El Tel

Back Door Trojan Anything Left Over From


Hi.

 

Before I posted my question in User To User about "User Accounts & HijackThis" usage, I had to do a System Restore from an Administrator Account to get Internet access back on the affected Limited User Account. This was all performed by Remote Access.

Since then I have run CCleaner, Malwarebytes and SuperAntiSpyware.

My mini log so I don't lose track:

19 files in the Malwarebytes virus vault from yesterday.

Ran Malwarebytes Full Scan 08:05 30/04/2011. Nothing found.

SuperAntiSpyware found "File threats detected: 255" yesterday.

Now going to run SuperAntiSpyware Full Scan (FREE).

47 tracking cookies, of which 3 were mine to do with signing into MSN etc.

Deleted 43, saved 3 of mine.

Re-boot required. 09:14 30/04/2011. Re-boot was very quick.

Running SuperAntiSpyware again to check my 3 cookies out... Not sure if I saved them or what.

Apart from that SuperAntiSpyware all clean 10:28 30/04/2011.

Ran DDS, have 2 log files to post on PCPitStop 10:36 30/04/2011.

Posted below.

 

.

DDS (Ver_11-03-05.01) - NTFS_AMD64

Run by El Tel at 10:30:27.80 on 30/04/2011

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2815.1453 [GMT 1:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~2\AVG\AVG10\avgchsva.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\nvvsvc.exe

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

c:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe

C:\Windows\system32\lxeacoms.exe

C:\Program Files (x86)\NTR global\NTRconnect\NTRconnect.exe

C:\Program Files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe

C:\Program Files (x86)\AVG\AVG10\avgnsa.exe

C:\Program Files (x86)\AVG\AVG10\avgemca.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe

C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe

C:\Windows\vsnpstd3.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\QuickTime\qttask.exe

C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~2\AVG\AVG10\avgrsa.exe

C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\El Tel\Downloads\Virus Tools\CDRS Script\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mWinlogon: Userinit=userinit.exe,

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {0FADB9AA-6955-4319-B538-BB1461E11A28} - hxxps://www.ntrconnect.com/main/mod/setup/beta/ntrplugin1242v_2.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

TB-X64: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

mRun-x64: [lxeamon.exe] "C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe"

mRun-x64: [EzPrint] "C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe"

mRun-x64: [snpstd3] C:\Windows\vsnpstd3.exe

.

================= FIREFOX ===================

.

FF - ProfilePath -

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-12-22 55024]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]

R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-8 169312]

R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]

R2 Greg_Service;GRegService;C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-8-28 1150496]

R2 lxea_device;lxea_device;C:\Windows\system32\lxeacoms.exe -service --> C:\Windows\system32\lxeacoms.exe -service [?]

R2 ntrconnect;ntrconnect;C:\Program Files (x86)\NTR global\NTRconnect\NTRconnect.exe [2010-2-11 403184]

R2 OberonGameConsoleService;Oberon Media Game Console service;C:\Program Files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe [2009-10-28 44312]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-2-1 583640]

R2 Updater Service;Updater Service;C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-10-28 240160]

R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 157264]

R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]

R3 NTRvdd;NTRvdd;C:\Windows\System32\drivers\NTRvdd.sys [2010-12-12 28216]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2009-10-28 83488]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxeaserv.exe [2010-10-26 45736]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-2-13 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]

S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-14 27136]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-28 1255736]

.

=============== Created Last 30 ================

.

2011-04-30 06:19:55 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{01A06640-624F-41BD-A844-FA8B5ADC1561}

2011-04-28 16:58:57 -------- d-----w- C:\Users\ELTEL~1\AppData\Roaming\SUPERAntiSpyware.com

2011-04-28 16:58:57 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com

2011-04-28 16:58:47 -------- d-----w- C:\PROGRA~3\!SASCORE

2011-04-28 16:58:45 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-04-28 13:07:25 388096 ----a-r- C:\Users\ELTEL~1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-04-28 10:23:22 -------- d-----w- C:\Users\ELTEL~1\AppData\Roaming\Malwarebytes

2011-04-28 10:23:17 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-04-28 10:23:16 -------- d-----w- C:\PROGRA~3\Malwarebytes

2011-04-28 10:23:13 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-04-28 10:23:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-04-28 09:38:13 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{1D3A2E4C-179E-4169-A2EA-6F77D38D8E6A}

2011-04-27 13:39:18 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{53C3A166-C5F7-4053-9D42-B6EE70ABEECC}

2011-04-27 12:53:44 2870272 ----a-w- C:\Windows\explorer.exe

2011-04-27 12:53:42 2614784 ----a-w- C:\Windows\SysWow64\explorer.exe

2011-04-27 12:51:30 662528 ----a-w- C:\Windows\System32\XpsPrint.dll

2011-04-27 12:51:30 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2011-04-27 12:50:09 2566144 ----a-w- C:\Windows\System32\esent.dll

2011-04-27 12:50:09 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2011-04-27 12:50:08 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys

2011-04-27 12:50:08 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys

2011-04-27 12:50:08 187264 ----a-w- C:\Windows\System32\drivers\storport.sys

2011-04-27 12:50:08 1686016 ----a-w- C:\Windows\SysWow64\esent.dll

2011-04-27 12:50:08 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys

2011-04-27 12:50:08 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys

2011-04-27 12:50:08 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys

2011-04-27 12:50:07 96768 ----a-w- C:\Windows\System32\fsutil.exe

2011-04-27 12:50:07 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe

2011-04-27 12:48:25 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe

2011-04-27 12:48:25 31232 ----a-w- C:\Windows\System32\prevhost.exe

2011-04-27 12:32:16 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{92C0150D-F102-47D8-84E4-7CE651F01DB1}

2011-04-26 21:12:14 -------- d-----w- C:\Program Files (x86)\Trend Micro

2011-04-26 21:07:38 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{58E61256-2807-4F73-84F9-F52220B7FD4D}

2011-04-26 20:41:01 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\Google

2011-04-14 10:40:02 32592 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\np_gp.dll

2011-04-14 10:27:46 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{0FF0A447-8A59-4320-A5BF-14D41D3675BD}

2011-04-14 05:52:57 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-04-14 02:39:02 103864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-04-14 02:39:02 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

2011-04-13 10:54:35 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{6AE3DC88-D390-4262-A384-7FB20B8BDF7C}

.

==================== Find3M ====================

.

2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll

2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll

2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll

2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-03-04 06:17:25 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2011-03-04 06:17:24 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys

2011-02-24 06:30:00 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll

2011-02-24 06:29:15 1197056 ----a-w- C:\Windows\System32\wininet.dll

2011-02-24 06:24:57 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2011-02-24 05:32:52 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll

2011-02-24 05:30:16 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2011-02-24 05:05:13 482816 ----a-w- C:\Windows\System32\html.iec

2011-02-24 04:24:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-02-24 04:23:48 386048 ----a-w- C:\Windows\SysWow64\html.iec

2011-02-24 03:50:26 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-02-23 05:16:28 461312 ----a-w- C:\Windows\System32\drivers\srv.sys

2011-02-23 05:16:01 401920 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-02-23 05:15:50 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2011-02-23 05:15:27 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys

2011-02-23 05:15:14 286720 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys

2011-02-23 05:15:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys

2011-02-23 05:15:06 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys

2011-02-19 06:37:44 1135104 ----a-w- C:\Windows\System32\FntCache.dll

2011-02-19 06:37:10 1540608 ----a-w- C:\Windows\System32\DWrite.dll

2011-02-19 06:36:49 902656 ----a-w- C:\Windows\System32\d2d1.dll

2011-02-19 06:36:13 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll

2011-02-19 05:32:35 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2011-02-19 05:32:08 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-02-19 04:13:39 367104 ----a-w- C:\Windows\System32\atmfd.dll

2011-02-19 03:37:02 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-02-18 06:37:05 612352 ----a-w- C:\Windows\System32\vbscript.dll

2011-02-18 05:36:26 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll

2011-02-12 06:14:41 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe

2011-02-05 12:41:43 556928 ----a-w- C:\Windows\System32\winresume.efi

2011-02-05 12:41:35 640896 ----a-w- C:\Windows\System32\winload.efi

2011-02-05 12:41:24 20352 ----a-w- C:\Windows\System32\kdusb.dll

2011-02-05 12:41:24 19328 ----a-w- C:\Windows\System32\kd1394.dll

2011-02-05 12:41:23 17792 ----a-w- C:\Windows\System32\kdcom.dll

2011-02-05 12:39:21 603976 ----a-w- C:\Windows\System32\winload.exe

2011-02-05 12:39:21 518160 ----a-w- C:\Windows\System32\winresume.exe

.

============= FINISH: 10:31:03.54 ===============

 

 

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 07/02/2010 13:25:37

System Uptime: 30/04/2011 09:14:51 (1 hours ago)

.

Motherboard: Packard Bell | | WMCP78M

Processor: AMD Athlon™ II X3 425 Processor | Socket AM2 | 2700/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 143 GiB total, 103.334 GiB free.

D: is FIXED (NTFS) - 143 GiB total, 142.686 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP78: 27/04/2011 07:24:34 - Hopefully Remove Back Door Trojan csrss exe

RP79: 27/04/2011 07:52:03 - Windows Update

RP80: 27/04/2011 13:21:19 - Windows Update

RP81: 27/04/2011 13:34:06 - Restore Operation

RP82: 27/04/2011 13:41:37 - Windows Update

RP83: 27/04/2011 14:24:33 - Adobe AVG Up Dated All Looking Well So Far

RP84: 27/04/2011 14:55:16 - All Looks OK Auto Up Dates ON AVG Up Dated

RP85: 27/04/2011 14:56:02 - Windows Update

RP86: 27/04/2011 15:37:20 - All Up Date Sorted All Looking Well

RP87: 28/04/2011 14:07:05 - Installed HiJackThis

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

2007 Microsoft Office Suite Service Pack 2 (SP2)

ABBYY FineReader 6.0 Sprint

Acrobat.com

Adobe AIR

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop Elements 7.0

Adobe Reader 9.4.4 MUI

Adobe Shockwave Player 11.5

Advertising Center

Alice Greenfingers

Amazonia

Aspell English Dictionary-0.50-2

Block Porn(remove only)

Chicken Invaders 2

CM4

Compatibility Pack for the 2007 Office system

D3DX10

Dairy Dash

Dream Day First Home

EAX Unified

eBay Worldwide

Expenses for Ministry

Farm Frenzy 2

First Class Flurry

GNU Aspell 0.50-3

Granny In Paradise

greenstreet Draw 3.0

greenstreet Publisher 3.13

greenstreet Utilities

Heroes of Hellas

HiJackThis

Identity Card

ieSpell

ImagXpress

Java Auto Updater

Java™ 6 Update 22

Junk Mail filter update

Lexmark Printable Web

Lexmark Toolbar

Lexmark Tools for Office

Malwarebytes' Anti-Malware

Merriam Websters Spell Jam

Metaboli

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office Live Add-in 1.3

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2007

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works

Mozilla Firefox (3.6.10)

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero 9 Essentials

Nero ControlCenter

Nero DiscSpeed

Nero DiscSpeed Help

Nero DriveSpeed

Nero DriveSpeed Help

Nero Express Help

Nero InfoTool

Nero InfoTool Help

Nero Installer

Nero Online Upgrade

Nero StartSmart

Nero StartSmart Help

Nero StartSmart OEM

NeroExpress

neroxml

Notepad++

NTRConnect

NVIDIA ForceWare Network Access Manager

Packard Bell GameZone Console

Packard Bell InfoCentre

Packard Bell Recovery Management

Packard Bell Registration

Packard Bell ScreenSaver

Packard Bell Software Suite SE

Packard Bell Updater

Play Disney's Tigger's Honey Hunt

Puppy Luv A New Breed

QuickTime

Realtek High Definition Audio Driver

Registry Mechanic 10.0

Search for the Secret Keys

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2466156)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft Office Excel 2007 (KB2464583)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2464594)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Update for 2007 Microsoft Office System (KB2284654)

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Visual C++ 8.0 Runtime Setup Package (x64)

Visual Studio 2008 x64 Redistributables

Welcome Center

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinPatrol

.

==== Event Viewer Messages From Past Week ========

.

30/04/2011 09:15:27, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxeaCATSCustConnectService service to connect.

30/04/2011 09:15:27, Error: Service Control Manager [7000] - The lxeaCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

29/04/2011 21:54:11, Error: Microsoft-Windows-WMPNSS-Service [14365] - Proximity detection failed due to unknown error '0x80004004'. The best proximity time detected was -1 milliseconds.

28/04/2011 16:23:48, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D3DCB472-7261-43CE-924B-0704BD730D5F} and APPID {D3DCB472-7261-43CE-924B-0704BD730D5F} to the user dixon-PC\El Tel SID (S-1-5-21-909527836-1280678326-320050609-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

28/04/2011 16:23:48, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {145B4335-FE2A-4927-A040-7C35AD3180EF} and APPID {145B4335-FE2A-4927-A040-7C35AD3180EF} to the user dixon-PC\El Tel SID (S-1-5-21-909527836-1280678326-320050609-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

27/04/2011 11:12:07, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB982018).

27/04/2011 11:02:51, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB2522422).

27/04/2011 11:02:51, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB2515325).

27/04/2011 11:02:51, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB2492386).

.

==== End Of File ===========================

 

I noticed some missing/failed Windows Updates; I will sort these when advised.

 

Regards

 

El Tel

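The DDS report above is what helpers read by hand. As an added example (not part of the thread, and not DDS or HijackThis code), here is a small Python triage script for the line formats DDS prints in its Pseudo HJT Report and SERVICES / DRIVERS sections. It picks out what a helper usually checks first: browser entries that still point at "No File", service entries DDS could not verify (the "[?]" tag), and autorun entries whose executable lives outside Program Files or the Windows directory. The sample lines are copied from the posted log, except the "updater" uRun line under a Temp folder, which is constructed so that the last check fires; the trusted-root list and the line-format assumptions are mine.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example: not DDS, HijackThis or forum code. It assumes the line layouts
seen in the posted log (BHO:/TB:/uRun:/mRun:/Rn Sn service lines).
"""
import re
from collections import Counter

# Constructed sample: lines copied from the DDS log in the thread, plus one
# made-up uRun line (updater.exe under Temp) so the user-profile check fires.
SAMPLE_LOG = r"""
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
uRun: [updater] C:\Users\ELTEL~1\AppData\Local\Temp\updater.exe
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
TB-X64: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
mRun-x64: [snpstd3] C:\Windows\vsnpstd3.exe
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
R2 lxea_device;lxea_device;C:\Windows\system32\lxeacoms.exe -service --> C:\Windows\system32\lxeacoms.exe -service [?]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-2-13 48488]
"""

# uRun/mRun (and -x64 variants): "[name] command line"
AUTORUN_RE = re.compile(r'^(?P<key>[um]Run(?:-x64)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# BHO/TB (and -X64 variants): "Name: {CLSID} - path" or "... - No File"
BROWSER_RE = re.compile(r'^(?P<key>(?:BHO|TB)(?:-X64)?): (?P<rest>.+)$')
# Services/drivers: "R2 name;display;image [date size]" or "... [?]" when unverified
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+) \[(?P<tag>[^\]]*)\]$')
# Executable path at the start of a command line, quoted or not
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)', re.IGNORECASE)
# Assumed "normal" roots for autorun images; anything else gets a second look
TRUSTED_ROOTS = ('c:\\program files', 'c:\\windows')


def image_path(cmd):
    """Strip a command line down to its executable path."""
    m = IMAGE_RE.match(cmd)
    return (m.group('q') or m.group('u')) if m else cmd


def triage(text):
    """Return the entries worth a closer look, keyed by category."""
    report = {'orphans': [], 'unverified_services': [], 'autoruns': [],
              'autoruns_outside_trusted_roots': [], 'service_states': Counter()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := AUTORUN_RE.match(line)):
            path = image_path(m.group('cmd'))
            entry = (m.group('key'), m.group('name'), path)
            report['autoruns'].append(entry)
            if not path.lower().startswith(TRUSTED_ROOTS):
                report['autoruns_outside_trusted_roots'].append(entry)
        elif (m := BROWSER_RE.match(line)):
            # "No File": the registry still references a file that is not on disk
            if m.group('rest').endswith(' - No File'):
                report['orphans'].append((m.group('key'), m.group('rest')[:-len(' - No File')]))
        elif (m := SERVICE_RE.match(line)):
            report['service_states'][m.group('state')] += 1
            if m.group('tag') == '?':
                report['unverified_services'].append(m.group('name'))
    return report


if __name__ == '__main__':
    for category, entries in triage(SAMPLE_LOG).items():
        print(category, entries)
```

An orphan entry means the registry still names a file that no longer exists; it is clean-up rather than an active component, which is why helpers treat the two "No File" toolbar CLSIDs in the log as leftovers. The "[?]" tag on a service line means DDS could not read the file's date and size, so that image is the one to verify by hand; the autorun-root check only says "look here first", not "this is malicious".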

El Tel,

 

Log is looking good.

 

Let's get an online scan.

 

ESET Online Scanner:

 

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

 

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

 

  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.

    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: [image]
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Hi Tom K

 

Now please don't shout at me as there is not much of a log file. I omitted the :pullhair: un-check of "Remove Threats Found", stopped at approx 43%, then uninstalled, restarted, then unchecked the box :rolleyes: I should have done on the first attempt.

 

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

 

Now all 53 offending NQF files have gone into a Quarantine Folder. If necessary, I did see an un-quarantine button and I won't mind if I have to do it again.


I have re-booted and all seems well, and I have created two more "Restore Points".


Regards

El Tel


Not going to yell. The only reason I don't like to let it remove things automatically is because I'm a control freak and don't completely trust it. I just like to look for false positives and remove only what I think needs removing. However, false positives are fairly rare and typically don't cause any "major" problems. Worst case usually only requires something to be reloaded if you really want it.


Have you got a log of what went on that you can post?


Hi Tom K


As you can tell, I managed to unravel yesterday's mistakes. Below is the log file requested.


C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\ea90b40-315c8fb5 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\61e17f8b-5c0a8b81 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-60d50c6f Java/TrojanDownloader.OpenStream.NBS trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\671a8acc-63cfd8af multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\1623eb0d-1cf3073d a variant of Java/TrojanDownloader.OpenStream.NBV trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\3c15550e-4066262b multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\4491a0ce-79f64a18 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\7a43fc8f-3752894f a variant of Java/TrojanDownloader.OpenStream.NBM trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\37841f52-1163668e multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\3b1f9752-3410170f multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\40fa5453-753e1d37 a variant of Java/TrojanDownloader.OpenConnection.MU trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\4e2d6d53-3e2612e2 a variant of Java/TrojanDownloader.OpenStream.NBM trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\57b9b494-37d1f0e7 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\4e16e85c-3c2088cd multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b5bc45d-19d89a17 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\642c9e1f-6f02baf4 Java/TrojanDownloader.OpenConnection.CU trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\3c061da0-44f425fb multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\596f0d21-14d53503 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\631320a1-12591044 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\585069a2-59f14339 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\680ae462-72c51d32 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\5dc585a4-194beadd multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\bd5f8a4-12a62926 a variant of Java/TrojanDownloader.OpenStream.NBV trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\357b8ba7-45b38a5f multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1dd8e368-7f076aaf multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\657c8c28-3c14f5e1 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\3cb543ea-5f14d4a8 a variant of Java/TrojanDownloader.OpenStream.NBF trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\7292abea-2f05101a multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\7d92c22a-657ef110 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\54529aec-2361eeaa a variant of Java/TrojanDownloader.OpenStream.NBF trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\4fb8e06e-694476d9 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\571a22b0-1c674204 a variant of Java/TrojanDownloader.OpenStream.NBF trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\5e8fad71-17d52d2b multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\221732c5-1dabbb26 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\5cabd233-741c0c89 a variant of Java/TrojanDownloader.OpenStream.NBV trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\e5acb8-25629974 a variant of Java/TrojanDownloader.OpenStream.NBF trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\268abc7b-1b154dd4 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6008ac86-689337c4 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\36fd777c-4bee78f0 a variant of Java/TrojanDownloader.OpenStream.NBF trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4fffbfbc-5761e783 Java/TrojanDownloader.OpenStream.NAX trojan

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\7225587d-3141a043 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\6da3faff-251fee91 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\1693fbc7-191dc8f0 multiple threats

C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\74bbd789-72be9d97 multiple threats


Regards


El Tel


Aha... you have an infected Java cache. When you go to a web page that runs Java, like games, little Java applets are downloaded to make them run. These applets are stored in the Java cache so that next time you want to play the game (or whatever) the applet is already there, ready to run, instead of having to be downloaded again. Most of what was found are just "vulnerable" while some are malicious. We'll clean them out and get you updated to the current version.


Your Java is out of date.


Java 6 can be updated from the Java Control Panel. Go Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.


Now to Clean out the Java cache:


Go into the Control Panel and double-click the Java Icon. Posted Image

  • Under Temporary Internet Files, click the Settings... button.
  • Click the Delete Files button.
  • There are two options in the window to clear the cache - leave both checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Settings.
  • Click OK to leave the Java Control Panel.

Then please run a new set of DDS logs for me to have a final look at.


Also, let me know how things are running on your end.

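As an added example (not from this thread, ESET or DDS), here is a small Python triage script for the kind of ESET Online Scanner log posted above and the Java cache explanation that follows it: it parses each detection line, normalises ESET's family names, and checks whether every hit lies under the Java deployment cache, so that clearing the cache can be confirmed as covering all of them. The sample lines are copied from the log above plus one constructed hit outside the cache; the two regular expressions are assumptions about the log layout, not an ESET specification.

```python
"""Triage an ESET Online Scanner log: which hits sit in the Java deployment cache?"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One detection per line: "<path><whitespace><detection name>".  Paths may contain
# spaces ("Bryn Limited"), so the detection is anchored at the end of the line instead
# of splitting on whitespace.  Names seen in the log above are either the generic
# "multiple threats" or "[a variant of ]Family/Name.Variant <type>".  (Assumed layout.)
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>multiple threats|"
    r"(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*)\s*$"
)

# Java applet / Web Start cache layout: ...\Sun\Java\Deployment\cache\<ver>\<bucket>\<hash>-<hash>
JAVA_CACHE_RE = re.compile(
    r"\\Sun\\Java\\Deployment\\cache\\(?P<version>[\d.]+)\\(?P<bucket>\d+)\\[0-9a-f]+-[0-9a-f]+$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    detection: str               # verbatim text from the scanner
    family: str                  # normalised, e.g. "Java/TrojanDownloader.OpenStream.NBV"
    cache_bucket: Optional[str]  # numbered cache sub-folder, or None when outside the cache


def normalise_family(detection: str) -> str:
    """Strip ESET's qualifiers and the trailing type word to get a comparable family name."""
    if detection == "multiple threats":
        return detection
    name = detection
    for prefix in ("probably ", "a variant of "):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name.split(" ")[0]


def parse_eset_log(text: str) -> list:
    """Return one Detection per detection line; header and status lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path, detection = m.group("path"), m.group("detection")
        cache = JAVA_CACHE_RE.search(path)
        found.append(Detection(path, detection, normalise_family(detection),
                               cache.group("bucket") if cache else None))
    return found


def summarize(detections: list) -> dict:
    """Counts per family plus whether clearing the Java cache would cover every hit."""
    in_cache = [d for d in detections if d.cache_bucket is not None]
    outside = [d.path for d in detections if d.cache_bucket is None]
    return {
        "total": len(detections),
        "in_java_cache": len(in_cache),
        "outside_java_cache": outside,
        "families": dict(Counter(d.family for d in detections)),
        "cache_buckets": sorted({d.cache_bucket for d in in_cache}, key=int),
        # True means the cache clean-out described in the post removes every listed file.
        "cache_only": len(outside) == 0,
    }


# Constructed sample: two status lines and seven detections copied from the log above,
# plus one made-up hit outside the cache (a path with a space in the file name).
CACHE = r"C:\Users\Bryn Limited\AppData\LocalLow\Sun\Java\Deployment\cache\6.0"
SAMPLE_LOG = "\n".join([
    "OnlineScanner64.ocx - registred OK",
    "OnlineScanner.ocx - registred OK",
    CACHE + r"\0\ea90b40-315c8fb5 multiple threats",
    CACHE + r"\12\3cc664c-60d50c6f Java/TrojanDownloader.OpenStream.NBS trojan",
    CACHE + r"\13\1623eb0d-1cf3073d a variant of Java/TrojanDownloader.OpenStream.NBV trojan",
    CACHE + r"\19\40fa5453-753e1d37 a variant of Java/TrojanDownloader.OpenConnection.MU trojan",
    CACHE + r"\31\642c9e1f-6f02baf4 Java/TrojanDownloader.OpenConnection.CU trojan",
    CACHE + r"\51\5cabd233-741c0c89 a variant of Java/TrojanDownloader.OpenStream.NBV trojan",
    CACHE + r"\60\4fffbfbc-5761e783 Java/TrojanDownloader.OpenStream.NAX trojan",
    r"C:\Users\Bryn Limited\Downloads\game setup.exe multiple threats",  # constructed
])

if __name__ == "__main__":
    for key, value in summarize(parse_eset_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```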

Hi Tom K


Followed your instructions properly this time... :blushing: Java updated OK; cleaned out the Temporary Cache, Applications & Applets, and the Trace and Log Files.

I did set it to check weekly :unsure: rather than monthly.


.

DDS (Ver_11-03-05.01) - NTFS_AMD64

Run by El Tel at 19:34:58.36 on 03/05/2011

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2815.1637 [GMT 1:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~2\AVG\AVG10\avgchsva.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\nvvsvc.exe

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

c:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe

C:\Windows\system32\lxeacoms.exe

C:\Program Files (x86)\NTR global\NTRconnect\NTRconnect.exe

C:\Program Files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe

C:\Program Files (x86)\AVG\AVG10\avgnsa.exe

C:\Program Files (x86)\AVG\AVG10\avgemca.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe

C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe

C:\Windows\vsnpstd3.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Program Files (x86)\QuickTime\qttask.exe

C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\PROGRA~2\AVG\AVG10\avgrsa.exe

C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe

C:\Windows\system32\msiexec.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\El Tel\Downloads\Virus Tools\CDRS Script\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mWinlogon: Userinit=userinit.exe,

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {0FADB9AA-6955-4319-B538-BB1461E11A28} - hxxps://www.ntrconnect.com/main/mod/setup/beta/ntrplugin1242v_2.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

TB-X64: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

mRun-x64: [lxeamon.exe] "C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe"

mRun-x64: [EzPrint] "C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe"

mRun-x64: [snpstd3] C:\Windows\vsnpstd3.exe

.

================= FIREFOX ===================

.

FF - ProfilePath -

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-12-22 55024]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]

R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-8 169312]

R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]

R2 Greg_Service;GRegService;C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-8-28 1150496]

R2 lxea_device;lxea_device;C:\Windows\system32\lxeacoms.exe -service --> C:\Windows\system32\lxeacoms.exe -service [?]

R2 ntrconnect;ntrconnect;C:\Program Files (x86)\NTR global\NTRconnect\NTRconnect.exe [2010-2-11 403184]

R2 OberonGameConsoleService;Oberon Media Game Console service;C:\Program Files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe [2009-10-28 44312]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-2-1 583640]

R2 Updater Service;Updater Service;C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-10-28 240160]

R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 157264]

R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]

R3 NTRvdd;NTRvdd;C:\Windows\System32\drivers\NTRvdd.sys [2010-12-12 28216]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2009-10-28 83488]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxeaserv.exe [2010-10-26 45736]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-2-13 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]

S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-14 27136]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-28 1255736]

.

=============== Created Last 30 ================

.

2011-05-03 06:47:38 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{390F89BD-851B-4FE9-96A6-D0C736EE2C70}

2011-05-02 16:51:20 -------- d-----w- C:\Program Files (x86)\ESET

2011-05-02 16:29:41 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{6D02BC31-911A-4792-9DE9-1CAE7903973B}

2011-05-01 18:01:33 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{79674D28-82CB-40BA-AF9F-245C3C3380DF}

2011-04-30 06:19:55 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{01A06640-624F-41BD-A844-FA8B5ADC1561}

2011-04-28 16:58:57 -------- d-----w- C:\Users\ELTEL~1\AppData\Roaming\SUPERAntiSpyware.com

2011-04-28 16:58:57 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com

2011-04-28 16:58:47 -------- d-----w- C:\PROGRA~3\!SASCORE

2011-04-28 16:58:45 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-04-28 13:07:25 388096 ----a-r- C:\Users\ELTEL~1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-04-28 10:23:22 -------- d-----w- C:\Users\ELTEL~1\AppData\Roaming\Malwarebytes

2011-04-28 10:23:17 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-04-28 10:23:16 -------- d-----w- C:\PROGRA~3\Malwarebytes

2011-04-28 10:23:13 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-04-28 10:23:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-04-28 09:38:13 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{1D3A2E4C-179E-4169-A2EA-6F77D38D8E6A}

2011-04-27 13:39:18 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{53C3A166-C5F7-4053-9D42-B6EE70ABEECC}

2011-04-27 12:53:44 2870272 ----a-w- C:\Windows\explorer.exe

2011-04-27 12:53:42 2614784 ----a-w- C:\Windows\SysWow64\explorer.exe

2011-04-27 12:51:30 662528 ----a-w- C:\Windows\System32\XpsPrint.dll

2011-04-27 12:51:30 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2011-04-27 12:50:09 2566144 ----a-w- C:\Windows\System32\esent.dll

2011-04-27 12:50:09 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2011-04-27 12:50:08 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys

2011-04-27 12:50:08 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys

2011-04-27 12:50:08 187264 ----a-w- C:\Windows\System32\drivers\storport.sys

2011-04-27 12:50:08 1686016 ----a-w- C:\Windows\SysWow64\esent.dll

2011-04-27 12:50:08 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys

2011-04-27 12:50:08 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys

2011-04-27 12:50:08 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys

2011-04-27 12:50:07 96768 ----a-w- C:\Windows\System32\fsutil.exe

2011-04-27 12:50:07 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe

2011-04-27 12:48:25 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe

2011-04-27 12:48:25 31232 ----a-w- C:\Windows\System32\prevhost.exe

2011-04-27 12:32:16 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{92C0150D-F102-47D8-84E4-7CE651F01DB1}

2011-04-26 21:12:14 -------- d-----w- C:\Program Files (x86)\Trend Micro

2011-04-26 21:07:38 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{58E61256-2807-4F73-84F9-F52220B7FD4D}

2011-04-26 20:41:01 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\Google

2011-04-14 10:40:02 32592 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\np_gp.dll

2011-04-14 10:27:46 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{0FF0A447-8A59-4320-A5BF-14D41D3675BD}

2011-04-14 05:52:57 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-04-14 02:39:02 103864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-04-14 02:39:02 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

2011-04-13 10:54:35 -------- d-----w- C:\Users\ELTEL~1\AppData\Local\{6AE3DC88-D390-4262-A384-7FB20B8BDF7C}

.

==================== Find3M ====================

.

2011-04-14 04:07:59 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll

2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll

2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll

2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-03-04 06:17:25 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2011-03-04 06:17:24 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll

2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe

2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe

2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys

2011-02-24 06:30:00 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll

2011-02-24 06:29:15 1197056 ----a-w- C:\Windows\System32\wininet.dll

2011-02-24 06:24:57 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2011-02-24 05:32:52 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll

2011-02-24 05:30:16 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2011-02-24 05:05:13 482816 ----a-w- C:\Windows\System32\html.iec

2011-02-24 04:24:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-02-24 04:23:48 386048 ----a-w- C:\Windows\SysWow64\html.iec

2011-02-24 03:50:26 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-02-23 05:16:28 461312 ----a-w- C:\Windows\System32\drivers\srv.sys

2011-02-23 05:16:01 401920 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-02-23 05:15:50 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2011-02-23 05:15:27 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys

2011-02-23 05:15:14 286720 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys

2011-02-23 05:15:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys

2011-02-23 05:15:06 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys

2011-02-19 06:37:44 1135104 ----a-w- C:\Windows\System32\FntCache.dll

2011-02-19 06:37:10 1540608 ----a-w- C:\Windows\System32\DWrite.dll

2011-02-19 06:36:49 902656 ----a-w- C:\Windows\System32\d2d1.dll

2011-02-19 06:36:13 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll

2011-02-19 05:32:35 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2011-02-19 05:32:08 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-02-19 04:13:39 367104 ----a-w- C:\Windows\System32\atmfd.dll

2011-02-19 03:37:02 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-02-18 06:37:05 612352 ----a-w- C:\Windows\System32\vbscript.dll

2011-02-18 05:36:26 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll

2011-02-12 06:14:41 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe

2011-02-05 12:41:43 556928 ----a-w- C:\Windows\System32\winresume.efi

2011-02-05 12:41:35 640896 ----a-w- C:\Windows\System32\winload.efi

2011-02-05 12:41:24 20352 ----a-w- C:\Windows\System32\kdusb.dll

2011-02-05 12:41:24 19328 ----a-w- C:\Windows\System32\kd1394.dll

2011-02-05 12:41:23 17792 ----a-w- C:\Windows\System32\kdcom.dll

2011-02-05 12:39:21 603976 ----a-w- C:\Windows\System32\winload.exe

2011-02-05 12:39:21 518160 ----a-w- C:\Windows\System32\winresume.exe

.

============= FINISH: 19:35:34.40 ===============


.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 07/02/2010 13:25:37

System Uptime: 03/05/2011 19:21:49 (0 hours ago)

.

Motherboard: Packard Bell | | WMCP78M

Processor: AMD Athlon™ II X3 425 Processor | Socket AM2 | 2700/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 143 GiB total, 103.107 GiB free.

D: is FIXED (NTFS) - 143 GiB total, 142.686 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP81: 27/04/2011 13:34:06 - Restore Operation

RP82: 27/04/2011 13:41:37 - Windows Update

RP83: 27/04/2011 14:24:33 - Adobe AVG Up Dated All Looking Well So Far

RP84: 27/04/2011 14:55:16 - All Looks OK Auto Up Dates ON AVG Up Dated

RP85: 27/04/2011 14:56:02 - Windows Update

RP86: 27/04/2011 15:37:20 - All Up Date Sorted All Looking Well

RP87: 28/04/2011 14:07:05 - Installed HiJackThis

RP88: 02/05/2011 20:24:24 - Re-Boot OK after a Clean Start

RP89: 03/05/2011 19:28:32 - Installed Java™ 6 Update 25

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

2007 Microsoft Office Suite Service Pack 2 (SP2)

ABBYY FineReader 6.0 Sprint

Acrobat.com

Adobe AIR

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop Elements 7.0

Adobe Reader 9.4.4 MUI

Adobe Shockwave Player 11.5

Advertising Center

Alice Greenfingers

Amazonia

Aspell English Dictionary-0.50-2

Block Porn(remove only)

Chicken Invaders 2

CM4

Compatibility Pack for the 2007 Office system

D3DX10

Dairy Dash

Dream Day First Home

EAX Unified

eBay Worldwide

Expenses for Ministry

Farm Frenzy 2

First Class Flurry

GNU Aspell 0.50-3

Granny In Paradise

greenstreet Draw 3.0

greenstreet Publisher 3.13

greenstreet Utilities

Heroes of Hellas

HiJackThis

Identity Card

ieSpell

ImagXpress

Java Auto Updater

Java™ 6 Update 25

Junk Mail filter update

Lexmark Printable Web

Lexmark Toolbar

Lexmark Tools for Office

Malwarebytes' Anti-Malware

Merriam Websters Spell Jam

Metaboli

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office Live Add-in 1.3

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2007

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works

Mozilla Firefox (3.6.10)

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero 9 Essentials

Nero ControlCenter

Nero DiscSpeed

Nero DiscSpeed Help

Nero DriveSpeed

Nero DriveSpeed Help

Nero Express Help

Nero InfoTool

Nero InfoTool Help

Nero Installer

Nero Online Upgrade

Nero StartSmart

Nero StartSmart Help

Nero StartSmart OEM

NeroExpress

neroxml

Notepad++

NTRConnect

NVIDIA ForceWare Network Access Manager

Packard Bell GameZone Console

Packard Bell InfoCentre

Packard Bell Recovery Management

Packard Bell Registration

Packard Bell ScreenSaver

Packard Bell Software Suite SE

Packard Bell Updater

Play Disney's Tigger's Honey Hunt

Puppy Luv A New Breed

QuickTime

Realtek High Definition Audio Driver

Registry Mechanic 10.0

Search for the Secret Keys

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2466156)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft Office Excel 2007 (KB2464583)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2464594)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Update for 2007 Microsoft Office System (KB2284654)

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Visual C++ 8.0 Runtime Setup Package (x64)

Visual Studio 2008 x64 Redistributables

Welcome Center

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinPatrol

.

==== Event Viewer Messages From Past Week ========

.

29/04/2011 21:54:11, Error: Microsoft-Windows-WMPNSS-Service [14365] - Proximity detection failed due to unknown error '0x80004004'. The best proximity time detected was -1 milliseconds.

28/04/2011 16:23:48, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D3DCB472-7261-43CE-924B-0704BD730D5F} and APPID {D3DCB472-7261-43CE-924B-0704BD730D5F} to the user dixon-PC\El Tel SID (S-1-5-21-909527836-1280678326-320050609-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

28/04/2011 16:23:48, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {145B4335-FE2A-4927-A040-7C35AD3180EF} and APPID {145B4335-FE2A-4927-A040-7C35AD3180EF} to the user dixon-PC\El Tel SID (S-1-5-21-909527836-1280678326-320050609-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

27/04/2011 11:12:07, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB982018).

27/04/2011 11:02:51, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB2522422).

27/04/2011 11:02:51, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB2515325).

27/04/2011 11:02:51, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800705b4: Update for Windows 7 for x64-based Systems (KB2492386).

03/05/2011 19:22:27, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxeaCATSCustConnectService service to connect.

03/05/2011 19:22:27, Error: Service Control Manager [7000] - The lxeaCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

.

==== End Of File ===========================

 

 

 

I note there are some Windows Update errors that I need to sort out.

 

 

Regards

 

El Tel

 

Edit: Typos

Edited by El Tel


Looking good.

 

None of the errors are current (last few days). See if you can update OK now.


Hi Tom K

 

As it is my brother-in-law's PC and I was connected up remotely, I have left him to see how it is performing.

 

I will do / try the Windows Update errors first thing in the morning.

 

Many Thanks for all your help so far :tup: you are a :sparkle: man.

 

Regards

 

El Tel


Hi Tom K

 

 

Windows updated OK. When checking the history of all updates, most of the errors were old, a few from last year. None have been hidden and I couldn't see a way to try to re-install them. Perhaps they got sorted out with the ones that were successful.

 

Now for the Internet Explorer 9 update: I've left that with him for when he gets back home. My sister's laptop has Windows 7, which I have just updated; just waiting for their verdict on the way it works.

I personally HATE it from what I've seen and used by remote access. I'm glad :laughing: that the new version is not available to me on XP.

 

 

There are still two problems, and I will start a new topic if they can't be sorted here. Below are screenshots.

 

This one is the entry highlighted in blue:

 

Posted Image

 

While this one is to do with auto signing in to My MSN UK... (This one is also on one of my own PCs, but it comes and goes from time to time without any interference from me and with no settings altered.) Both my sister's laptop and my brother-in-law's PC used to sign in with no problem.

 

Posted Image

 

Not sure if these are related to any updates or something that has been added by mistake.

 

 

Regards

 

El Tel


As I don't have anything newer than XP, I've been unable to try IE9. However, I've heard good things about it.

 

For your add-on issue... Please right click on that entry and select More Information. Then click on the Copy button. Then come back here, click in the reply window and select Paste.

 

For MSN, I believe that what happened was when we cleaned out temp files, your cookies for remembering you were flushed. When you sign in, be sure to click the little box that tells it to remember you... and the cookie should be restored.


Hi Tom K

 

 

Name: 网址大全 ("website directory"; pasted as the mojibake "ÍøÖ·´óÈ«", the name's GBK bytes shown as Windows-1252)

Publisher: Not Available

Type: Browser Extension

Version: Not available

File date:

Date last accessed: ‎04 ‎May ‎2011, ‏‎09:22

Class ID: {C18CB140-0BBB-11D4-8FE8-0088CC102438}

Use count: 1660

Block count: 47

File: Not available

Folder: Not available

 

 

On the sign-in in question there is only a "Continue" button, nothing that says :mrsgreen: "remember me" to tick.

Some more information that I managed to get out of him was that when he was out of the room his daughter, with permission, did use his PC to check her mail; there were two sets of sign-in details, of which his daughter's was deleted, leaving his details as in the image.

I did remind him that there is a "Guest" account for this purpose, but that somehow got forgotten.

 

 

Regards

 

El Tel


In the picture you provided.. it says "You're already signed in". He needs to sign out.. and then when he tries to sign in he should get the "remember me" button.

 

The entry you pointed out is part of a backdoor trojan. It doesn't show in the logs. Either it is a remnant somehow, or the machine is re-infected.

 

Let's run a different tool.

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html

     

  • Double click on ComboFix.exe & follow the prompts.

     

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

     

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

 

Posted Image

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

Posted Image

 

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

 

Notes:

 

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

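The add-on details pasted a few posts up (name, publisher, CLSID, file, folder) are what IE's Manage Add-ons "More Information" dialog copies to the clipboard, and the name came through as mojibake because a GBK-encoded string was rendered as Windows-1252. The script below is an added example, not part of the thread or of any tool named in it: it parses that pasted text, recovers the real name by reversing the mojibake, notes what a helper would flag (no publisher, file or folder behind the CLSID; a non-zero block count), and prints the registry keys to inspect for that CLSID. The sample text is reconstructed from the post; the registry paths are the standard Browser Helper Object and COM server locations on 64-bit Windows and are not taken from the thread. The function names are the example's own, and the script does not touch the registry itself, so it runs anywhere.

```python
import re

# Constructed sample: the IE "More Information" text from the post, reproduced
# in shape. The Name line is the add-on's GBK-encoded name as IE rendered it
# when the bytes were read as Windows-1252 (mojibake).
SAMPLE_ADDON_INFO = """\
Name: ÍøÖ·´óÈ«
Publisher: Not Available
Type: Browser Extension
Version: Not available
File date:
Date last accessed: 04 May 2011, 09:22
Class ID: {C18CB140-0BBB-11D4-8FE8-0088CC102438}
Use count: 1660
Block count: 47
File: Not available
Folder: Not available
"""

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Standard registry locations (assumed, not taken from the thread) where a
# Browser Helper Object and its COM server are registered on 64-bit Windows 7.
# The default IE there is the 32-bit one, so the Wow6432Node views usually
# hold the live entry.
BHO_KEY_TEMPLATES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
    r"HKCR\CLSID\{clsid}\InprocServer32",
    r"HKCR\Wow6432Node\CLSID\{clsid}\InprocServer32",
)


def parse_addon_info(text):
    """Split the dialog's 'Key: value' lines into a dict with lower-cased keys."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info


def undo_mojibake(name, shown_as="cp1252", really="gbk"):
    """Recover a name whose multi-byte text was displayed in a single-byte code
    page. The result is accepted only when the input is entirely non-ASCII and
    the decoded text is CJK, so a Latin name such as 'Müller' is left alone
    (its bytes 0xFC 0x6C would otherwise decode as a valid GBK pair)."""
    if not name or any(ord(c) < 0x80 for c in name):
        return name
    try:
        decoded = name.encode(shown_as).decode(really)
    except UnicodeError:
        return name
    if all("\u4e00" <= c <= "\u9fff" for c in decoded):
        return decoded
    return name


def registry_keys_for(clsid):
    """Keys to inspect with 'reg query' (and delete once confirmed) for a CLSID."""
    return [t.format(clsid=clsid) for t in BHO_KEY_TEMPLATES]


def review_addon(text):
    """Parse the pasted text and return (info, findings, keys): the fields, the
    points a helper would raise about the entry, and the registry keys to check
    by hand."""
    info = parse_addon_info(text)
    findings = []

    name = info.get("name", "")
    real_name = undo_mojibake(name)
    if real_name != name:
        info["name (decoded)"] = real_name
        findings.append(f"name is mojibake; decodes from GBK as {real_name!r}")

    clsid = info.get("class id", "")
    if not CLSID_RE.match(clsid):
        findings.append("no well-formed CLSID, so the component cannot be located")
        return info, findings, []

    missing = [k for k in ("publisher", "version", "file", "folder")
               if info.get(k, "").lower().startswith("not avail")]
    if missing:
        findings.append("no " + "/".join(missing)
                        + ": IE found no loadable, signed DLL behind this CLSID "
                        "(a dangling registration left after a removal looks like this)")

    blocked = info.get("block count", "0")
    if blocked.isdigit() and int(blocked) > 0:
        findings.append(f"block count {blocked} (times IE stopped it loading), "
                        f"use count {info.get('use count', '?')}; it is still registered")

    return info, findings, registry_keys_for(clsid)


if __name__ == "__main__":
    parsed, notes, keys = review_addon(SAMPLE_ADDON_INFO)
    print("CLSID:", parsed["class id"])
    for note in notes:
        print("-", note)
    print("Registry keys to query:")
    for key in keys:
        print("  ", key)
```

Run it as-is to see the sample reviewed, or paste a different "More Information" block into the string. The decoding step is the general trick for any name that looks like a run of accented Latin characters with no spaces: re-encode it in the code page it was displayed in and decode it in the code page it was written in; if the round trip fails or the result is not CJK, the name was genuine Latin text and is returned unchanged.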

Hi Tom K

 

:blushing:

 

In the picture you provided.. it says "You're already signed in". He needs to sign out.. and then when he tries to sign in he should get the "remember me" button.

Well spotted :laughing: I need to get stronger :rolleyes: glasses.

 

 

please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

I note this will disconnect me from their PC. Umm... I think I will wait until I can get to my sister's in the morning; I fancy one of her "Mega Full English Fry Ups".

 

Regards

 

El Tel


Hi Tom K

 

I didn't make it for the full English Breakfast, something cropped up.

 

 

Had a bit of trouble disabling AVG, but sorted it.

 

 

ComboFix 11-05-05.04 - El Tel 06/05/2011 16:02:36.1.3 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2815.1645 [GMT 1:00]

Running from: c:\users\El Tel\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\FullRemove.exe

C:\readme.txt

c:\users\dixon\AppData\Roaming\.#

.

.

((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))

.

.

2011-05-06 15:08 . 2011-05-06 15:08 -------- d-----w- c:\users\Guest\AppData\Local\temp

2011-05-06 15:08 . 2011-05-06 15:08 -------- d-----w- c:\users\Dust Bin Lids\AppData\Local\temp

2011-05-06 14:59 . 2011-05-06 14:59 -------- d-----w- C:\32788R22FWJFW

2011-05-06 14:07 . 2011-05-06 14:07 -------- d-----w- c:\users\El Tel\AppData\Local\{1380B545-9C36-44D8-8922-EE0BFABC2992}

2011-05-06 08:25 . 2011-05-06 08:25 -------- d-----w- c:\users\El Tel\AppData\Local\{BB66765B-C928-463B-B94D-A1DB2B832FC1}

2011-05-05 20:52 . 2011-05-05 20:52 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{30F530A4-80FE-42FF-A785-F9D801EB4CB1}

2011-05-05 12:19 . 2011-05-05 12:19 -------- d-----w- c:\users\Guest\Tracing

2011-05-05 07:14 . 2011-05-05 07:15 -------- d-----w- c:\users\El Tel\AppData\Local\{EB8B75B4-AF3C-45AB-BD99-85F9DA5F1A97}

2011-05-05 05:33 . 2011-05-05 05:33 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{677CAFA1-6F4F-4AE1-A01F-24F581976957}

2011-05-04 15:34 . 2011-05-04 15:34 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{F2ED5762-44AE-45C5-9A24-810F668091EA}

2011-05-04 07:02 . 2011-05-04 07:02 -------- d-----w- c:\windows\system32\SPReview

2011-05-04 07:01 . 2011-05-04 07:01 -------- d-----w- c:\windows\system32\EventProviders

2011-05-04 06:59 . 2010-11-05 01:57 48976 ----a-w- c:\windows\system32\netfxperf.dll

2011-05-04 06:59 . 2010-11-05 01:57 1942856 ----a-w- c:\windows\system32\dfshim.dll

2011-05-04 06:57 . 2010-11-20 13:33 140672 ----a-w- c:\windows\system32\drivers\msdsm.sys

2011-05-04 06:56 . 2010-11-20 13:27 10240 ----a-w- c:\windows\system32\rdpcfgex.dll

2011-05-04 06:52 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll

2011-05-04 06:52 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll

2011-05-04 06:52 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll

2011-05-04 06:52 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll

2011-05-04 06:52 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe

2011-05-04 06:51 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll

2011-05-04 06:51 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll

2011-05-04 06:49 . 2011-05-04 06:49 -------- d-----w- c:\users\El Tel\AppData\Local\{93C35592-558D-43C5-ADA5-19DEAB9572C9}

2011-05-04 06:36 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2011-05-04 06:36 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2011-05-04 06:36 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-05-04 06:36 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2011-05-04 03:33 . 2011-05-04 03:33 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{B7232148-B27C-47E6-B4DB-B4AAEF7FBDA3}

2011-05-03 18:48 . 2011-05-03 18:48 -------- d-----w- c:\users\El Tel\AppData\Local\{EDCAC1B1-4845-463B-BCF6-E31554C1D1A1}

2011-05-03 18:30 . 2011-05-03 18:30 -------- d-----w- c:\program files (x86)\Common Files\Java

2011-05-03 13:27 . 2011-05-03 13:27 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{70A80498-A3DF-4317-8813-0F50B641BE41}

2011-05-03 06:47 . 2011-05-03 06:48 -------- d-----w- c:\users\El Tel\AppData\Local\{390F89BD-851B-4FE9-96A6-D0C736EE2C70}

2011-05-02 19:29 . 2011-05-02 19:29 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{63EBF81C-9FEF-4630-802C-1EFB42CF6D89}

2011-05-02 16:51 . 2011-05-02 16:51 -------- d-----w- c:\program files (x86)\ESET

2011-05-02 16:29 . 2011-05-02 16:29 -------- d-----w- c:\users\El Tel\AppData\Local\{6D02BC31-911A-4792-9DE9-1CAE7903973B}

2011-05-02 07:17 . 2011-05-02 07:17 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{EC9599F3-4C0B-4554-A05F-EA2E1F21D399}

2011-05-01 18:01 . 2011-05-01 18:01 -------- d-----w- c:\users\El Tel\AppData\Local\{79674D28-82CB-40BA-AF9F-245C3C3380DF}

2011-05-01 16:30 . 2011-05-01 16:30 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{F47B8C8D-1A57-4BB3-A4F0-E128FA88CA61}

2011-05-01 04:29 . 2011-05-01 04:29 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{F571DA48-F5B5-4B65-B82A-0898A2807F92}

2011-04-30 10:48 . 2011-04-30 10:48 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{4493BB22-E400-4928-93F0-2FD0C12F2CDE}

2011-04-30 06:19 . 2011-04-30 06:20 -------- d-----w- c:\users\El Tel\AppData\Local\{01A06640-624F-41BD-A844-FA8B5ADC1561}

2011-04-29 19:08 . 2011-04-29 19:08 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{AD4BDAE0-265A-48A4-8A55-F24976C35057}

2011-04-29 07:07 . 2011-04-29 07:07 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{33562C3C-EF80-4269-A1C4-FB34DB92B787}

2011-04-28 19:06 . 2011-04-28 19:06 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{6611D1A0-A691-44F7-8F81-8E5A96EEC2E1}

2011-04-28 16:58 . 2011-04-28 16:58 -------- d-----w- c:\users\El Tel\AppData\Roaming\SUPERAntiSpyware.com

2011-04-28 16:58 . 2011-04-28 16:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-04-28 16:58 . 2011-04-28 16:58 -------- d-----w- c:\programdata\!SASCORE

2011-04-28 16:58 . 2011-04-28 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-28 13:07 . 2011-04-28 13:07 388096 ----a-r- c:\users\El Tel\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-04-28 10:23 . 2011-04-28 10:23 -------- d-----w- c:\users\El Tel\AppData\Roaming\Malwarebytes

2011-04-28 10:23 . 2010-12-20 17:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-04-28 10:23 . 2011-04-28 10:23 -------- d-----w- c:\programdata\Malwarebytes

2011-04-28 10:23 . 2011-04-28 10:23 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-04-28 10:23 . 2010-12-20 17:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-28 09:38 . 2011-04-28 09:38 -------- d-----w- c:\users\El Tel\AppData\Local\{1D3A2E4C-179E-4169-A2EA-6F77D38D8E6A}

2011-04-28 04:05 . 2011-04-28 04:05 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{2B3913DA-435E-4667-92B3-EB63121C4795}

2011-04-27 13:39 . 2011-04-27 13:39 -------- d-----w- c:\users\El Tel\AppData\Local\{53C3A166-C5F7-4053-9D42-B6EE70ABEECC}

2011-04-27 12:53 . 2011-02-25 06:19 2871808 ----a-w- c:\windows\explorer.exe

2011-04-27 12:53 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\SysWow64\explorer.exe

2011-04-27 12:51 . 2011-03-12 12:08 1465344 ----a-w- c:\windows\system32\XpsPrint.dll

2011-04-27 12:51 . 2011-03-12 11:23 870912 ----a-w- c:\windows\SysWow64\XpsPrint.dll

2011-04-27 12:50 . 2011-03-11 06:41 1659776 ----a-w- c:\windows\system32\drivers\ntfs.sys

2011-04-27 12:50 . 2011-03-11 06:33 2565632 ----a-w- c:\windows\system32\esent.dll

2011-04-27 12:50 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\SysWow64\esent.dll

2011-04-27 12:50 . 2011-03-11 06:41 189824 ----a-w- c:\windows\system32\drivers\storport.sys

2011-04-27 12:50 . 2011-03-11 06:41 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys

2011-04-27 12:50 . 2011-03-11 06:41 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys

2011-04-27 12:50 . 2011-03-11 06:41 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2011-04-27 12:50 . 2011-03-11 06:41 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys

2011-04-27 12:50 . 2011-03-11 06:41 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys

2011-04-27 12:50 . 2011-03-11 06:30 96768 ----a-w- c:\windows\system32\fsutil.exe

2011-04-27 12:50 . 2011-03-11 05:31 74240 ----a-w- c:\windows\SysWow64\fsutil.exe

2011-04-27 12:48 . 2011-02-18 10:51 31232 ----a-w- c:\windows\system32\prevhost.exe

2011-04-27 12:48 . 2011-02-18 05:39 31232 ----a-w- c:\windows\SysWow64\prevhost.exe

2011-04-27 12:43 . 2011-04-27 12:43 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{93B50A45-BDC5-4C38-9DDC-F5C58FADE0F3}

2011-04-27 12:32 . 2011-04-27 12:32 -------- d-----w- c:\users\El Tel\AppData\Local\{92C0150D-F102-47D8-84E4-7CE651F01DB1}

2011-04-27 10:27 . 2011-04-27 10:27 -------- d-----w- c:\users\dixon\AppData\Local\{6F757B46-2F14-4F67-986C-0590E2158D86}

2011-04-27 06:47 . 2011-04-27 06:47 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{922AD605-7D19-4291-8384-743E6C8F1C0E}

2011-04-26 21:12 . 2011-04-26 21:12 -------- d-----w- c:\program files (x86)\Trend Micro

2011-04-26 21:07 . 2011-04-26 21:08 -------- d-----w- c:\users\El Tel\AppData\Local\{58E61256-2807-4F73-84F9-F52220B7FD4D}

2011-04-26 20:41 . 2011-04-26 20:41 -------- d-----w- c:\users\El Tel\AppData\Local\Google

2011-04-26 17:57 . 2011-04-26 17:57 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{7ED5C301-021F-4AED-88FD-1881FC8521D7}

2011-04-25 22:00 . 2011-04-25 22:00 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{530E41C2-52BC-4D8B-9418-A2EB8CDB79BD}

2011-04-25 08:00 . 2011-04-25 08:00 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{EB6D8A39-5A8F-427F-A4A0-D1EB42FF9D1A}

2011-04-24 19:59 . 2011-04-24 19:59 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{0B02D848-2B2C-41CC-88BB-F49FEB547516}

2011-04-24 04:07 . 2011-04-24 04:07 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{B3D46CB4-EFBA-4362-A3A7-8A2AF575599D}

2011-04-23 14:10 . 2011-04-23 14:10 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{9A9679E3-7F27-4691-8A15-49C26BF1574C}

2011-04-22 19:57 . 2011-04-22 19:58 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{40B54645-9BD3-4DA0-AEEE-FC37E72B1EB0}

2011-04-22 07:56 . 2011-04-22 07:57 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{8F5AB6E3-B395-4844-9CB9-6432A1FB5BE5}

2011-04-21 19:56 . 2011-04-21 19:56 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{F453E030-890F-41C1-9B6D-1431ECCC7F78}

2011-04-21 18:02 . 2011-04-27 10:28 -------- d-----w- c:\users\dixon\AppData\Local\Windows Live

2011-04-21 18:02 . 2011-04-21 18:02 -------- d-----w- c:\users\dixon\AppData\Local\{73714353-AEC5-4F8A-969B-B9A605C80A66}

2011-04-21 07:55 . 2011-04-21 07:55 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{71CAC62D-0D29-48B0-9915-AF04CE647D98}

2011-04-20 19:54 . 2011-04-20 19:54 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{2F104B97-890D-46D1-8743-CD2637592E5A}

2011-04-20 07:53 . 2011-04-20 07:54 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{F1255C71-7853-4E86-B8B8-02653E5C24E2}

2011-04-19 19:17 . 2011-04-19 19:17 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{B6FE9061-6920-42FF-BC76-FCAADFEFCBE2}

2011-04-19 12:10 . 2011-05-05 20:52 -------- d-----r- c:\users\Bryn Limited\Dropbox

2011-04-19 12:08 . 2011-05-05 20:52 -------- d-----w- c:\users\Bryn Limited\AppData\Roaming\Dropbox

2011-04-19 05:57 . 2011-04-19 05:57 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{9CE2A4E7-482F-4405-9317-57F959A4C3B3}

2011-04-18 17:56 . 2011-04-18 17:56 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{15E6CE74-7EA6-4EC2-8EAF-D23757BC737A}

2011-04-18 05:55 . 2011-04-18 05:55 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{5E2AB35F-F569-49D6-A3C6-C5D8AC471C47}

2011-04-17 17:54 . 2011-04-17 17:55 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{505FC396-7D4C-4927-9CD4-D7B5A4FC3972}

2011-04-17 05:53 . 2011-04-17 05:54 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{3F906FB2-8DC4-47F3-8557-A1C944035CB7}

2011-04-16 17:53 . 2011-04-16 17:53 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{EA2DF3C8-4E7E-41A6-AA8C-E1C0838717CE}

2011-04-16 05:35 . 2011-04-16 05:35 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{1951A8BD-C11C-41BD-B037-57D6194DC2F6}

2011-04-15 11:33 . 2011-04-15 11:34 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{5C36293D-7F72-4603-886A-ACC5D9C07547}

2011-04-14 23:33 . 2011-04-14 23:33 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{C6A2FE62-9E98-4CF9-96AB-2DF73B77EF20}

2011-04-14 10:40 . 2011-03-01 08:57 32592 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\np_gp.dll

2011-04-14 10:39 . 2011-04-27 13:38 -------- d-----w- c:\programdata\NOS

2011-04-14 10:39 . 2011-04-27 12:38 -------- d-----w- c:\program files (x86)\NOS

2011-04-14 10:27 . 2011-04-14 10:27 -------- d-----w- c:\users\El Tel\AppData\Local\{0FF0A447-8A59-4320-A5BF-14D41D3675BD}

2011-04-14 09:58 . 2011-04-14 09:59 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{D3BFFD55-09EA-42B1-B5B2-705CA159A77C}

2011-04-14 05:52 . 2011-03-03 06:24 183296 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2011-04-13 20:46 . 2011-04-13 20:46 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{EDD78E7D-53A9-4556-91DA-DAA6500787F5}

2011-04-13 10:54 . 2011-04-13 10:54 -------- d-----w- c:\users\El Tel\AppData\Local\{6AE3DC88-D390-4262-A384-7FB20B8BDF7C}

2011-04-12 20:49 . 2011-04-12 20:50 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{5EE291C7-A8F2-4506-92C6-466D51C3D00A}

2011-04-11 20:57 . 2011-04-11 20:57 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{668E0582-ED75-4D67-9350-C6723A5A40B2}

2011-04-11 06:26 . 2011-04-11 06:26 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{3FA90C10-37A4-4411-B05B-9044C061E2BE}

2011-04-10 18:25 . 2011-04-10 18:25 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{34D756A8-457C-4D26-8470-1B205BA1C728}

2011-04-10 06:24 . 2011-04-10 06:25 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{9A70EEE8-8AAD-4938-8DD6-5A41AEE125B9}

2011-04-09 17:56 . 2011-04-09 17:56 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{2B30C600-AA07-4F06-AF61-83364FAE3D6A}

2011-04-09 05:55 . 2011-04-09 05:55 -------- d-----w- c:\users\Bryn Limited\AppData\Local\{1DFF729C-A644-4F74-80FB-E38AE9A2D0E5}

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-04 07:23 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2011-05-04 07:23 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2011-04-14 04:07 . 2010-10-15 19:08 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-03-09 04:54 . 2010-06-24 11:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-03-04 06:19 . 2011-04-27 12:51 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2011-03-04 06:19 . 2011-04-27 12:51 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2011-02-19 12:05 . 2011-03-09 04:58 1139200 ----a-w- c:\windows\system32\FntCache.dll

2011-02-19 12:04 . 2011-03-09 04:58 1544192 ----a-w- c:\windows\system32\DWrite.dll

2011-02-19 12:04 . 2011-03-09 04:58 902656 ----a-w- c:\windows\system32\d2d1.dll

2011-02-19 06:30 . 2011-03-09 04:58 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll

2011-02-19 06:30 . 2011-03-09 04:58 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2010-06-12 98304]

"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SSDMonitor"="c:\program files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-08-05 104408]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

.

c:\users\Bryn Limited\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\El Tel\AppData\Roaming\Dropbox\bin\Dropbox.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [x]

R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [x]

R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxeaserv.exe [2010-04-14 45736]

R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]

R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]

R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]

R4 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]

S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]

S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-12-08 169312]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 Greg_Service;GRegService;c:\program files (x86)\Packard Bell\Registration\GregHSRW.exe [2009-08-28 1150496]

S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [2010-01-07 1052328]

S2 ntrconnect;ntrconnect;c:\program files (x86)\NTR global\NTRconnect\NTRconnect.exe [2010-02-11 403184]

S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe [2009-08-29 44312]

S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]

S2 Updater Service;Updater Service;c:\program files\Packard Bell\Packard Bell Updater\UpdaterService.exe [2009-07-04 240160]

S3 NTRvdd;NTRvdd;c:\windows\system32\DRIVERS\NTRvdd.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-02 c:\windows\Tasks\RMSchedule.job

- c:\program files (x86)\Registry Mechanic\RegMech.exe [2011-02-01 08:46]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Bryn Limited\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Bryn Limited\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Bryn Limited\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Bryn Limited\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]

"lxeamon.exe"="c:\program files (x86)\Lexmark S300-S400 Series\lxeamon.exe" [2010-01-18 770728]

"EzPrint"="c:\program files (x86)\Lexmark S300-S400 Series\ezprint.exe" [2010-01-18 139944]

"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x1

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3210&r=173602101606p03d5v135y4923924n

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

LSP: %SYSTEMROOT%\system32\nvLsp.dll

DPF: {0FADB9AA-6955-4319-B538-BB1461E11A28} - hxxps://www.ntrconnect.com/main/mod/setup/beta/ntrplugin1242v_2.cab

FF - ProfilePath -

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

Toolbar-Locked - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-909527836-1280678326-320050609-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-909527836-1280678326-320050609-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-05-06 16:09:59

ComboFix-quarantined-files.txt 2011-05-06 15:09

.

Pre-Run: 111,113,003,008 bytes free

Post-Run: 111,166,251,008 bytes free

.

- - End Of File - - 25FD6340C66BA249C0A6CC0EFC539B91

 

 

Regards

 

El Tel


It appears it's just a leftover remnant... not currently active.

 

COMBOFIX-Script

 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

     

    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}]
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

     

    Posted Image

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Please also verify that things look correct on your end.


Hi Tom K

 

I had trouble posting my previous reply for whatever reason, so I came home. I have now run into the same problem I had while I was at my Sister's, with AVG being temporarily disabled, with this message:

 

Posted Image

Hence I've got the script on the desktop, but after it is dropped into ComboFix it runs for a short while and then disappears.

 

Regards

El Tel


AVG is a pain... let's do it differently.

 

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.

    (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

     

    :Processes
    
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}]
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Hi Tom K

 

Old Timer worked a dream; I did temporarily de-activate AVG. Peace of mind, I think.

 

 

All processes killed

========== PROCESSES ==========

========== REGISTRY ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\ not found.

========== FILES ==========

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

 

User: All Users

 

User: Bryn Limited

->Temp folder emptied: 258456 bytes

->Temporary Internet Files folder emptied: 144002497 bytes

->Java cache emptied: 16006643 bytes

->FireFox cache emptied: 23892532 bytes

->Flash cache emptied: 144015 bytes

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: dixon

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 21869908 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 1058 bytes

 

User: Dust Bin Lids

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 91872949 bytes

->Java cache emptied: 585091 bytes

->FireFox cache emptied: 66204599 bytes

->Flash cache emptied: 469724 bytes

 

User: El Tel

->Temp folder emptied: 16541028 bytes

->Temporary Internet Files folder emptied: 52708906 bytes

->Java cache emptied: 1 bytes

->Flash cache emptied: 2824 bytes

 

User: Guest

->Temp folder emptied: 1526 bytes

->Temporary Internet Files folder emptied: 55143959 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 2905 bytes

 

User: Public

->Temp folder emptied: 0 bytes

 

User: shirl

->Temp folder emptied: 0 bytes

 

User: shirley

->Temp folder emptied: 0 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 438816 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 71471 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67496 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 468.00 mb

 

 

OTM by OldTimer - Version 3.1.17.2 log created on 05072011_085355

 

Files moved on Reboot...

C:\Users\El Tel\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

 

Registry entries deleted on Reboot...

 

.....................................................................................................................

 

All re-booted fine, I still have control of his PC & my Sister's laptop.

 

Finger x'd

 

Once again you are a :sparkle: man

 

 

Regards

 

El Tel


Interesting enough... OTM says the entry was already gone. However, doesn't matter... the important thing is it's gone.

 

Alright then... let's clean up.

 

Log looks good :D

 

 

Time for some housekeeping

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Cleanup

 

  • Double click on OTM to run it.
  • Click on CleanUp!
  • When done, you will be prompted to restart your computer. Please restart your computer.

 

Please re-enable any security that was disabled.

 

 

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

 

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

 

I would also suggest you read this:

So how did I get infected in the first place?

by Tony Klein

 

 

Also: "How to prevent malware"

by miekiemoes

 

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved. :thumbup:


Hi Tom K

 

As before, I had an awful job un-installing ComboFix; it sure doesn't like AVG 2011 Free Version. In the end I had to un-install and then re-install AVG from the original download saved to disk. On re-installing I had some trouble with the Free Licence not being recognised; luckily I did a screen shot from the first time I installed it, and the Licence number had changed mysteriously. Um-mm, I have no answer for that at all. It plain refused to acknowledge it, and I therefore located a new AVG from "CNet Downloads" and tried that, with the exact same issue with the new licence number :pullhair: there appears to be two extra numbers added from somewhere.

 

4UY9X-NSVVL-O4BZQ-QIMCL-QTDCH

 

On installing above

 

Below after Installing

 

4UY9X-NSVVL-O4BZQ-QIMCL-QTDCH-4

 

Perhaps AVG leaves something in the registry on Un-installing :rolleyes: I don't know.

 

At some stage, not sure when, a pop-up asked if I wanted to turn on "Windows Defender", which was a new one on me, but I said yes at the time. It did a scan and I haven't seen it since :mrsgreen: I couldn't see an icon for it :unsure: either.

 

Old Timer worked like a dream in every way.

 

I've read "Preventing Malware", but the link for Tony Klein "nutnworks" was blocked by my on-line "DynDNS Dynamic Network Service" as Spyware? As it turned out, it was down to "Third Party Cookies", which don't get allowed on my PC; I do allow "Main and Session Cookies". No site should force you to allow Third Party Cookies, hence I didn't read it.

 

It was getting late, so I will have to wait until I can connect back up to sort out AVG. I did read that when I get AVG back up and running, Windows Defender would be turned off.

 

Regards

El Tel


Hi Tom K

 

That link worked a treat.

 

I can't seem to get around this AVG licence.

 

Posted Image

Clicking on fix doesn't sort it out either.

 

 

I did a manual scan to see if that worked.

When some 15 Min's into the scan this appeared

 

Posted Image

I have no idea where this came from, and my Brother-In-Law was a little vague. It does show up in Add/Remove Programs.

 

When the scan finished I moved to one side to check the results of the scan, then I closed the window.

 

Posted Image

I have not tried to un-install AVG again because it refused to when I ran into trouble with ComboFix. Is there an AVG complete removal tool? I'm thinking there is / was something left over when I got ComboFix to work prior to me re-installing AVG.

 

Here is the HijackThis log, and there seem to be several missing files:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 18:34:35, on 10/05/2011

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe

C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe

C:\Windows\vsnpstd3.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Users\El Tel\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files (x86)\QuickTime\qttask.exe

C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe

C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.pack...d5v135y4923924n

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

O4 - Startup: Dropbox.lnk = El Tel\AppData\Roaming\Dropbox\bin\Dropbox.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {0FADB9AA-6955-4319-B538-BB1461E11A28} (NTR Plugin 1.2.4.2) - https://www.ntrconne...ugin1242v_2.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - c:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: lxeaCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxeaserv.exe

O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NTRConnect (ntrconnect) - Unknown owner - C:\Program Files (x86)\NTR global\NTRconnect\NTRconnect.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: Oberon Media Game Console service (OberonGameConsoleService) - Unknown owner - C:\Program Files (x86)\Packard Bell GameZone\GameConsole\OberonGameConsoleService.exe

O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: Updater Service - Acer - C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

 

--

End of file - 12345 bytes

 

 

 

Regards

El Tel
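An added triage script for the "several missing files" question above; it is not part of the thread and not a HijackThis feature. It parses the O23 service lines (sample lines copied from the log above, plus one constructed "Example Updater" entry) and separates System32 "(file missing)" reports, which a 32-bit scanner on 64-bit Windows produces when its System32 lookup is redirected to SysWOW64, from entries that still need checking; that separation is the editor's heuristic, so anything it clears should be confirmed from a 64-bit shell.

```python
"""Triage the O23 (service) entries of a HijackThis log.

Added example, not HijackThis code.  The WoW64 rule in classify() is the
editor's heuristic: a 32-bit scanner that checks C:\Windows\System32\... on
x64 is redirected to SysWOW64, so native 64-bit services such as lsass.exe or
spoolsv.exe show as "(file missing)" although they are present and running.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log above, plus one
# made-up "Example Updater" entry so that the 'missing' bucket is exercised,
# and one O4 line to show that non-O23 lines are ignored.
SAMPLE_LOG = r"""O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe
O23 - Service: NTRConnect (ntrconnect) - Unknown owner - C:\Program Files (x86)\NTR global\NTRconnect\NTRconnect.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Program Files (x86)\Example\exupd.exe (file missing)
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
"""

MISSING = " (file missing)"
# '<display> - <owner> - <path>'.  The separator is written ' -\s*' rather
# than ' - ' because an empty owner appears as 'name - - path', where the two
# separators share one space.  The path must start with a drive letter or %.
O23 = re.compile(
    r"^O23 - Service: (?P<display>.*?) -\s*(?P<owner>.*?) -\s*"
    r"(?P<path>(?:[A-Za-z]:\\|%).*)$"
)
# Trailing '(short name)' on the display name, e.g. 'SAS Core Service (!SASCORE)'.
SHORT_NAME = re.compile(r"^(.*?)\s*\(([^()]+)\)$")


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    missing: bool


def parse_o23(line: str) -> Optional[Service]:
    """Parse one 'O23 - Service:' line; return None for any other line type."""
    m = O23.match(line.rstrip())
    if m is None:
        return None
    display, owner, path = m.group("display"), m.group("owner"), m.group("path")
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    short = display
    sm = SHORT_NAME.match(display)
    if sm:
        display, short = sm.group(1), sm.group(2)
    return Service(display, short, owner.strip(), path, missing)


def classify(svc: Service) -> str:
    """Bucket a service for manual review.

    ok             file present and a publisher is named
    wow64-missing  reported missing under \\Windows\\System32: usually the
                   32-bit-scanner redirection artefact described above
                   (editor's heuristic; confirm from a 64-bit shell)
    missing        reported missing anywhere else: check the disk and the
                   service's ImagePath before trusting it
    unknown-owner  file present but no publisher: check its signature
    """
    in_system32 = "\\windows\\system32\\" in svc.path.lower()
    if svc.missing:
        return "wow64-missing" if in_system32 else "missing"
    if svc.owner in ("", "Unknown owner"):
        return "unknown-owner"
    return "ok"


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group the short service names of a whole log by bucket, in log order."""
    buckets: Dict[str, List[str]] = {
        "ok": [], "wow64-missing": [], "missing": [], "unknown-owner": []
    }
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is not None:
            buckets[classify(svc)].append(svc.short)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_LOG).items():
        print(f"{bucket:14s} {', '.join(names) or '-'}")
```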
