandwidth Monitor Pro.lnk - c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe [2005-1-8 225280]
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2010-12-16 293950]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 16:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2011-01-07 23:53 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 02:13 208952 -c--a-w- c:\windows\ime\IMJP8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 02:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
2001-08-01 17:30 94208 ----a-w- c:\program files\QUICKENW\qagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 18:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 20:28 577536 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-01 19:23 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SugarSync]
2010-11-18 02:29 14790656 ----a-w- c:\program files\SugarSync\SugarSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-09-25 20:03 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\wLite\\wLite.exe"=
"c:\\Program Files\\wLite\\wService.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\RNX-N150UBE\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Easy-Hide-IP\\easy-hide-ip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"85:TCP"= 85:TCP:BroadWave Web Server
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02/05/2010 2:17 PM 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [05/03/2011 1:38 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/03/2011 1:38 AM 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/03/2011 1:38 AM 19544]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [01/11/2010 1:49 AM 34712]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [01/10/2011 10:24 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [01/10/2011 10:24 AM 399416]
S1 MpKsl46d3683f;MpKsl46d3683f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B6A7AF-9ADF-48EE-B9B7-3EA6C65A6B94}\MpKsl46d3683f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A8B6A7AF-9ADF-48EE-B9B7-3EA6C65A6B94}\MpKsl46d3683f.sys [?]
S2 gupdate1ca303f1aa26f2a;Google Update Service (gupdate1ca303f1aa26f2a);c:\program files\Google\Update\GoogleUpdate.exe [09/08/2009 12:44 AM 133104]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [12/23/2010 4:03 PM 44432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [09/08/2009 12:44 AM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 lgmdbus;LG Mobile driver (WDM);c:\windows\system32\drivers\lgmdbus.sys [06/14/2010 10:53 PM 89600]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [12/15/2010 2:35 AM 131888]
S3 wxpSvc;webcamXP Service;c:\program files\wLite\wService.exe [05/02/2010 5:34 PM 5027328]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HSSSRV
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-10-15 03:29]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 04:44]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 04:44]
.
2011-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1450960922-1801674531-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-14 23:18]
.
2011-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1450960922-1801674531-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-14 23:18]
.
2011-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-1450960922-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-05-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-1450960922-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
2011-05-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-01 23:17]
.
2011-02-23 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-06-21 02:57]
.
2011-05-08 c:\windows\Tasks\User_Feed_Synchronization-{E9078856-2E39-4A58-995F-39847461201E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2010-10-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-06-21 02:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=102876&l=dis&gct=hp
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{22D7B6DD-AB2A-47B1-858B-1F515E6B2C37}
uInternet Settings,ProxyServer = http=;ftp=;https=;
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\1shtgwx9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://globeandmail.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=HIP&o=102876&locale=en_US&apn_uid=42d2e64c-8756-4dd2-8bc6-2017f532a7d9&apn_ptnrs=6G&apn_sauid=B330931F-F64A-44BA-9898-BE0C8A054371&apn_dtid=YYYYYYYYCA&q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HotspotShield - c:\program files\Hotspot Shield\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-08 15:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wxpSvc]
"ImagePath"="c:\program files\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(556)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\NTMARTA.DLL
.
- - - - - - - > 'explorer.exe'(5100)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\user\Start Menu\Programs\Startup\StickyNotes.exe
c:\program files\Winamp\winamp.exe
.
**************************************************************************
.
Completion time: 2011-05-08 15:11:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-08 19:11
ComboFix2.txt 2011-05-02 10:22
.
Pre-Run: 23,570,423,808 bytes free
Post-Run: 23,529,979,904 bytes free
.
- - End Of File - - CEB86038AF92A7D59546BD32EC0D9E6A

BeeCeeBee · May 8, 2011

i didnt get any alerts.
Click to expand...

Just a note. Make sure your notification settings are as you want them and be sure to "Watch Topic" at the top of the page and you should get the proper notification. If not let us know. Now back to the topic.

starbuck · May 8, 2011

Hi BigDan,

i ran combofix. it asked me if id like to update, i said no since i dont know if there's any changes made recently
Click to expand...

It would have been better to have updated it, that's why this is in the report:

- REDUCED FUNCTIONALITY MODE -
Click to expand...

As with most security software, CF will check for any updates before it runs.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
Click to expand...

Where did Avast come from??
Why was it added??

It is not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Avast or Microsoft Security Essentials.

Let's double check everything:

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

Click the button.

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer.
Save it to your desktop.

Double click on the icon on your desktop.

Check

Click the button.

Accept any security warnings from your browser.

Check

Click the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

When the scan completes, push

Click , and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply.

Click the button.

Click

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Note:
It's been found that on some systems the Eset's Online Scan fails during the database download ( around 20% )
To prevent this happening:
When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

In your next reply, please submit:
Eset scan report

Thanks.

BigDan · May 8, 2011

Where did Avast come from??
Why was it added??

It is not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
Click to expand...

Avast was added because I didn't have any virus scanner. I started this thread because I wasn't able to install MSE for some reason. I did in fact have it earlier but dont anymore. I went thru my programs 4 times and dont see MSE anywhere.

Am doing the ESET scan right now.

BigDan · May 9, 2011

Wow this scan took a LOOONG time. 4 hours!

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined
C:\System Volume Information\_restore{771AD627-E393-463A-8841-12A4937A3BE1}\RP14\A0003680.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined
C:\System Volume Information\_restore{771AD627-E393-463A-8841-12A4937A3BE1}\RP35\A0005471.exe a variant of Win32/HotSpotShield application deleted - quarantined
C:\System Volume Information\_restore{771AD627-E393-463A-8841-12A4937A3BE1}\RP42\A0005707.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined

First hit, Hotspot, was something I recently installed. Although it slows things down I havent found it to be virus related. Basically it allows me to watch videos on CBS that are otherwise restricted to US only. No illegal file sharing. I've used it in the past a lot as well.

starbuck · May 9, 2011

Hi BigDan

I went thru my programs 4 times and dont see MSE anywhere.
Click to expand...

If MSSE has been removed, then the entry in the CF report must still be an entry in the WMI.
We can remove that.

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Code:
SecCenter:: 
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Let CF update this time when you run the scan.

BigDan · May 12, 2011

ive just run the scan. took a loooong time. now cfscript has been removed from the desktop, and i dont see a combofix log. not sure what to do?

BigDan · May 12, 2011

actually i just remembered the qoobox directory. i went there, 2 files added today, one is add-remove programs, other is combofix quarantined files. im pasting the contents of the second one below.

2011-05-08 19:09:03 . 2011-05-08 19:09:03 1,426 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HotspotShield.reg.dat
2011-05-08 18:52:36 . 2011-05-12 20:36:33 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-05-08 18:49:30 . 2011-05-12 20:30:16 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-05-04 17:47:01 . 2009-03-08 18:09:26 638,816 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\iexplore.exe.vir
2011-05-04 17:45:55 . 2008-04-14 09:42:30 69,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\NOTEPAD.EXE.vir
2011-05-02 10:18:44 . 2011-05-02 10:18:44 654 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SpybotSD TeaTimer.reg.dat
2011-05-02 10:18:43 . 2011-05-02 10:18:43 704 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Adobe Reader Speed Launcher.reg.dat
2011-05-02 10:05:05 . 2011-05-02 10:05:05 0 ----a-w- C:\Qoobox\Quarantine\Replicators\Replicator_8.txt
2011-05-02 10:02:10 . 2011-05-12 20:53:42 7,388 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-02-16 15:57:38 . 2010-02-16 15:57:38 301,568 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Temp File Cleaner DB Toolbar\tbhelper.dll.vir
2008-12-03 18:55:55 . 2008-04-14 09:41:52 617,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\sfcfiles.dll.vir
2008-04-14 09:42:40 . 2008-04-14 09:42:40 26,112 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir

starbuck · May 13, 2011

Hi BigDan

and i dont see a combofix log. not sure what to do?
Click to expand...

It should be here:
C:\ComboFix.txt

If entries have been added to the 'Qoobox', then that means that CF did run correctly.

Log in or Sign up

Cant Update Mse

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BeeCeeBee ADMINISTRATOR IN MEMORY

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

Share This Page

Log in or Sign up

Cant Update Mse

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BeeCeeBee ADMINISTRATOR IN MEMORY

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

BigDan Registered Members

BigDan Registered Members

starbuck Rest In Peace Pete Administrator

Share This Page

Useful Searches