# Potentially malicious or infected application says Bit Defender



## Cjreef (Aug 21, 2009)

I get the message:
"Bit Defender has blocked a potentially malicious or infected application"

The application apparently is part of the Microsoft Windows Operating System:
C:\Windows\System 32\svchost.exe

Bit Defender blocks it and I'm not sure I can allow it because of previous problems involving blue screens and stop errors. Dell support was unable to help me, as a matter of fact they made things worse by uninstalling a video adapter and then installing one meant for Vista on my XP laptop. So, I restored to a previous point and haven't seen a blue screen since but it's only been a week or so. I also uninstalled McAfee which came with the computer and installed Bit Defender which still has some life from the previous computer. That's when I started getting the above message. Neither McAfee nor Bit Defender found anything wrong with malware or spyware.
Normally, I would allow the program to run since you would think a new computer would not have a corrupted operating system, but because one of the techs at Dell suggested that that was the problem with my blue screens and the fact that I haven't been able to use the delete key since day one and that the delete key works in safe mode. According to him, 2/3 of the time it's due to spyware. They want me to restore the computer to its original day one status. It took me two days to get all my programs and stuff moved from the old computer, so I'm not really too anxious to start all over again unless I'm really sure that's what needs to be done. Can you tell I don't trust the Dell techs at this point?
I was told the same thing when I had problems getting all kinds of screens when typing certain keys, but I went on a chat with another tech who uninstalled and reinstalled the touchpad driver and everything was fine after that. I had been also told by another tech that it was a software problem and I had to call the fee based number. What a mess. I've had nothing but problems since day one.

If it helps any, the last time I got a blue screen here is what it said:

Check that there is adequate disk space
If driver is identified in the stop message disable driver
Try changing video adapters
Do a BIOS update
Disable BIOS memory options such as caching or shadowing
Technical info: *** STOP: 0x0000008E (0xE0000001, 0x99D72925, 0x9804944C, 0x00000000)
*** Watchdog.sys - address 99D72925 base 99D72000 Date stamp 480254ab

This last error occurred after I tried to play a video demo on the Samsung's website.

Hope you can help, thank you in advance.


----------



## perfume (Sep 13, 2008)

Dear Cjreef,
Welcome aboard! From your post it is apparent that you have two anti-virus programs running side by side! That's a *Real Big No!* If the BitDefender you have is the *2009* version, then keep it and delete McAfee! If *the BitDefender is the 2010 version, please remove it as it has an inbuilt "registry DESTROYER"* and keep McAfee! The minimum disk space required for (us) XP users is 200 MB!

I am posting below the message of another person who had a similar prob.: My computer, a Dell Dimension WinXP home edition, was working and suddenly a blue screen appeared with the following message:
A PROBLEM HAS BEEN DETECTED AND WINDOWS HAS BEEN SHUT DOWN TO PREVENT DAMAGE TO YOUR COMPUTER.

IF THIS IS THE FIRST TIME YOU'VE SEEN THIS "STOP ERROR" SCREEN, RESTART YOUR COMPUTER. IF THIS SCREEN APPEARS AGAIN, FOLLOW THESE STEPS:

CHECK TO BE SURE YOU HAVE ADEQUATE DISK SPACE. IF A DRIVER IS IDENTIFIED IN THE "STOP MESSAGE", DISABLE THE DRIVER OR CHECK WITH THE MANUFACTURER FOR DRIVER UPDATES. TRY CHANGING VIDEO ADAPTERS.

CHECK WITH YOUR HARDWARE VENDOR FOR ANY BIOS UPDATES. DISABLE BIOS MEMORY OPTIONS SUCH AS CACHING OR SHADOWING. IF YOU NEED TO USE SAFE MODE TO REMOVE OR DISABLE COMPONENTS, RESTART YOUR COMPUTER, PRESS F8 TO SELECT ADVANCED STARTUP OPTIONS, AND THEN SELECT SAFE MODE.

TECHNICAL INFORMATION:

*** STOP: 0X0000008E (0xC0000005,0x8053CF57,0xB158199C,0x00000000)

BEGINNING DUMP OF PHYSICAL MEMORY
PHYSICAL MEMORY DUMP COMPLETE.
CONTACT YOUR SYSTEM ADMINISTRATOR OR TECHNICAL SUPPORT GROUP FOR FURTHER ASSISTANCE.

I had no choice but to turn off the computer.

After I restart got "windows experienced a serious error", etc, and the following error message in one of those "send error reporting to Microsoft" options. I copied what was in the message and it is as follows:

Error signature:
BCCode: 10000008e BCP1: C0000005 BCP2: 8053cF57 BCP3:B158199C
BCP4:00000000 OSVer: 5_1_2600 SP: 1_0 Product: 768_1

REPORTING DETAILS: This error report includes: information regarding the condition of Microsoft Windows when the problem occurred, the operating system version and computer hardware in use, and the Internet Protocol (IP) address of your computer.


----------



## Cjreef (Aug 21, 2009)

Thanks for the reply. I did uninstall McAfee before installing Bit Defender, so there is no problem there.

Does anyone know what this svchost application is? I get the screen from Bit Defender every few minutes about it being potentially malicious or infected.


----------



## perfume (Sep 13, 2008)

Dear Cjreef,
The points below are taken from an article, the link to which I will provide at the end! 1) The easiest I can come up with for what svchost.exe is: "it is an underlying Windows component responsible for Windows services" (this is my copyright).

"The Svchost Viewer is a small application that lists all of the current svchost.exe instances, shows how much memory each one is using and what services are running beneath it" (this is not my copyright). I am providing below an excellent, must-read article from howtogeek.com about svchost. I urge you to read it! http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/

Once you get a hang of it, you will be advising folks about svchost!

If you want to use the "command line", here it goes. To view the list of services that are running in Svchost:

Click *Start* on the Windows taskbar, and then click *Run*.
In the *Open* box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The */SVC* switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER: Tasklist /FI "PID eq processID" (with the quotation marks). *Source:* http://support.microsoft.com/kb/314056

Please get back and tell us all whether you could access the svchost via "command line". Do you know one thing, when I am helping you I am enriching myself and that's the kick I get out of it!
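An added example, not part of perfume's post or of the Microsoft KB article it cites, showing how a responder turns that listing into an actual check. One practical note first: the filter form fails with "The search filter cannot be recognized" when `processID` is left in literally; it has to be the real number, e.g. `Tasklist /FI "PID eq 1236"`. The script below parses constructed output from `tasklist /SVC` and from `wmic process where name='svchost.exe' get ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv` (neither sample is from the poster's machine; the services.exe PID of 672 and %SystemRoot% of C:\WINDOWS are assumptions to replace with real values) and flags any svchost.exe instance that breaks the rules a genuine one follows: its image is %SystemRoot%\system32\svchost.exe, its parent is services.exe, it was started with a -k service group, and it hosts at least one service.

```python
"""Triage svchost.exe instances from the text output of two commands that ship
with Windows XP (run them in a cmd window and paste the output into the two
constants below):

    tasklist /SVC /FI "IMAGENAME eq svchost.exe"
    wmic process where name='svchost.exe' get ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv

Everything here is an added example: the sample output is constructed, not
taken from the poster's machine, and the services.exe PID and %SystemRoot%
are assumptions to be replaced with the real values.
"""
import csv
import io
import re

# Constructed `tasklist /SVC` output. A genuine svchost always hosts at least
# one service, so an instance that shows "N/A" deserves a closer look.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    856 DcomLaunch, TermService
svchost.exe                    936 RpcSs
svchost.exe                   1032 AudioSrv, Browser, CryptSvc, Dhcp, EventSystem,
                                   Netman, Nla, RasMan, Schedule, winmgmt
svchost.exe                   1236 stisvc, WebClient
svchost.exe                   1488 N/A
"""

# Constructed `wmic ... /format:csv` output (wmic lists columns alphabetically).
# The last row is what a responder is looking for: a file merely named
# svchost.exe, living in a user profile, started by something other than
# services.exe.
WMIC_CSV = """\
Node,CommandLine,ExecutablePath,ParentProcessId,ProcessId
LAPTOP,C:\\WINDOWS\\system32\\svchost -k DcomLaunch,C:\\WINDOWS\\system32\\svchost.exe,672,856
LAPTOP,C:\\WINDOWS\\system32\\svchost -k rpcss,C:\\WINDOWS\\system32\\svchost.exe,672,936
LAPTOP,C:\\WINDOWS\\System32\\svchost.exe -k netsvcs,C:\\WINDOWS\\System32\\svchost.exe,672,1032
LAPTOP,C:\\WINDOWS\\system32\\svchost.exe -k imgsvc,C:\\WINDOWS\\system32\\svchost.exe,672,1236
LAPTOP,C:\\Documents and Settings\\Owner\\svchost.exe,C:\\Documents and Settings\\Owner\\svchost.exe,1820,1488
"""

SERVICES_EXE_PID = 672            # assumed; read it from `tasklist /FI "IMAGENAME eq services.exe"`
SYSTEM_ROOT = r"C:\WINDOWS"       # assumed %SystemRoot%
LEGIT_PATH = (SYSTEM_ROOT + r"\system32\svchost.exe").lower()

ROW_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<svcs>.*?)\s*$")


def _split_services(chunk):
    return [s.strip() for s in chunk.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Map PID -> hosted service names ([] where tasklist printed N/A)."""
    hosted, last_pid = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            last_pid = int(m.group("pid"))
            svcs = m.group("svcs").strip()
            hosted[last_pid] = [] if svcs == "N/A" else _split_services(svcs)
        elif last_pid is not None and line.startswith(" ") and line.strip():
            # tasklist wraps long service lists onto indented continuation lines
            hosted[last_pid] += _split_services(line)
    return hosted


def parse_wmic_csv(text):
    """Map PID -> {path, cmdline, ppid} from `wmic ... /format:csv` output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        procs[int(row["ProcessId"])] = {
            "path": row["ExecutablePath"],
            "cmdline": row["CommandLine"],
            "ppid": int(row["ParentProcessId"]),
        }
    return procs


def triage(tasklist_text, wmic_text, services_pid=SERVICES_EXE_PID):
    """Return {pid: [reasons]} for every instance that breaks a rule a genuine
    svchost.exe follows: on-disk image is %SystemRoot%\\system32\\svchost.exe,
    its parent is services.exe, it was started with a -k service group, and
    it actually hosts at least one service."""
    hosted = parse_tasklist_svc(tasklist_text)
    findings = {}
    for pid, info in parse_wmic_csv(wmic_text).items():
        reasons = []
        if info["path"].lower() != LEGIT_PATH:
            reasons.append("image is %s, not %s" % (info["path"], LEGIT_PATH))
        if info["ppid"] != services_pid:
            reasons.append("parent PID %d is not services.exe" % info["ppid"])
        if " -k " not in info["cmdline"].lower():
            reasons.append("no -k service group on the command line")
        if not hosted.get(pid):
            reasons.append("hosts no services (tasklist /SVC shows N/A)")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(TASKLIST_SVC, WMIC_CSV).items()):
        print("PID %d:" % pid)
        for reason in reasons:
            print("  - " + reason)
```

On a real box, replace the two constants with pasted command output. The path check only tells you the file is where it should be, not that it is intact; a patched system file (the second possibility raised later in the thread) needs a hash or Authenticode comparison against a known-good copy, which this listing cannot give you.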


----------



## Cjreef (Aug 21, 2009)

I was able to access the list of services via the command list but when I tried to get more information I was told that "the search filter cannot be recognized".

There were two active processes one for stisvc and the other WebClient.

I also checked under Windows Task Manager, six processes were running all of them with user names of "system", "local service" or "Network Service". Based on what I read in the thread you provided, it seems that I do not have an infection. I will have to read more as it is a lot to assimilate. I'm not completely computer illiterate but I'm no expert either. It will take me a while to digest it all.

Thank you so very much, you have helped a lot.

I think what I will do is back up all my data, just in case, and allow Bit Defender to unblock svchost and see what happens. Will let you know.

I'm a bit confused that this application is running when Bit Defender says it blocked it?

Thanks again.


----------



## Cookiegal (Aug 27, 2003)

There will always be several instances of svchost.exe running and applications run under svchost.exe so it's possible one of those applications is malicious. It's also possible the actual svchost.exe is patched, meaning altered by malware so therefore infected. Before doing anything else, please do the following:

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Cjreef (Aug 21, 2009)

Thank you, here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:32 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [LoJackForLaptops] C:\Program Files\LFLInstall\InstallManager.exe /d60 /dd1 /bd0
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9749 bytes


----------



## Cookiegal (Aug 27, 2003)

Doesn't BitDefender tell you more about the detection than that?

Nothing there other than some minor iffy stuff like Ask Toolbar. But since not everything shows in a HijackThis log, let's run this scan:

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## Cjreef (Aug 21, 2009)

The only other thing Bit Defender said was to allow if the application was trusted. I'm paraphrasing, I didn't write that down. I didn't trust it since Dell seemed to think my computer was infected and wanted me to reinstall windows, ugh...


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/23/2009 4:36:36 PM
mbam-log-2009-08-23 (16-36-36).txt

Scan type: Quick Scan
Objects scanned: 100488
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Wow, and I trusted Bit Defender so much.

Also, when I installed the program, I got an error message. "An error occurred. Please report the following error to the Malwarebytes Anti-Malware support team. Error code: 732 (0,0)"

I was hoping fixing the infections would fix my "delete" key problem, but it didn't.

Could you please let me know, if you have an idea, what those two infections are all about? Thank you so very much for your help.


----------



## Cjreef (Aug 21, 2009)

Follow up:
I found in the FAQ the problem with error code 732 (0,0). I had to close all the programs in order to install and so the database could not be updated. I have updated it now and reran the scan. No further problems were found.

I have a USB smart drive onto which I had copied my Program Files and Documents folders. I stuck it into the computer for the second scan but it didn't look like it was scanned, only the C drive was. I wonder if I should erase the smart drive and start over?

Thanks again


----------



## Cookiegal (Aug 27, 2003)

I believe the two items found by MalwareBytes are false positives because the setup.exe file is in the wrong location. You must have downloaded something and saved the setup.exe file in there. The registry entry is because it's linked to that file.

I doubt there's any need to reformat the flash drive but we'll check it. Please insert the Smart USB drive into the slot and then do the following.

I'm attaching a MountPoints Diagnostic.zip file to this post. Save it to your desktop. Unzip it and double click the MountPoints Diagnostic.bat file and let it run. It will create a report in Notepad named Diagnostic.txt. Please upload the Diagnostic.txt file as an attachment.


----------



## Cjreef (Aug 21, 2009)

Here you are:
Diagnostic Report
Mon 08/24/2009 15:28:03.93

Mountpoints > Drives subkeys: 
------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a42-409c-11de-acf9-806d6172696f}]
"BaseClass"="Drive"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a43-409c-11de-acf9-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,e0,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a43-409c-11de-acf9-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a43-409c-11de-acf9-806d6172696f}\_Autorun\DefaultIcon]
@="D:\\cdrom.ico"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\_Autorun\Action]
@="Run U3 Launchpad"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\_Autorun\DefaultIcon]
@="E:\\LaunchU3.exe,0"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,09,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun\command]
@="F:\\LinksysConnectPC.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\_Autorun\Action]
@="Wireless Network Setup Wizard"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\_Autorun\DefaultIcon]
@="F:\\LinksysConnectPC.ICO"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\_Autorun\Action]
@="Run U3 Launchpad"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\_Autorun\DefaultIcon]
@="E:\\LaunchU3.exe,0"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,\
5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~ 
No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:

Files found on E:
autorun.inf

Contents of autorun.inf on E:
[AutoRun] 
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad

[Definitions]
Launchpad=LaunchPad.exe
Vtype=2

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.6.1.4&brand=PelicanBFG

[Comment]
brand=PelicanBFG

No Autorun files found in root of F:

Wow, I'm glad this means something to you, it's Greek to me.


----------



## Cjreef (Aug 21, 2009)

By the way, I haven't heard from Bit Defender about svchost all day.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry it took me so long to respond. It's been pretty hectic.

The flash drive looks fine.

Let's just do an on-line scan for good measure.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*JRE 6 Update 15*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked.
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## Cjreef (Aug 21, 2009)

Please, don't apologize. I am so grateful for all the time you have given me.
I'm getting the warnings again, on and off, mostly when I'm using Microsoft Outlook, if that means anything.
Since we've checked for infections with so many programs and came up with nothing, do you think it is safe for me to "allow" Bit Defender to let the application run?
Here is the log you requested and thanks again:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 26, 2009 23:44:34
Records in database: 2690294
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 99426
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:52:11

No threats found. Scanned area is clean.

Selected area has been scanned.


----------



## Cookiegal (Aug 27, 2003)

That's good. Please post a new HijackThis log.


----------



## Cjreef (Aug 21, 2009)

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:56 PM, on 8/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Claude Poole\Application Data\U3\1740720A3512385F\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [LoJackForLaptops] C:\Program Files\LFLInstall\InstallManager.exe /d60 /dd1 /bd0
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9932 bytes


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## Cjreef (Aug 21, 2009)

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Reader 9.1.2
Advanced Audio FX Engine
Agile Lines
Apple Software Update
Ask Toolbar
Banctec Service Agreement
BitDefender Total Security 2009
Choice Guard
Compatibility Pack for the 2007 Office system
Complete Care Consumer Service Agreement
Dell DataSafe Online
Dell Dock
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat
Dell Webcam Central
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Product Assistant
HP Solution Center & Imaging Support Tools 5.3
HP Update
Integrated Webcam Driver (1.02.02.0106) 
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 11
Junk Mail filter update
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2000 SR-1 Premium
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.5.2)
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB927977)
OLYMPUS CAMEDIA Master 4.0
PacBomber
PowerDVD
QuickSet
QuickTime
Readiris Pro 7.5
RealPlayer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Samsung SCX-4100 Series
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Segoe UI
SereneScreen Marine Aquarium 3
Simply Accounting v6.0
SmarThru 4
The Weather Channel Desktop 6
The Weather Channel Toolbar
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB898461)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Presentation Foundation
Windows Search 4.0


----------



## Cookiegal (Aug 27, 2003)

I'm signing off for the night so wanted to let you know that I'll reply back in the morning.


----------



## Cjreef (Aug 21, 2009)

Thank You


----------



## Cookiegal (Aug 27, 2003)

Please go to Control Panel - Add/Remove programs and remove:

*Ask Toolbar*

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 15*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 14 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u15-windows-i586.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with *(Java Runtime Environment, JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

This is the older version of Java that you need to remove:

*Java(TM) 6 Update 11*

Then reboot, post a new HijackThis log and let me know how things are please.


----------



## Cjreef (Aug 21, 2009)

Okay, I've done the Java. There was already a newer version, 16. 

I started to remove the Ask Toolbar but the Revouninstall program I have been using listed 238 registry items which could be removed. The most items I've ever had were 22 for the Java 11 I just removed. This scared me and I thought I'd check with you before deleting them. I don't even remember using that toolbar, it wasn't even in view.

Thanks again for your dedication.


----------



## Cjreef (Aug 21, 2009)

I forgot to tell you. There was a Java DB 10.4.2.1 which I left alone since it wasn't in your description. Should I have deleted it?


----------



## Cookiegal (Aug 27, 2003)

Cjreef said:


> Okay, I've done the Java. There was already a newer version, 16.
> 
> I started to remove the Ask Toolbar but the Revouninstall program I have been using listed 238 registry items which could be removed. The most items I've ever had were 22 for the Java 11 I just removed. This scared me and I thought I'd check with you before deleting them. I don't even remember using that toolbar, it wasn't even in view.
> 
> Thanks again for your dedication.


You shouldn't use Revo when the program has its own uninstaller unless the uninstall fails. Just uninstall the Ask Toolbar via the Control Panel please.


----------



## Cookiegal (Aug 27, 2003)

Cjreef said:


> I forgot to tell you. There was a Java DB 10.4.2.1 which I left alone since it wasn't in your description. Should I have deleted it?


If you're not a developer then you wouldn't need it. I didn't see that in your uninstall list though.


----------



## Cookiegal (Aug 27, 2003)

Sorry about the version of Java being 16 instead of 15. I forgot to update my reply speech.

When you've finished the above, please reboot and then post a new HijackThis log.


----------



## Cjreef (Aug 21, 2009)

I thought the add/remove program left a lot of junk that could be removed, which the Revo got rid of?

You know, I didn't notice the JAVA DB program until I looked at the log after installing the update. Maybe it was installed with the update?

Okay, I did it, here is the new log, and thanks again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:05 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [LoJackForLaptops] C:\Program Files\LFLInstall\InstallManager.exe /d60 /dd1 /bd0
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9680 bytes


----------



## Cjreef (Aug 21, 2009)

_Cookiegal_,

I haven't seen the screen about an infected application in quite a few days now. Do you think I'm out of the woods and I can mark the thread "solved"?

Thank you very much for all your help.


----------



## Cookiegal (Aug 27, 2003)

We just have a little tidying up to do.

Rescan with HijackThis, close all other browser windows, place a check mark beside the following entries and then click on "Fix Checked".
*O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)*
*O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k*

Are there any problems remaining?
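As an added example (not code from the thread, from HijackThis or from the helper), the script below triages a HijackThis-format log for the two kinds of entry fixed above, the orphaned "(no file)" BHO and the KernelFaultCheck dumprep leftover, and also applies the defender-side check behind the original svchost.exe question: a genuine svchost.exe runs from the Windows System32 directory. The sample log is constructed from lines in the thread plus one made-up svchost path under a user profile, and the System32 check assumes the XP default of C:\WINDOWS for %SystemRoot%.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (not a real log): a few lines copied from the
# HijackThis logs in the thread plus one constructed svchost.exe path under
# a user profile so the location check has something to report.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\Documents and Settings\\user\\svchost.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [BDAgent] "C:\\Program Files\\BitDefender\\BitDefender 2009\\bdagent.exe"
"""

# HijackThis entries look like "O2 - BHO: ..." or "R1 - HKLM\...": a section
# code, " - ", then the body of the entry.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# The only legitimate home of svchost.exe on 32-bit XP. Assumes the default
# %SystemRoot% of C:\WINDOWS; adjust the drive/path if the system differs.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$")


@dataclass
class Findings:
    orphaned_bho: list = field(default_factory=list)      # O2 entries with "(no file)"
    kernel_fault_check: list = field(default_factory=list) # O4 entries launching dumprep
    misplaced_svchost: list = field(default_factory=list)  # svchost.exe outside System32


def triage(log_text: str) -> Findings:
    """Walk a HijackThis log once and collect the three kinds of finding."""
    f = Findings()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            # The process list ends at the first blank line.
            if not line:
                in_processes = False
                continue
            low = line.lower()
            if low.endswith("\\svchost.exe") and not LEGIT_SVCHOST.match(low):
                f.misplaced_svchost.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2" and body.endswith("- (no file)"):
            f.orphaned_bho.append(line)
        if section == "O4" and "dumprep" in body.lower():
            f.kernel_fault_check.append(line)
    return f


def fix_checked(f: Findings) -> list:
    """Entries that are safe to tick under 'Fix Checked': leftovers, not malware.
    A misplaced svchost.exe is deliberately NOT included; that needs a closer look."""
    return f.orphaned_bho + f.kernel_fault_check


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for entry in fix_checked(found):
        print("fix checked:", entry)
    for path in found.misplaced_svchost:
        print("svchost.exe outside System32, investigate:", path)
```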


----------



## Cjreef (Aug 21, 2009)

Okay, done. I saved a log just in case you need it later if the problem comes back.


I still have an on and off problem with the delete key and getting screens allocated to shortcut letters when I type. This happens in Microsoft Works and Outlook. If it becomes a big problem I will start a new thread.

Thank you so much for all your help. If I were younger I would really enjoy learning more about computers and programming, it is fascinating.

I'll mark the thread as solved.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *ComboFix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## Cjreef (Aug 21, 2009)

Windows couldn't find *ComboFix /u*. I did a search and couldn't find it either.
I did create a new restore point and downloaded Spywareblaster.


----------



## Cookiegal (Aug 27, 2003)

I thought we had run ComboFix but we haven't. I think we should do that now.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## Cjreef (Aug 21, 2009)

ComboFix 09-09-09.09 - Claude Poole 09/10/2009 11:23.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2518 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\install.dat
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Claude Poole\Application Data\install.dat
c:\program files\autorun.inf
c:\program files\BitDefender\BitDefender Online Backup\ntSVc.ocx
c:\windows\Installer\14f5b6f.msp
c:\windows\Installer\18c86d5.msp
c:\windows\Installer\18c86d6.msp
c:\windows\Installer\18c86d7.msp
c:\windows\Installer\18c86d8.msp
c:\windows\Installer\18c86d9.msp
c:\windows\Installer\18c86da.msp
c:\windows\Installer\18c86db.msp
c:\windows\Installer\18c86dc.msp
c:\windows\Installer\18c86dd.msp
c:\windows\Installer\18e1aa7.msp
c:\windows\Installer\18e1aa8.msp
c:\windows\Installer\18e1aa9.msp
c:\windows\Installer\18e1aaa.msp
c:\windows\Installer\18e1aab.msp
c:\windows\Installer\18e1aac.msp
c:\windows\Installer\18e1aad.msp
c:\windows\Installer\18e1aae.msp
c:\windows\Installer\18e1aaf.msp
c:\windows\Installer\18e1ab0.msp
c:\windows\Installer\18ea973.msp
c:\windows\Installer\18ea97d.msp
c:\windows\Installer\18ea988.msp
c:\windows\system32\config\system~1\applic~1\install.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun
2009-08-24 19:21 . 2009-08-24 19:28 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-23 20:27 . 2009-08-23 20:27  -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:11 . 2009-08-21 19:12 -------- d-----w- c:\program files\Revouninstaller
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 14:00 . 2009-09-10 02:04 81984 ----a-w- c:\windows\system32\bdod.bin
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- C:\Binaries
2009-08-16 13:36 . 2009-08-16 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:33 . 2009-08-16 13:36 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 01:49 . 2009-08-16 01:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-12 13:17 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 13:23 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-26 20:26 . 2009-08-26 20:26 0 ----a-w- c:\windows\system32\bda156.tmp
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:21 . 2009-06-04 23:03 13 ------w- c:\windows\popcinfo.dat
2009-07-25 17:41 . 2009-05-15 04:30 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Marine Aquarium 3
2009-07-20 02:40 . 2009-06-04 22:00 -------- d-----w- c:\program files\Agile Lines
2009-07-18 19:25 . 2009-06-16 18:31 -------- d-----w- c:\program files\HP
2009-07-18 18:19 . 2009-07-18 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 19:22 . 2009-06-16 18:23 80537 ------w- c:\windows\HPHins08.dat
2009-06-16 18:39 . 2009-06-16 18:39 135 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\fusioncache.dat
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-25 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-06 c:\windows\Tasks\BitDefender Online Backup - [email protected]
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - 
FF - component: c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\extensions\[email protected]\components\NetDiag.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-LoJackForLaptops - c:\program files\LFLInstall\InstallManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-09-10 11:29
ComboFix-quarantined-files.txt 2009-09-10 15:29

Pre-Run: 207,608,180,736 bytes free
Post-Run: 207,936,655,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

242 --- E O F --- 2009-09-10 02:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:52 AM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9090 bytes

I can't believe the amount of work you are doing for me. Thank you again, so much.


----------



## Cookiegal (Aug 27, 2003)

It's no problem. I like to be thorough. 

Please delete these two files manually:

c:\windows\system32\*bda156.tmp*
C:\windows\*popcinfo.dat*

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *ComboFix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they aren't required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig, click OK and then click on the start-up tab.

http://www.systemlookup.com/lists.php?list=2
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php
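The checks Cookiegal does by eye in this thread, flagging the orphaned "(no file)" BHO and the KernelFaultCheck leftover for "Fix Checked" and counting the O4 start-ups that should be trimmed, can be done mechanically over the pasted log. The script below is an added example, not code from the thread or from HijackThis: it parses a HijackThis-style log, reports orphaned entries, a core binary such as svchost.exe running from anywhere other than System32 (the question this whole thread turns on), and the number of autostarts per location. The sample log lines are constructed in the shape of the log posted above, and the look-alike path C:\WINDOWS\svchost.exe is made up to show the check firing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Core Windows binaries that, on XP, legitimately run only from %SystemRoot%\System32.
# One of these names anywhere else deserves a closer look (hash it, check the signature,
# upload it to a multi-scanner) before it is allowed through a behavioural blocker.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# "R1 - ...", "O4 - ...", "O23 - ..." entry lines.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2})\s+-\s+(.*)$")
# Location prefix of an O4 entry, e.g. "HKLM\..\Run:" or "Global Startup:".
O4_LOCATION_RE = re.compile(r"^([^:]+):")


@dataclass
class Finding:
    kind: str    # short rule name
    detail: str  # the log line that triggered it


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text: str) -> List[Finding]:
    """Orphaned entries, out-of-place core binaries and crash-report leftovers."""
    processes, entries = parse_log(text)
    findings: List[Finding] = []
    for path in processes:
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM32_ONLY and directory != SYSTEM32_DIR:
            findings.append(Finding("core-binary-outside-system32", path))
    for code, body in entries:
        if body.endswith("(no file)"):
            # Registry still references a component whose file is gone: harmless, but clean it up.
            findings.append(Finding("orphaned-entry", f"{code} - {body}"))
        if code == "O4" and "dumprep" in body.lower():
            # KernelFaultCheck/dumprep is left behind after a crash to report it; not a program you need.
            findings.append(Finding("crash-report-leftover", f"{code} - {body}"))
    return findings


def startup_summary(text: str) -> Dict[str, int]:
    """Count O4 autostart entries by location (HKLM Run, HKCU Run, Startup folders)."""
    _, entries = parse_log(text)
    counts: Counter = Counter()
    for code, body in entries:
        if code == "O4":
            m = O4_LOCATION_RE.match(body)
            counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


# Constructed sample in the shape of the log posted in this thread. The process line
# C:\WINDOWS\svchost.exe is invented to show the core-binary check firing.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
    print(startup_summary(SAMPLE_LOG))
```

Paste a real log into SAMPLE_LOG (or read it from a file) and the same three checks run over it; the orphaned and crash-leftover findings are exactly the ones a helper asks to have fixed.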


----------



## Cjreef (Aug 21, 2009)

Since my last post, Dell had an update which changed the BIOS. It said something about changing the registry while updating. Of course, it means nothing to me but I thought you might want to know in case you want to see a log or something before I go ahead and wipe out the restore points, I assume that's what you mean by "flash out"?
Also, I looked for those two files in Windows Explorer. I can't find them but I see they are listed in the ComboFix log. I'm sorry to bother you some more but I'll need instructions on how to find them and delete them. Thanks.


----------



## Cookiegal (Aug 27, 2003)

No, there's no need for another log and it won't affect flushing the restore points.

Did you try to navigate to those files or did you do a search?


----------



## Cjreef (Aug 21, 2009)

I tried to navigate to the files with Internet Explorer and I also ran searches, no dice.

ComboFix is gone and I have a new restore point.


----------



## Cookiegal (Aug 27, 2003)

Have you already deleted ComboFix? If not we can use it to delete those files, in case they do still exist.


----------



## Cjreef (Aug 21, 2009)

Yes, I have deleted ComboFix. What do those two files do? Can we just leave them? And, shouldn't they be visible in Windows Explorer?

I was working all day with my accounting program and the warning from Bit Defender kept cropping up every few minutes. Each time I told it to block. My program worked like a charm so whatever Windows wanted to do sure wasn't needed. I had not seen that warning in days. So, I guess I should change the thread back to unsolved, grrrr....


----------



## Cookiegal (Aug 27, 2003)

Please post a screen shot of the alert you're getting.


----------



## Cjreef (Aug 21, 2009)

I don't seem to be able to post the screen shot. I have one saved in Microsoft Word. Any idea how I can transfer it? When I try the copy and paste I just get a light colored broken picture in the reply window.

Here is what it says:

Bit Defender Behavioral Scanner
! Bit Defender blocked a potentially malicious or infected Application
Microsoft(r)Windows(r) Operating System
Application:
C:\WINDOWS\System32\svchost.exe

Bit Defender detects applications based on their behavior. If this is a known and trusted application, please click "allow"

You can either click "allow" to allow this action to be performed, or, "OK" to block this action.

I have been clicking OK based on the Dell tech's claim that my computer was probably infected. Not allowing the action doesn't seem to be a problem with any of my programs but it is really annoying to have that screen pop up all the time.


----------



## Cjreef (Aug 21, 2009)




----------



## Cookiegal (Aug 27, 2003)

You have to save the screenshot in MS Paint and then upload it as an attachment.


----------



## Cjreef (Aug 21, 2009)

I have uploaded the picture, can't seem to get it in the reply. Okay, I see the link.


----------



## Cookiegal (Aug 27, 2003)

Let's check to see if the svchost.exe file may be infected.

Go to the link below and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\Windows\System32\svchost.exe*


----------



## Cjreef (Aug 21, 2009)

Something really strange happened. I was told that the scan had been run before on 9/13 with 0 out of 21 scanners reporting Malware, same as today's scan. I was never on that site before let alone uploading the file which I had trouble finding today. No one but me has access to my computer. What's up?

*Jotti's malware scan*

Filename: svchost.exe Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 18 Sep 2009 03:17:40 (CET) Permalink

*Additional info*

File size: 14336 bytes Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18 SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667


----------



## Cookiegal (Aug 27, 2003)

That's just telling you that someone else did a scan on that date.

Download *OTS.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTS* on your desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Open the *OTS* folder and double-click on *OTS.exe* to start the program.
In the *Additional Scans* section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Cjreef (Aug 21, 2009)

Here is the OTS file:


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Registry - Safe List]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {2E5E800E-6AC0-411E-940A-369530A35E43}:{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} [HKLM] -> Reg Error: Key error. [Button: The Weather Channel]
YN -> {2E5E800E-6AC0-411E-940A-369530A35E43}:Reg Error: Value error. [HKLM] -> Reg Error: Value error. [Menu: The Weather Channel]
[Files/Folders - Modified Within 30 Days]
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 31 C:\Documents and Settings\Claude Poole\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Claude Poole\Local Settings\temp\*.tmp
NY -> rtsr.dat -> C:\WINDOWS\Temp\rtsr.dat
NY -> msoAB.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAB.com
NY -> mso5D.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso5D.com
NY -> msoAC.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAC.com
NY -> mso30D.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30D.com
NY -> mso2EE.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso2EE.com
NY -> mso30E.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30E.com
[Alternate Data Streams]
NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## Cjreef (Aug 21, 2009)

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\Temp\rtsr.dat moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAB.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso5D.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAC.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30D.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso2EE.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30E.com moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Claude Poole
->Temp folder emptied: 95660824 bytes
File delete failed. C:\Documents and Settings\Claude Poole\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 41545176 bytes
->Java cache emptied: 43484675 bytes
->FireFox cache emptied: 76349991 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 43971409 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 82576 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 287.21 mb

< End of fix log >
OTS by OldTimer - Version 3.0.12.1 fix logfile created on 09202009_125804

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:04 PM, on 9/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9186 bytes

Cookiegal, Thanks again for all your help. By the way, I am not ignoring you. I did print all the 04 entries to be checked and (some) deleted from the start up. I just haven't had the time to get to it yet, I will. Computers are great when they work, but sooooo time consuming when there is a problem. I didn't add anything to the start up, it must have come with all these unnecessary start ups from the factory.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* and type in *cmd*

At the command prompt copy/paste this into the window and hit "enter":

```
cd %userprofile%\desktop
tasklist /svc /fi "imagename eq svchost.exe" >> taskservlist.txt
```

A text file should appear on your desktop called taskservlist.txt. Copy/paste the contents of that here.


----------



## Cjreef (Aug 21, 2009)

Image Name PID Services 
========================= ====== =============================================
svchost.exe 1704 DcomLaunch, TermService 
svchost.exe 1784 RpcSs 
svchost.exe 208 AudioSrv, BITS, Browser, CryptSvc, Dhcp, 
ERSvc, EventSystem, 
FastUserSwitchingCompatibility, helpsvc, 
HidServ, LanmanServer, lanmanworkstation, 
Netman, Nla, RasMan, Schedule, seclogon, 
SENS, SharedAccess, ShellHWDetection, 
srservice, TapiSrv, Themes, TrkWks, w32time, 
winmgmt, wscsvc, wuauserv, WZCSVC 
svchost.exe 620 LmHosts, RemoteRegistry, SSDPSRV 
svchost.exe 584 WebClient 
svchost.exe 268 stisvc


----------



## Cookiegal (Aug 27, 2003)

They are all legitimate processes running under svchost.exe.
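A mechanical version of the check done by eye above, added here as an example and not part of the thread: it parses the `tasklist /svc` output posted earlier (transcribed as SAMPLE) and flags any svchost.exe row that hosts no service at all or a service name outside KNOWN_XP_SERVICES, an illustrative allow-list of common Windows XP services that is an assumption of this example, not an authoritative list.

```python
"""Parse `tasklist /svc /fi "imagename eq svchost.exe"` output and flag
svchost.exe rows worth a second look.  Added example: SAMPLE is transcribed
from the thread, SUSPECT is constructed, KNOWN_XP_SERVICES is illustrative."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Transcribed from the output posted in the thread.
SAMPLE = """\
Image Name                     PID Services
========================= ====== =============================================
svchost.exe                   1704 DcomLaunch, TermService
svchost.exe                   1784 RpcSs
svchost.exe                    208 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   ERSvc, EventSystem,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   HidServ, LanmanServer, lanmanworkstation,
                                   Netman, Nla, RasMan, Schedule, seclogon,
                                   SENS, SharedAccess, ShellHWDetection,
                                   srservice, TapiSrv, Themes, TrkWks, w32time,
                                   winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                    620 LmHosts, RemoteRegistry, SSDPSRV
svchost.exe                    584 WebClient
svchost.exe                    268 stisvc
"""

# Constructed output showing two red flags: a process named svchost.exe that
# hosts no service, and one hosting a made-up service name ("ExampleBogusSvc").
SUSPECT = """\
Image Name                     PID Services
========================= ====== =============================================
svchost.exe                   1704 DcomLaunch, TermService
svchost.exe                   3312 N/A
svchost.exe                   3400 RpcSs, ExampleBogusSvc
"""

# Illustrative allow-list (assumption): the services accepted in the thread
# plus Dnscache, another standard XP service that runs inside svchost.exe.
KNOWN_XP_SERVICES = frozenset(s.lower() for s in (
    "DcomLaunch", "TermService", "RpcSs", "AudioSrv", "BITS", "Browser",
    "CryptSvc", "Dhcp", "Dnscache", "ERSvc", "EventSystem",
    "FastUserSwitchingCompatibility", "helpsvc", "HidServ", "LanmanServer",
    "lanmanworkstation", "Netman", "Nla", "RasMan", "Schedule", "seclogon",
    "SENS", "SharedAccess", "ShellHWDetection", "srservice", "TapiSrv",
    "Themes", "TrkWks", "w32time", "winmgmt", "wscsvc", "wuauserv", "WZCSVC",
    "LmHosts", "RemoteRegistry", "SSDPSRV", "WebClient", "stisvc",
))

# A row starts with the image name in column 0, then the PID, then services.
ROW_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


@dataclass
class ProcessRow:
    image: str
    pid: int
    services: List[str] = field(default_factory=list)


def parse_tasklist_svc(text: str) -> List[ProcessRow]:
    """Parse tasklist /svc output; continuation lines (leading whitespace)
    extend the service list of the row that opened them."""
    rows: List[ProcessRow] = []
    current: Optional[ProcessRow] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Image Name") or raw.startswith("="):
            continue                    # blank line, header or separator
        m = ROW_RE.match(raw)           # matches only when column 0 is non-blank
        if m:
            current = ProcessRow(m.group("image"), int(m.group("pid")))
            rows.append(current)
            fragment = m.group("services")
        elif current is not None:
            fragment = raw              # wrapped continuation of the last row
        else:
            continue
        # Split on commas; an empty fragment after a trailing comma is dropped.
        current.services.extend(s.strip() for s in fragment.split(",") if s.strip())
    return rows


def check_svchost(rows: Iterable[ProcessRow],
                  known: Iterable[str] = KNOWN_XP_SERVICES) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for svchost.exe rows that deserve investigation.

    A genuine svchost.exe is started by the Service Control Manager to host at
    least one service, so "N/A" means something else is borrowing the name; a
    service outside the allow-list is something to look up before trusting."""
    known_lc = {s.lower() for s in known}
    findings: Dict[int, List[str]] = {}
    for row in rows:
        if row.image.lower() != "svchost.exe":
            continue
        reasons: List[str] = []
        if row.services == ["N/A"]:
            reasons.append("hosts no service at all")
        unknown = [s for s in row.services if s != "N/A" and s.lower() not in known_lc]
        if unknown:
            reasons.append("unrecognised service name(s): " + ", ".join(unknown))
        if reasons:
            findings[row.pid] = reasons
    return findings


if __name__ == "__main__":
    for label, text in (("thread output", SAMPLE), ("constructed output", SUSPECT)):
        print(label, "->", check_svchost(parse_tasklist_svc(text)) or "nothing to flag")
```

Run it against a real `taskservlist.txt` by reading the file into `parse_tasklist_svc`; an empty result means every svchost.exe instance hosts only allow-listed services.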


----------



## Cjreef (Aug 21, 2009)

That's good, but I've been blocking every warning window from Bit Defender, so whatever it is Bit Defender is warning about should not be running.

Since we've run so many programs and I don't seem to be infected, do you think I can ignore the warning and allow the application to run? Thanks


----------



## Cookiegal (Aug 27, 2003)

I don't understand that BitDefender doesn't explain more about the process that's trying to run under svchost.exe. Can you check the alert logs and see if there's any more detailed explanation please.


----------



## Cjreef (Aug 21, 2009)

I'm sorry, I can't find anything.
I've sent a query to Bit Defender. We'll see if I get a reply.


----------



## Cookiegal (Aug 27, 2003)

Please let me know what you find out.

In the meantime, are there any other problems remaining?


----------



## Cjreef (Aug 21, 2009)

I certainly will, when/if I hear anything.

Yes, I still have problems. My original problem with Microsoft Outlook resurfaced. Out of the blue, screens pop up while I'm typing and the margins get messed up. That problem was originally fixed by uninstalling and reinstalling the keypad driver. It hasn't turned into a major problem yet, so I kept it on the back burner.

Recently, another problem developed. The Windows updates appear to be installing but they are not and the yellow shield reappears on the task bar. Every time I turn off the computer it tries to install 1 update but next time it's there again. I did send an email to Microsoft and I'm waiting for an answer. I will let you know about that too.

Thanks


----------



## Cjreef (Aug 21, 2009)

Well, things are getting worse.
I received a reply from BitDefender with instructions to generate an AVIS log as well as a GMER log and sent them with a reply. Links were given to download the programs.
I obtained the AVIS log without problem but received a "Blue Screen" while the GMER tool was running the scan. Now I'm scared to try to rerun it.
I sent the info to BitDefender, we'll see what they have to say. Let me know if you want me to send you the AVIS log, it's called "bd sys log.xml". I don't know if it would mean anything to you, it looks like it might be just for Bit Defender use.

Here is the technical info from the blue screen, if it should mean anything to you:

Technical info: STOP: (0XF9B28000, 0X00000000, 0X8DFAD7E3, 0X00000000)
Uwlii pow.sys - Address 8DFAD7E3 base a 8DFA2000, DateStamp 4aae2e86

The problem seems to be caused by the following file: uwliipow.sys.

Thanks a million.


----------



## Cookiegal (Aug 27, 2003)

It looks like it could be a rogue driver. I thought we had run GMER.

Try running it in safe mode and you can also rename it to something else.


----------



## Cjreef (Aug 21, 2009)

I didn't try to run it in safe mode yet, because, in the mean time I heard from BitDefender and they told me they needed a Rootkit Unhooker log. Here is the beginning of their email.

Dear......,

In order to be able to further investigate the reported situation we need a
log generated by the Rootkit Unhooker application.

[how to GENERATE A ROOTKIT UNHOOKER LOG]

. Save the Rootkit Unhooker tool (and then extract it if needed) to a location
of your choice:
RECOMMENDED:
http://forum.sysinternals.com/uploads/20071210_182632_rku37300509.rar
alternative:
http://www.bitdefender.com/files/KnowledgeBase/file/rku37300509.zip
or use the version attached to this email: rku37300509.zip (not available
for all email providers)

This is getting worse by the minute. I can't believe they would get me to download an infected file.

I did try to disinfect but because BitDefender still gave me a warning, I blocked it, so I'm back at square one.

What on earth do you think of that?


----------



## Cookiegal (Aug 27, 2003)

It wouldn't be an infected file they sent you. Either malware or one of your security programs is interfering. Have you tried replying yes to that prompt?


----------



## Cjreef (Aug 21, 2009)

Yes I did. It took two tries to make that screen disappear. BTW, that screen was from the Rootkit Unhooker tool not from BitDefender. It says the parasite was within itself. How could Malware or BitDefender make up a statement like that? When the screen disappeared, the BitDefender screen gave me the same warning as it does with svchost.exe.

In an earlier post you said you thought we had run GMER. We did not as such but on 9/9 we ran Combofix and it looks like GMER rootkit/stealth malware detection was run as part of Combofix. I didn't download or run the program but there is an entry following the Combofix results.

Here is what we ran so far:
Hijack This (several times throughout this thread)
MBAM
Mount Points Diagnostic
Kaspersky Webscanner
Combofix
Jotti virus scan on svchost file (21 programs checked the file all with negative results.)
OTS
Taskservlist from the cmd command

If I have some malware or other threat on my computer it sure is good at hiding.

I'm beginning to wonder if my settings are too high. They're all set at "aggressive".

Microsoft replied about the problem updating. They want me to uninstall and reinstall the MSXML software on my computer. I'll do it tomorrow.


----------



## Cookiegal (Aug 27, 2003)

I know it's BitDefender but it may be reacting that way to malware.

ComboFix only runs CatchMe by Gmer which is not the full rootkit detection that GMER is.

Let's remove ComboFix by dragging it to the recycle bin and download the latest version please, do a new scan and post that log.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Puppy.exe please.


----------



## Cjreef (Aug 21, 2009)

I followed the instructions from the Microsoft Tech and it did fix the updating problem. I'm now up to date on critical updates.

Here is the ComboFix log:

ComboFix 09-09-25.01 - Claude Poole 09/27/2009 13:55.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2222 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Puppy.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\1a267c1.msp
c:\windows\Installer\233f9af.msp

.
((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-25 20:44 . 2009-09-25 20:44 -------- d-----w- c:\program files\MSECACHE
2009-09-25 14:40 . 2009-09-25 14:40 0 ----a-w- c:\windows\system32\drivers\rkhdrv40.sys
2009-09-23 17:39 . 2009-09-23 17:39 -------- d-sh--w- c:\documents and settings\Claude Poole\IECompatCache
2009-09-23 17:06 . 2009-09-23 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-20 16:58 . 2009-09-20 16:58 -------- d-----w- C:\_OTS
2009-09-20 15:42 . 2009-09-20 15:42 -------- d-----w- c:\program files\real
2009-09-12 01:06 . 2009-09-12 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 22:46 . 2009-09-11 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 15:34 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-27 15:33 . 2009-08-16 14:00 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-20 15:42 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 15:42 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 15:42 . 2009-05-26 20:47 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 01:06 . 2009-05-22 01:05 -------- d-----w- c:\program files\QuickTime
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-24 19:28 . 2009-08-24 19:21 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 --------  d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:12 . 2009-08-21 19:11 -------- d-----w- c:\program files\Revouninstaller
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 13:42 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:36 . 2009-08-16 13:33 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:21 . 2009-06-04 23:03 13 ------w- c:\windows\popcinfo.dat
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-08-23 20:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-23 20:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ACABC4EE
*Deregistered* - acabc4ee

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-27 c:\windows\Tasks\BitDefender Online Backup - [email protected]
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - 
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 13:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-09-27 14:00
ComboFix-quarantined-files.txt 2009-09-27 18:00
ComboFix2.txt 2009-09-10 15:29

Pre-Run: 206,895,509,504 bytes free
Post-Run: 206,911,574,016 bytes free

235 --- E O F --- 2009-09-27 16:00


----------



## Cookiegal (Aug 27, 2003)

Download RootkitRevealer from here:

http://www.sysinternals.com/utilities/rootkitrevealer.html

Unzip it, then double-click the RootkitRevealer.exe file. Click the scan button and let it scan. Save the scan results and post them here.


----------



## Cjreef (Aug 21, 2009)

I ran the RootkitRevealer but ran into trouble trying to save the log. The only place it wanted me to save it was in Sys32. I tried to save to the desktop and to My Documents unsuccessfully. I got a little farther with My Documents and it did try to save but then it froze after telling me the file already existed (that would have been from several prior attempts). Then I was told the program was not responding.
I did a search for the .txt file and found two under My Documents/localservice?. They both had 0 bytes since I had to end the program when it was not responding.

Incidentally, every time I ran the scan I got a different number of discrepancies found. The first time it was 1300 and some, then the other times were in the 30s and 40s?

Now, I got a little farther with BitDefender. They sent me an email asking me to rerun the test with BitDefender disabled. I'm attaching the results here. It looks like two hidden files are suspect.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\system32\emtjh73m.exe
C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\uwliipow.sys

Driver::
uwliipow
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## Cjreef (Aug 21, 2009)

ComboFix 09-09-28.01 - Claude Poole 09/28/2009 20:59.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2182 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Puppy.exe
Command switches used :: c:\documents and settings\Claude Poole\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

FILE ::
"c:\docume~1\CLAUDE~1\LOCALS~1\Temp\uwliipow.sys"
"c:\windows\system32\emtjh73m.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UWLIIPOW
-------\Service_uwliipow

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-28 19:56 . 2009-09-28 19:57 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\QuickScan
2009-09-27 23:35 . 2009-09-27 23:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BitDefender
2009-09-27 17:54 . 2009-09-27 18:00 -------- d-----w- C:\Puppy
2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-25 20:44 . 2009-09-25 20:44 -------- d-----w- c:\program files\MSECACHE
2009-09-23 17:39 . 2009-09-23 17:39 -------- d-sh--w- c:\documents and settings\Claude Poole\IECompatCache
2009-09-23 17:06 . 2009-09-23 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-20 16:58 . 2009-09-20 16:58 -------- d-----w- C:\_OTS
2009-09-20 15:42 . 2009-09-20 15:42 -------- d-----w- c:\program files\real
2009-09-12 01:06 . 2009-09-12 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 22:46 . 2009-09-11 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 01:04 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-29 01:03 . 2009-08-16 14:00 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-27 21:27 . 2009-06-04 23:03 13 ----a-w- c:\windows\popcinfo.dat
2009-09-27 18:46 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-09-20 15:42 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 15:42 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 15:42 . 2009-05-26 20:47 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 01:06 . 2009-05-22 01:05 -------- d-----w- c:\program files\QuickTime
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-24 19:28 . 2009-08-24 19:21 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:12 . 2009-08-21 19:11 -------- d-----w- c:\program files\Revouninstaller
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:36 . 2009-08-16 13:33 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-08-23 20:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-23 20:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( [email protected]_17.59.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-29 01:04 . 2009-09-29 01:04 16384 c:\windows\Temp\Perflib_Perfdata_180.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-04-23 801904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 BWMMHD;BWMMHD;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe [?]
S3 FKFRBQO;FKFRBQO;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe [?]
S3 P;P;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\P.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\P.exe [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 RKPCFMNZSN;RKPCFMNZSN;c:\docume~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe --> c:\docume~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-27 c:\windows\Tasks\BitDefender Online Backup - [email protected]
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - 
FF - component: c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\extensions\[email protected]\components\NetDiag.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1488)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2968)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\drivers\audio\R214424\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2009-09-29 21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-29 01:07
ComboFix2.txt 2009-09-27 18:00
ComboFix3.txt 2009-09-10 15:29

Pre-Run: 206,858,694,656 bytes free
Post-Run: 206,738,780,160 bytes free

278 --- E O F --- 2009-09-27 16:00

Cookiegal: I didn't get a message box with the log.

I will have to post the HijackThis log in a second post as it made this one too long for posting.

Cookiegal: I didn't get a message box with the ComboFix log


----------



## Cjreef (Aug 21, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:32 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (qsax Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: BWMMHD - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FKFRBQO - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: P - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\P.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RKPCFMNZSN - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9754 bytes


----------



## Cookiegal (Aug 27, 2003)

The driver was likely associated with GMER as well. It uses odd random file names so it looks like malware sometimes.

Open Notepad and copy and paste the text in the code box below into it:


```
Driver::
BWMMHD
FKFRBQO
P
rkhdrv40
RKPCFMNZSN

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
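As an added example (not ComboFix, HijackThis, or Cookiegal's own tooling): a short Python script that applies the same reasoning to the HijackThis O23 lines posted above, flagging services whose binary sits in a user Temp folder and is already gone, and rendering the matching `Driver::` block of a CFScript. The sample lines are copied from the log in this thread; the O23 regex and the Temp-plus-missing heuristic are this example's own assumptions.

```python
"""Flag orphaned HijackThis O23 service entries and build a CFScript Driver:: block.

Added example, not part of HijackThis, ComboFix or the helper's own tooling.
The heuristic (binary under a Temp folder AND already missing) mirrors the
reasoning behind the Driver:: list posted above; the O23 regex is an assumption
about HijackThis 2.0.2's line format, checked against the lines in this thread.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# HijackThis 2.0.2 O23 line, as seen in the thread:
#   O23 - Service: <display> [(<service name>)] - <owner> - <path> [(file missing)]
# The service name in parentheses is optional; when it is absent, the display
# name is what ComboFix's Driver:: section needs.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


class Finding(NamedTuple):
    service: str          # name ComboFix expects under Driver::
    path: str
    reasons: tuple


def parse_o23(line: str) -> Optional[dict]:
    """Return the fields of one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_services(lines: Iterable[str]) -> List[Finding]:
    """Flag services whose binary lives in a Temp folder and is already gone.

    A missing binary alone can be a sloppy uninstall; a Temp-folder binary alone
    can be a legitimate installer's helper service.  Both together are the
    orphaned-dropper pattern the helper scripted for removal.
    """
    findings = []
    for line in lines:
        rec = parse_o23(line)
        if rec is None or not TEMP_DIR_RE.search(rec["path"]) or not rec["missing"]:
            continue
        reasons = ["binary under a Temp directory", "file missing (orphaned service)"]
        if rec["owner"] == "Unknown owner":
            reasons.append("no publisher recorded")
        findings.append(Finding(rec["name"] or rec["display"], rec["path"], tuple(reasons)))
    return findings


def cfscript_driver_block(findings: Iterable[Finding]) -> str:
    """Render the Driver:: section of a CFScript.txt, one service name per line.

    GMER's rkhdrv40 driver in the posted script is not an O23 entry; the helper
    added it from the driver list separately, so it does not appear here.
    """
    return "Driver::\n" + "".join(f"{f.service}\n" for f in findings)


# Sample input: O23 lines copied from the HijackThis log in this thread.
SAMPLE_O23 = [
    r"O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe",
    r"O23 - Service: BWMMHD - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\BWMMHD.exe (file missing)",
    r"O23 - Service: FKFRBQO - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\FKFRBQO.exe (file missing)",
    r"O23 - Service: P - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\P.exe (file missing)",
    r"O23 - Service: RKPCFMNZSN - Unknown owner - C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\RKPCFMNZSN.exe (file missing)",
    r"O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe",
    r"O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe",
]

if __name__ == "__main__":
    hits = suspicious_services(SAMPLE_O23)
    for hit in hits:
        print(f"{hit.service:12} {hit.path}  <- {'; '.join(hit.reasons)}")
    print(cfscript_driver_block(hits))
```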


----------



## Cjreef (Aug 21, 2009)

ComboFix 09-09-30.01 - Claude Poole 09/30/2009 18:21.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3031.2358 [GMT -4:00]
Running from: c:\documents and settings\Claude Poole\Desktop\Puppy.exe
Command switches used :: c:\documents and settings\Claude Poole\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BWMMHD
-------\Legacy_FKFRBQO
-------\Legacy_P
-------\Legacy_RKHDRV40
-------\Legacy_RKPCFMNZSN
-------\Service_BWMMHD
-------\Service_FKFRBQO
-------\Service_P
-------\Service_rkhdrv40
-------\Service_RKPCFMNZSN

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-29 15:39 . 2009-09-29 15:39 8676 ----a-w- c:\documents and settings\Claude Poole\BootRecs.zip
2009-09-28 19:56 . 2009-09-28 19:57 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\QuickScan
2009-09-27 23:35 . 2009-09-27 23:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\BitDefender
2009-09-27 17:54 . 2009-09-27 18:00 -------- d-----w- C:\Puppy
2009-09-25 20:46 . 2009-09-25 20:46 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-25 20:44 . 2009-09-25 20:44 -------- d-----w- c:\program files\MSECACHE
2009-09-23 17:39 . 2009-09-23 17:39 -------- d-sh--w- c:\documents and settings\Claude Poole\IECompatCache
2009-09-23 17:06 . 2009-09-23 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-20 16:58 . 2009-09-20 16:58 -------- d-----w- C:\_OTS
2009-09-20 15:42 . 2009-09-20 15:42 -------- d-----w- c:\program files\real
2009-09-12 01:06 . 2009-09-12 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 01:04 . 2009-09-12 01:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-11 22:46 . 2009-09-11 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-08 19:19 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 02:13 . 2009-09-08 02:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 02:13 . 2009-09-08 02:24 -------- d-----w- c:\program files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 22:26 . 2009-05-14 21:23 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-30 22:24 . 2009-08-16 14:00 81984 ----a-w- c:\windows\system32\bdod.bin
2009-09-27 21:27 . 2009-06-04 23:03 13 ----a-w- c:\windows\popcinfo.dat
2009-09-27 18:46 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-09-20 15:42 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-20 15:42 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-20 15:42 . 2009-05-26 20:47 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 01:06 . 2009-05-22 01:05 -------- d-----w- c:\program files\QuickTime
2009-09-09 14:26 . 2009-05-06 13:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 17:32 . 2009-08-29 17:32 -------- d-----w- c:\program files\Sun
2009-08-29 17:32 . 2009-05-06 13:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 17:31 . 2009-05-06 12:59 -------- d-----w- c:\program files\Java
2009-08-28 16:58 . 2009-05-14 20:44 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\U3
2009-08-24 19:28 . 2009-08-24 19:21 -------- d-----w- c:\program files\Mountpoints Diagnostic
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Malwarebytes
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 20:27 . 2009-08-23 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-23 18:22 . 2009-08-23 18:22 -------- d-----w- c:\program files\Trend Micro
2009-08-23 17:07 . 2009-08-23 17:07 -------- d-----w- c:\program files\Process Explorer
2009-08-21 22:14 . 2009-08-21 22:14 71 ----a-w- c:\documents and settings\Claude Poole\Application DatadMb.dat
2009-08-21 19:46 . 2009-08-21 19:46 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\VSRevoGroup
2009-08-21 19:12 . 2009-08-21 19:11 -------- d-----w- c:\program files\Revouninstaller
2009-08-21 14:48 . 2009-02-12 20:52 104456 ------w- c:\windows\system32\drivers\bdfndisf.sys
2009-08-18 17:27 . 2009-08-18 17:27 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Uniblue
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\BitDefender
2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\BitDefender
2009-08-16 13:36 . 2009-08-16 13:33 -------- d-----w- c:\program files\Common Files\BitDefender
2009-08-16 13:29 . 2009-05-06 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-16 00:59 . 2009-07-03 22:08 664 ------w- c:\windows\system32\d3d9caps.dat
2009-08-08 17:35 . 2009-08-08 17:35 -------- d-----w- c:\documents and settings\Claude Poole\Application Data\Printer Info Cache
2009-08-07 15:49 . 2009-05-22 00:34 3578 ------w- c:\documents and settings\Claude Poole\Application Data\wklnhst.dat
2009-08-07 02:40 . 2009-05-14 15:47 41520 ------w- c:\documents and settings\Claude Poole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\Dell DataSafe Online
2009-08-05 23:03 . 2009-05-06 13:00 -------- d-----w- c:\program files\Dell
2009-08-05 22:40 . 2009-08-05 22:40 -------- d-----w- c:\program files\Intel
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-08-23 20:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-23 20:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-04 16:46 . 2009-07-04 16:46 61224 ------w- c:\documents and settings\Claude Poole\GoToAssistDownloadHelper.exe
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-05-23 02:23 . 2009-05-23 02:23 1878888 ------w- c:\program files\install_flash_player.exe
2001-04-18 08:01 . 2009-05-21 22:15 6758912 ------r- c:\program files\ps601up.exe
2000-12-02 23:38 . 2009-05-21 22:15 2857 ------r- c:\program files\Abcpy.ini
2000-10-23 05:26 . 2009-05-21 22:15 42 ------r- c:\program files\serial.txt
2000-09-29 13:01 . 2009-05-21 22:15 652 ------r- c:\program files\layout.bin
2000-09-29 13:01 . 2009-05-21 22:15 107119545 ------r- c:\program files\data1.cab
2000-09-29 13:01 . 2009-05-21 22:15 204890 ------r- c:\program files\data1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 49 ------r- c:\program files\setup.lid
2000-09-29 13:00 . 2009-05-21 22:15 2389166 ------r- c:\program files\_user1.cab
2000-09-29 13:00 . 2009-05-21 22:15 101 ------r- c:\program files\DATA.TAG
2000-09-29 13:00 . 2009-05-21 22:15 8812 ------r- c:\program files\_user1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 6492 ------r- c:\program files\_sys1.hdr
2000-09-29 13:00 . 2009-05-21 22:15 181565 ------r- c:\program files\_sys1.cab
2000-09-29 13:00 . 2009-05-21 22:15 198033 ------r- c:\program files\setup.ins
2000-09-14 11:22 . 2009-05-21 22:15 27551 ------r- c:\program files\Photoshop 6.0 Readme.wri
2000-08-30 20:15 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel.exe
2000-06-16 20:21 . 2009-05-21 22:15 415574 ------r- c:\program files\Setup.bmp
2000-01-04 21:34 . 2009-05-21 22:15 250 ------r- c:\program files\SETUP.INI
1998-10-02 22:15 . 2009-05-21 22:15 297989 ------r- c:\program files\_INST32I.EX_
1998-10-02 22:06 . 2009-05-21 22:15 27648 ------r- c:\program files\_ISDel_old.exe
1998-09-29 20:34 . 2009-05-21 22:15 34816 ------r- c:\program files\_Setup.dll
1998-09-18 18:12 . 2009-05-21 22:15 4679 ------r- c:\program files\lang.dat
1998-07-27 21:41 . 2009-05-21 22:15 450 ------r- c:\program files\os.dat
2009-03-05 22:08 . 2009-08-16 13:42 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-05-06 13:08 . 2009-05-06 13:08 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( [email protected]_17.59.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-30 22:26 . 2009-09-30 22:26 16384 c:\windows\Temp\Perflib_Perfdata_3ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-08-21 782336]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]

c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-11-27 46432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-21 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-04 16:46 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Claude Poole^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\documents and settings\Claude Poole\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [5/6/2009 11:46 AM 113024]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/6/2009 9:08 AM 135936]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/6/2009 11:46 AM 110080]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [5/6/2009 11:46 AM 176640]
R3 OA008Afx;Provides a software interface to control audio effects of OA008 camera.;c:\windows\system32\drivers\OA008Afx.sys [5/6/2009 11:46 AM 148056]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [5/6/2009 11:46 AM 133472]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [5/6/2009 11:46 AM 271616]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [5/6/2009 11:46 AM 1656960]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-27 c:\windows\Tasks\BitDefender Online Backup - [email protected]
- c:\program files\BitDefender\BitDefender Online Backup\sosuploadagent.exe [2009-06-03 18:08]
.
.
------- Supplementary Scan -------
.
TCP: {C653377A-D8AC-4C64-9C39-69762EED141A} = 216.144.187.199,204.186.0.201
FF - ProfilePath - c:\documents and settings\Claude Poole\Application Data\Mozilla\Firefox\Profiles\ehao72fs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - 
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 18:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\CLAUDE~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\drivers\audio\R214424\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-09-30 18:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 22:28
ComboFix2.txt 2009-09-29 01:07
ComboFix3.txt 2009-09-27 18:00
ComboFix4.txt 2009-09-10 15:29

Pre-Run: 206,688,657,408 bytes free
Post-Run: 206,656,454,656 bytes free

251 --- E O F --- 2009-09-27 16:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:11 PM, on 9/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (qsax Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7503 bytes
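
As an added illustration, not part of the thread and not a HijackThis feature: a small Python triage script that parses lines in the HijackThis log format shown above and lists the entry types a helper usually checks first (orphaned "(no file)" entries, O17 DNS server settings, O23 services with no recorded owner). The sample lines are re-typed from the posted log; the flag categories are this script's own assumption, not a verdict on any entry.

```python
import re

# Constructed sample in HijackThis log format, re-typed from a subset of the
# entries in the log above (not the full posted log).
SAMPLE_LOG = r"""
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every well-formed HijackThis entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Flag entries a reviewer would check by hand; nothing here is a verdict."""
    findings = []
    for section, body in parse_hjt(text):
        if body.endswith("(no file)"):
            # Registry entry pointing at a file that no longer exists: usually
            # an uninstall leftover, harmless but worth cleaning up.
            findings.append((section, "orphaned entry", body))
        elif section == "O17" and "NameServer" in body:
            # O17 lines hold the configured DNS servers; confirm they are the
            # ISP's or DHCP-assigned ones, since DNS changers show up here.
            servers = body.split("NameServer = ", 1)[1].split(",")
            findings.append((section, "verify DNS servers", servers))
        elif section == "O23" and "Unknown owner" in body:
            # Service with no publisher recorded: check the binary's path and
            # digital signature before trusting it.
            findings.append((section, "service with unknown owner", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(section, reason, detail)
```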


----------



## Cookiegal (Aug 27, 2003)

I'm sorry about the delay and wanted to let you know that I haven't forgotten you. I've had connection problems for several days and wasn't able to get on-line at all. It will probably take me a few days to catch up so I will post back here as soon as I can with further instructions.


----------



## Cjreef (Aug 21, 2009)

Thanks for letting me know. I was getting worried about you as others were too.


----------



## Cookiegal (Aug 27, 2003)

I don't see anything out of place there.

Have you heard anything back from the BitDefender people?


----------



## Cjreef (Aug 21, 2009)

I finally did today. I had not heard since 9/29 and sent them an email. They claim they replied to me 3 days ago. It's always possible that I deleted the message by mistake but find it hard to believe since I was really anxious to hear from them. By the way, they do advertise that they provide phone support but I could not find a phone number on their website. Any idea what it might be?

Anyway, they sent me a new file to download, save with the extension .zip, unzip and run. It picked up two files which I had to send to them zipped and password protected. I will let you know when I hear from them again.

The file they sent, if it means anything to you, was pdmp_crypted. The two files picked up were Datasafeonline.exe and sprtcmd.exe.


----------



## Cookiegal (Aug 27, 2003)

Those files both belong to Dell, one for their support tool and the other for on-line storage.

I have no idea of a phone number for them.


----------



## Cjreef (Aug 21, 2009)

Hello Cookiegal,

After complaining that it was taking an awful long time, I finally received a reply from Bit Defender. I am more confused than ever so I decided not to do anything until I get more information from them. I am very frustrated with BitDefender at this point. Here is what they wanted me to do and my response to them:

Thank you for your response. 

Could you please let me know what the problem is that we are trying to fix, that is, what you found out from the information that you requested and that I sent you. I am concerned that with the passage of so much time things might be getting a bit confused. 

You are instructing me to run the .bat file. The mbrfix folder contains 7 items of which 2 have the extension .exe and 4 .bat. The last one is FireFox documentation. 

Because of the above and the fact that the documentation warns that incorrect use of the program may cause loss of all data I will need more precise instructions. I am assuming I can ignore the 64 version and that I should run the MBRFIX.EXE program but that is neither of the .bat files and you want me to run a .bat file. I need to be sure. And, again, I would like to know what it is going to do to my computer because I don't understand how the MBR has anything to do with the message I get about the svchost application.

With thanks, Claude Poole.

-----Original Message-----
*From:* BitDefender Support Team [mailto:[email protected]]
*Sent:* Wednesday, October 28, 2009 1:12 PM
*To:* Claude Poole
*Subject:* Re: [Ticket ID:200909231009352] I need help with this screen


Dear Claude Poole,

Attached to this email you will find an archive "fixmbr.zip" containing the
utility used to restore the altered MBR.

Please download the attachment, disable the BitDefender real-time protection
and any other active security solutions, unpack the archive and run the .bat
file.

Once the process is completed enable the real-time protection.

~

[how to DISABLE THE REAL-TIME PROTECTION on version 2008]
In order to disable the Real-time protection please open BitDefender, select
"Settings", go to "Antivirus" > "Shield" and click on "Real-time protection is
enabled", select the time interval that suits your troubleshooting needs and
click "OK"; the message will change to "Real-time protection is disabled".
-----

[how to DISABLE THE REAL-TIME PROTECTION on version v10]
In order to disable the real-time protection please open BitDefender, go to
"Antivirus" > "Shield" and click on "Real-time protection is enabled"; this
message will change to "Real-time protection is disabled".
-----

If the situation persists or you require further assistance please do not
hesitate to contact us.
Best regards,

Cristian Raducu
BitDefender Technical Support Engineer


----------



## Cjreef (Aug 21, 2009)

BitDefender sent me an explanation:
"The virus injected itself into the Master Boot Record and the only way to
remove it is to restore the MBR.
The archive contains 4 bat files:
Look at the file name and run the one that fits your operating system:

fix32_vista.bat ->Vista 32 OS
fix32_w2k_xp.bat -> Windows 2000/Windows XP 32 OS

and the rest are for x64 OS which we can exclude.
Loss of data may occur if you don't run the proper bat file."

I clicked on the bat file for Windows XP. A black screen came on for a fraction of a second, disappeared, then nothing. 
I sent them another email, will let you know what happens.

If you have any ideas, please let me know, thank you.


----------



## Cjreef (Aug 21, 2009)

"I clicked on the bat file for Windows XP. A black screen came on for a fraction of a second, disappeared, then nothing."

Bit Defender says that's normal.

I will let you know if the problem is solved.

Thanks for all your help.


----------



## Cookiegal (Aug 27, 2003)

OK, thanks.


----------



## Cjreef (Aug 21, 2009)

Well, I haven't seen a warning screen for a month now, so I'm assuming that the problem is solved. I did get a blue screen once though.

While we were going through the solving process I accumulated a bunch of icons on my desktop and I'm not sure which ones I can safely delete.

Malwarebytes
Spyware Blaster
Rootkit unhooker
Puppy.exe
jdk-6u16-windoes
Shortcut to process explorer (no idea what that is)
Hijack this 
Spyware Blaster.

Thanks again for your help.


----------



## Cookiegal (Aug 27, 2003)

I suggest keeping these:

Malwarebytes
Spyware Blaster

You can delete these by dragging them to the recycle bin:

jdk-6u16-windoes
Shortcut to process explorer
Rootkit unhooker

Delete HijackThis via the Control Panel - Add/Remove programs.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

*Read here* for info on how to tighten your security.


----------

