# I think I've come across a virus... am I safe? (screenshots and URLs included)



## hewwo2u2 (Jan 10, 2009)

I was surfing on myspace when all of the sudden a random screen came up that claimed to be some antivirus program that would perform a free scan.

*(see popup 1.jpg)* -- this popup claimed to be coming from antimalwarescanner.com

I did NOT click OK. I attempted to close it but it immediately brought me to another screen that said it was running an online scan on my computer which actually looked almost real. It then said I had a LOT of malware (hundreds of trojans) and a new popup came up asking me to download 'antivirus 360'.

*(see popup 2.jpg)* -- this image is a screenshot of the "scanning" screen + the second popup. I attempted to exit this popup as well and then a new popup that appeared to be from Windows Security came up telling me to clean my files.

*(see windows security popup 3.jpg)*

After attempting to exit this one, _another_ popup came up asking me to please install the antivirus program _again_.

*(see popup 4.jpg)*

When I clicked the 'x' of this screen, a new popup came up saying I had chosen to open the file, and asking me if I would like to save it! The file it wanted me to save was called *installAVg_77024201.exe*

*(see popup 5.jpg)*

Of course, I attempted to close this window as well, and yet another popup came up this time warning me not to close the window!

*(see popup 6.jpg)*

Then popups 5, 6, and 7 continued to reappear. I kept trying to exit but a new popup kept coming up saying how harmful the viruses are. I couldn't exit it and I couldn't close the browser. Then I lost internet connection so I just restarted the computer. I went to my history to see if it would show me where these popups were coming from and this was how I was able to get screenshots of the popups as well.

*(see browsing history.jpg)*

I'm almost positive this was some sort of a virus. I didn't download anything, but it did run whatever it was running and it did somehow get on my screen so it makes me very nervous that there could be something on my computer.

I performed a full scan of AVG (the real one) and MBAM. Both said there was nothing found on my system; however, AVG did show some files that it said it "changed". I'm curious as to why it said no threats were found and yet there are some files located under the "virus results" tab?

*(see AVGresults.jpg)*

Does anyone think these are relevant to what happened or are they unrelated?

And is anyone familiar with this file? *installAVg_77024201.exe* ? What else should I do to make sure my computer is safe and was not affected by whatever this was?

Please note the URL addresses in all of these pictures.

**I will upload the last 3 images in the next post.**


----------



## hewwo2u2 (Jan 10, 2009)

last 3 images


----------



## dvk01 (Dec 14, 2002)

*Please read and follow all these instructions very carefully*
Download ComboFix from *Here* to your Desktop.

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* _before_ performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause _"unpredictable results"_ or stop ComboFix running at all.
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again after ComboFix has finished.*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *combofix.exe* & follow the prompts. If you are using Windows XP it might display a pop-up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *HERE* why we disable autoruns.

*Please do not install any new programs or update anything unless told to do so while we are fixing your problem. *


----------



## hewwo2u2 (Jan 10, 2009)

OK, I will do this, but can you please promise me that I will be able to remove this once I download it? I am very wary of downloading new things now since I recently downloaded something on here when my computer ended up not needing it to begin with, and now I am unable to completely remove it.

Please keep in mind that I did _not_ download the file that the popup asked me to download. Do you recognize this "thing" that happened? Is it necessary that I download another program to my computer or is this just the protocol for everyone that posts in this forum? Do you think it has done something to my computer even though I did not download it?


----------



## hewwo2u2 (Jan 10, 2009)

Also, I read via your link why you disable autorun of external hardware. I would like to know, is there a way to find out if your usb flash drive or external harddrive is infected without infecting the computer?


----------
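The question above, how to tell whether a flash drive or external disk is carrying something without letting it run, is not answered anywhere in the thread. The Python script below is an added example, not code from the thread or from any of the tools it mentions. It does what an analyst does with a suspect drive: read the root's `autorun.inf` as plain text, list the keys that would cause execution when AutoRun fires (`open`, `shellexecute`, and `shell\<verb>\command`; `icon`, `label` and `action` only change what AutoPlay shows), and check whether the file each one points at is actually on the drive, without ever launching it. The sample `autorun.inf`, the `RECYCLER` folder and the file name `setup.exe` are constructed for the example and stand in for a real drive root; the ComboFix log later in the thread lists `D:\Autorun.inf` among its deletions, which is the same file this script inspects.

```python
import os
import re
import shutil
import tempfile

# Constructed autorun.inf in the shape removable-media worms used: every launch
# key points at a payload hidden in a RECYCLER folder. Not from the poster's drive.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample for the example, not a real infection
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\Open\\command=RECYCLER\\setup.exe
shell\\Open=&Open
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""

# Keys whose value is run (or handed to ShellExecute) when AutoRun fires:
# open, shellexecute, and shell\<verb>\command. icon, label and action only
# change what AutoPlay displays.
LAUNCH_KEY_RE = re.compile(r"^(?:open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(text):
    """Minimal INI reader for autorun.inf: {key: value} of the [autorun] section.
    Hand-written instead of configparser because infected files use odd casing,
    duplicate keys and junk lines; keys are lower-cased, first occurrence kept."""
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys.setdefault(key.strip().lower(), value.strip())
    return keys


def launch_targets(keys):
    """(key, command) pairs that would cause execution."""
    return [(k, v) for k, v in keys.items() if LAUNCH_KEY_RE.match(k)]


def executable_of(command):
    """Program part of a command line: the quoted token or the first bare token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def inspect_drive_root(root):
    """Read <root>/autorun.inf if present and report what it would launch and
    whether each referenced file is on the drive. Nothing is executed."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun_inf": False, "targets": []}
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        keys = parse_autorun(fh.read())
    targets = []
    for key, command in launch_targets(keys):
        rel = executable_of(command).replace("\\", os.sep)
        full = rel if os.path.isabs(rel) else os.path.join(root, rel)
        targets.append({"key": key, "command": command,
                        "exists_on_drive": os.path.isfile(full)})
    return {"autorun_inf": True, "targets": targets}


def build_demo_drive():
    """Stand-in for a USB stick's root: a temp dir holding SAMPLE_AUTORUN and the
    file it points at (two placeholder bytes, never run). Caller cleans up."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    os.mkdir(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "setup.exe"), "wb") as fh:
        fh.write(b"MZ")
    return root


def cleanup_demo_drive(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    demo = len(sys.argv) < 2
    root = build_demo_drive() if demo else sys.argv[1]
    report = inspect_drive_root(root)
    if not report["autorun_inf"]:
        print(f"{root}: no autorun.inf")
    for t in report["targets"]:
        print(f'{t["key"]:<22} -> {t["command"]}  (present on drive: {t["exists_on_drive"]})')
    if demo:
        cleanup_demo_drive(root)
```

Run it with no arguments to see the constructed sample, or point it at a mounted drive root (for example `E:\` on Windows) with autorun already disabled, as ComboFix leaves it, so that plugging the drive in cannot launch anything in the first place. A missing `autorun.inf` does not make the drive clean; it only removes the launch vector, so the files themselves still need a scan with the antivirus already installed.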



## dvk01 (Dec 14, 2002)

I can't tell if it installed anything on your computer or was just pop-ups.

It installs using exploits on the computer when you aren't fully updated.

In view of your other problems, unless you are having any pop-ups, diverts or anything else wrong, forget all about it.


----------



## hewwo2u2 (Jan 10, 2009)

dvk01 said:


> I can't tell if it installed anything on your computer or was just pop-ups.
> 
> It installs using exploits on the computer when you aren't fully updated.
> 
> In view of your other problems, unless you are having any pop-ups, diverts or anything else wrong, forget all about it.


Does this mean you do not want me to download this Combofix program? I will do it if you recommend that I do it anyway.

Did you look at my screenshot of what AVG came up with? What were the things that it said it "changed"? Do you think they were related to this?


----------



## dvk01 (Dec 14, 2002)

No, I don't want you to install it & I no longer wish to help.

I feel it would be difficult to help you.


----------



## hewwo2u2 (Jan 10, 2009)

_ouch_. I just realized you were one of the people who posted in my other thread where I was concerned as to whether or not a program I downloaded was fully removed. I suppose things can be taken in wrong ways when typing on a computer rather than speaking in person. In hopes to clarify, I never meant to step on any toes when expressing my concerns. I will be the first to say that I am very much a beginner when it comes to these things and in that sense, it probably is pretty difficult to help me as I _do_ need step-by-step guidance with many things. I hope that you understand that my questions are not meant to second guess your knowledge/experience in the subject. They are meant only to help me better understand what has happened and what I am doing about it.

I am re-reading my post, trying to understand what I said to offend you. Perhaps it was where I asked if it was really necessary for me to download another program? Please understand that I did not mean this in a sarcastic way although I am sure it can be read that way. I was asking if this was the routine procedure for all people who post or if it was specific to my problem. I wanted to know what the difference between it and MBAM or AVG were so that I could know why it was needed over the other programs. I had every intention of downloading it in order for you to see what you need to see, but I wanted to make sure I would be able to remove it without trouble when I was finished.

If this was not what upset you, and rather it was my questions that caused you to feel it would be difficult to help me, then I suppose you made the right decision. As I said before I do not know very much at all about this. This is the only computer I own and I have to make it last as long as possible as I do not have the resources to buy a new one or even to fix it. I ask questions because I want to know and understand what is going on and why I am doing the things that I'm told to do.

So again, I apologize if I offended you (or anyone else for that matter), as this was not my intention.


----------



## Cookiegal (Aug 27, 2003)

Part of the problem is that you have started 6 threads in 7 days, including 3 new ones yesterday alone, and it's getting very confusing and wasting time with members repeating the same thing in various threads.

In view of the significant number of problems you have and your reluctance to follow instructions, I think the best thing for you to do would be to back up your important data such as documents, photos, music etc. to external media and reformat this machine. Then only load programs that you will need and use. In my opinion, it's the only way you're ever going to be happy with the result.


----------



## hewwo2u2 (Jan 10, 2009)

I'm sorry as this is definitely off topic, but I cannot help but be defensive here. I don't see where you get that I have started 6 new threads in 7 days? If by repeating you are talking about the thread I posted about not being able to delete GMER, I posted the new thread because the original issue came up in a completely irrelevant thread discussing which anti-malware software was the best. I even remember saying in that thread that I was going to start a new thread asking others to help me with the issue. The repeat of that thread that I posted in another forum was done before I knew it was against the rules, and I apologize for this; however, it was locked immediately so I don't see how that could have caused any confusion. I posted one new thread *2* days ago, and that is this one, and my other threads have nothing to do with this one whatsoever. So unless there is someone else on here with my name, I do not know how you figured that I had started 3 new threads yesterday as I did not even start 1 yesterday.

In regards to my happiness, I am very happy with the amount of help I have received with my other issues. I do not understand where the hostility is coming from here and again I apologize if I stepped on any toes. I do not feel that I am refraining from following directions. I was going to download and install this program that was previously discussed, I just wanted to be reassured that I would be able to remove it completely. I have done my best to keep up with all instructions given to me, and I apologize if I ask questions because I want to know _why_ I'm doing what I'm doing. I did not ask you to come here to gang up on me. I simply wanted your input on the problem described in the original post. I am not a big fan of drama and would prefer if someone would accept my apology and reconsider the issue, but it seems that this is almost impossible in this forum.


----------



## hewwo2u2 (Jan 10, 2009)

So if anyone would be willing to reconsider helping me, I currently have installed AVG free, spybot, and MBAM. I will install combofix, hjt, or whatever else if needed in order to be sure my system is not infected.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry I did read the dates that the threads were started incorrectly and I do apologize for that. But you did start three threads in January and three in February and all were still active in February so that is a lot. 

We are not trying to be hostile, we are trying to help you, but it's difficult to keep up with you. I understand you have questions but if we ask you to download a program, we are not doing it for fun. We have a backlog of people waiting for help and not enough time to get to them all. The reports generated take time to analyze and then we have to prepare the proper fix if there is infection. You are also asking for guarantees that we can't give. Yes, sometimes programs don't uninstall properly. The same happens with anti-virus programs like Norton, etc. A lot depends on the state of your system and many other possible factors. But most of the time, they do uninstall properly. In any event, we can usually uninstall them manually and even if a file or a registry entry lingers, it won't do any harm to your system.


----------



## Cookiegal (Aug 27, 2003)

If you wish to continue, I would like you to post a new HijackThis log please.


----------



## hewwo2u2 (Jan 10, 2009)

I understand, and I promise I will try my hardest not to be so difficult. I appreciate your willingness to give me a second chance 

HijackThis will be posted shortly


----------



## hewwo2u2 (Jan 10, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:15 PM, on 2/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Users\Jessica\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6456
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7225 bytes


----------



## Cookiegal (Aug 27, 2003)

The log looks fine but there are many things that don't show in a HijackThis log and we won't know for sure unless you run ComboFix, as suggested by dvk01. If you are willing then please follow his instructions and post the log.


----------
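Reading a HijackThis log by hand, as the volunteers in this thread do, means scanning each entry type for the few things that matter: BHOs (O2) with no file on disk, autostarts (O4) launched from user-writable folders such as AppData or Temp, hosts-file entries (O1) that point a name anywhere other than localhost, ActiveX download points (O16), and services (O23) whose binary lives outside Program Files or Windows. The Python script below is an added example of that triage; it is not part of the thread and not part of HijackThis. It runs over lines copied from the log posted above plus three constructed entries at the end of the sample (the hostname `update.example-av.test`, `updater.exe` in Temp, and `svc.exe` under Users\Public are made up) to show what a hit looks like. The rules are a heuristic, not a verdict: the Google Update entry it flags is legitimate software that installs per-user, and Cookiegal's point that a clean log proves little still stands.

```python
import re
from collections import namedtuple

# Entries copied from the HijackThis log posted above. The last three lines are
# constructed for the example and do not come from the poster's machine.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [Google Update] "C:\\Users\\Jessica\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O23 - Service: LVCOMSer - Logitech Inc. - C:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe
O1 - Hosts: 127.0.0.1 update.example-av.test
O4 - HKCU\\..\\Run: [updater] C:\\Users\\Jessica\\AppData\\Local\\Temp\\updater.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\\Users\\Public\\svc.exe
"""

Finding = namedtuple("Finding", "kind reason detail")

# "O4 - <body>", "R1 - <body>", ... ; header and process-list lines do not match
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# first filesystem path ending in a loadable extension; accepts quotes,
# 8.3 names (PROGRA~1) and %ProgramFiles%-style variables
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z]+%)\\[^"\r\n]*?\.(?:exe|dll|sys|cpl|ax|ocx)\b', re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData|Recycler)\\", re.I)
SYSTEM_ROOT_RE = re.compile(r"^(?:[A-Za-z]:\\(?:Program Files|PROGRA~1|Windows)|%ProgramFiles%)\\", re.I)


def parse_hjt(text):
    """Return (kind, body) for every entry line of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def first_path(body):
    """First executable/DLL path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(entries):
    """Apply the hand-review heuristics and return a list of Finding."""
    findings = []
    for kind, body in entries:
        if kind == "O1":
            # Hosts: <address> <name>; anything but localhost deserves a look
            fields = body.split(":", 1)[1].split()
            if len(fields) >= 2 and fields[1].lower() != "localhost":
                findings.append(Finding(kind, "hosts-file override", " ".join(fields[:2])))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding(kind, "orphaned BHO (no file on disk)", body))
        elif kind == "O16":
            url = re.search(r"https?://\S+", body)
            findings.append(Finding(kind, "ActiveX download point", url.group(0) if url else body))
        if kind in ("O2", "O4", "O20", "O23"):
            path = first_path(body)
            if path is None:
                continue
            if USER_WRITABLE_RE.search(path):
                findings.append(Finding(kind, "autostart from user-writable location", path))
            elif kind == "O23" and not SYSTEM_ROOT_RE.match(path):
                findings.append(Finding(kind, "service binary outside Program Files/Windows", path))
    return findings


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage_log(text):
        print(f"{f.kind:<4} {f.reason:<45} {f.detail}")
```

Run with no arguments to see the sample, or `python hjt_triage.py hijackthis.log` against a saved log. Every hit is a lead to check (is the file signed, does the vendor make sense, does the hostname belong to an antivirus update server), not a removal instruction.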



## hewwo2u2 (Jan 10, 2009)

Hey again, excuse me for the delay, I haven't been on the internet for a few days. I will do this and post a log.


----------



## hewwo2u2 (Jan 10, 2009)

I am having difficulty disabling my AVG free edition. I went to the "resident shield" and clicked to uncheck the resident shield protection. Then I clicked "apply" and "ok". I then went to run combofix and it said that my real time scan was still running and that combofix would run anyway but to note that this was "at my own risk". I went back to the resident shield and it said the checkbox was still checked! I went through the steps to disable it 3 more times and it keeps re-checking itself.
What do I need to do?


----------



## Cookiegal (Aug 27, 2003)

Try disconnecting from the Internet and disabling your anti-virus program completely then run ComboFix. Be sure to re-activate it before going back on-line.


----------



## hewwo2u2 (Jan 10, 2009)

I do not know how to disable it completely. Any tips? The only antivirus program I have is AVG free.


----------



## hewwo2u2 (Jan 10, 2009)

I feel like I have tried everything. I have downloaded and installed combofix but I cannot disable AVG free 7.5.


----------



## Cookiegal (Aug 27, 2003)

I think up until now you've just been disabling the resident shield, correct? If you right-click on AVG in the task bar, there should be an option to either disable it or close it so it's not running. I don't have it so I can't check that. Do you see an option like that?


----------



## Cookiegal (Aug 27, 2003)

Another option that could work would be to disconnect from the Internet and go to Start - Run - msconfig - click OK and click on the startup tab. Uncheck the following AVG process:

*avgcc*

Click Apply and OK.

Then open the Task Manager (Ctrl-Alt-Del) and end task on the avgcc.exe process.

But you will have to go back and check it again and reboot before going back on-line so it starts up.


----------



## hewwo2u2 (Jan 10, 2009)

I right-clicked and it said I could "close AVG control panel". I did this, but I believe it is still running; I just don't have the icon in my system tray.


----------



## hewwo2u2 (Jan 10, 2009)

I am going to try the other option you gave me now.

do you have any idea why it won't allow me to turn off the resident shield? That was pretty annoying with it re-checking the option on its own every time I un-ticked it.


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> I am going to try the other option you gave me now.
> 
> do you have any idea why it won't allow me to turn off the resident shield? That was pretty annoying with it re-checking the option on its own every time I un-ticked it.


I honestly don't know. It could be something built into the program to protect you from it getting turned off.


----------



## hewwo2u2 (Jan 10, 2009)

Hey, I'm back. I disconnected from the Internet, ran msconfig and unchecked "AVG anti virus" under the startup tab (note there was no avgcc).

Then I went to task manager and did not find avgcc.exe in the processes either. I tried running combofix and it said AVG 7.5 was still running.
Task manager does have all of the other AVG services though (resident shield, email scanner, manager server, and update service). These are also checked in my services under msconfig as well. Do you want me to try disabling these? If so, do you want me to do it in task manager or in msconfig, or both?


----------



## hewwo2u2 (Jan 10, 2009)

I went ahead and disabled the resident shield in the task manager and also disabled the AVG control center because I figured that would be avgcc. Then I tried to run combofix again but nothing happened. Is something supposed to come up on the screen or is it supposed to look like nothing is happening?


----------



## Cookiegal (Aug 27, 2003)

You should see a DOS type screen while it's running through its steps.

Let's leave ComboFix for now and try this tool instead:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. Be sure you are disconnected from the Internet before disabling them and remember to re-enable them before going back on-line. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.


----------



## hewwo2u2 (Jan 10, 2009)

Ok I disabled everything that said AVG in it in my task manager, and that appeared to be sufficient for Combofix. It ran and I will post the log right now.


----------



## hewwo2u2 (Jan 10, 2009)

Oops, I just got on here to say that and just saw that you had replied to the post. :/ Sorry! I have the ComboFix log now. Do you still want me to do this SDFix as well?


----------



## Cookiegal (Aug 27, 2003)

You can post the ComboFix log first and then we'll see if it's necessary. It was only because you couldn't run ComboFix.


----------



## hewwo2u2 (Jan 10, 2009)

ComboFix 09-02-21.01 - Jessica 2009-02-22 19:37:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.291 [GMT -5:00]
Running from: c:\users\Jessica\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-18 18:27 . 2008-12-04 23:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-18 18:27 . 2008-12-04 23:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-18 18:27 . 2008-12-04 23:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-18 18:27 . 2008-12-04 23:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-18 18:27 . 2008-12-04 23:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-10 20:52 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 20:52 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-07 15:13 . 2008-06-19 20:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-07 15:13 . 2008-06-19 20:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-07 15:13 . 2008-06-19 20:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-07 15:13 . 2008-06-19 20:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-07 15:13 . 2008-06-19 20:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-07 15:13 . 2008-06-19 20:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-07 15:13 . 2008-06-19 20:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-07 15:13 . 2008-06-19 20:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-07 14:58 . 2008-07-27 13:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-07 14:58 . 2008-07-27 13:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-07 14:58 . 2008-07-27 13:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-07 14:57 . 2008-07-27 13:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-07 14:57 . 2008-07-27 13:03 83,968 --a------ c:\windows\System32\mscories.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 17:08 8,240 ----a-w c:\users\Jessica\AppData\Roaming\wklnhst.dat
2009-02-16 21:27 --------- d-----w c:\users\Jessica\AppData\Roaming\AVG7
2009-02-16 01:03 --------- d-----w c:\program files\Trend Micro
2009-02-15 05:31 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-15 04:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 15:19  38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-11 08:02 --------- d-----w c:\programdata\Microsoft Help
2009-02-11 08:01 --------- d-----w c:\program files\Windows Mail
2009-02-09 05:07 --------- d-----w c:\programdata\avg7
2009-02-07 20:43 --------- d-----w c:\programdata\Lavasoft
2009-02-07 20:41 --------- d-----w c:\program files\Lavasoft
2009-01-21 06:29 --------- d-----w c:\users\Jessica\AppData\Roaming\Malwarebytes
2009-01-21 06:28 --------- d-----w c:\programdata\Malwarebytes
2009-01-21 06:17 --------- d-----w c:\programdata\Viewpoint
2009-01-21 06:17 --------- d-----w c:\program files\Viewpoint
2009-01-10 19:38 --------- d-----w c:\users\Jessica\AppData\Roaming\CyberLink
2009-01-10 19:38 --------- d-----w c:\programdata\CyberLink
2009-01-09 18:40 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-01-09 18:40 --------- d-----w c:\program files\Java
2008-09-24 18:48 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-03 219136]

c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-06-12 20:57 9216 c:\windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-16 13:23 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{214B1DC9-DB3B-45BA-A105-11084AE74B1C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{70799C91-14B5-489D-B946-378160CE00A4}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B3D3279E-7556-41C6-9650-63B0BB6D3F48}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4B1E698F-7EA4-421F-8FDA-7075D4EA8883}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{14190B57-2EEA-47B7-9971-06D1478A239E}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2F202BA2-ADCD-44ED-9F96-8CB67AFBD7A5}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E4E94A94-2351-4DD9-B55F-B6FFFF87B055}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8D511714-8FED-49A2-8F6A-09B7FA453FB2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3FAD7418-79DF-46F8-ADD7-51C2469F84B6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BE124A08-7C7A-4914-9AA0-5EE44AE5FF66}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5C64036E-F7F2-44E5-822B-9B66EBA9A236}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AFFBA27C-307F-472E-AA6E-622BF42C8A83}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3CA76EBB-D8ED-40BC-AE5E-C7C56B0EFEE7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{45F206FC-2162-4E7B-B0E5-AE21942F3072}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{8E92414B-8D9B-4C13-9C1D-37DE24BA2E09}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{C489BDA6-5B6B-4743-913D-9530BF352D4D}c:\\program files\\tencent\\qq games\\qqgames.exe"= UDP:c:\program files\tencent\qq games\qqgames.exe:QQ Games
"UDP Query User{B0D497DA-980E-4E76-96BB-0CA3A7099170}c:\\program files\\tencent\\qq games\\qqgames.exe"= TCP:c:\program files\tencent\qq games\qqgames.exe:QQ Games

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-09-16 1153368]
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\System32\drivers\avgwfp.sys [2007-06-12 53768]
R3 MRVW147;Marvell TOPDOG (TM) 802.11bgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\System32\drivers\MRVW147.sys [2008-08-20 529408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1052193883-4255686519-1956554137-1000.job
- c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 00:27]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\c6339f51.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
1 file(s) moved.
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Jessica\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\Jessica\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 19:42:45
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-22 19:45:58
ComboFix-quarantined-files.txt 2009-02-23 00:45:56

Pre-Run: 98,189,881,344 bytes free
Post-Run: 98,187,591,680 bytes free

153 --- E O F --- 2009-02-22 01:46:21


----------



## hewwo2u2 (Jan 10, 2009)

running new HJT log now


----------



## hewwo2u2 (Jan 10, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:24 PM, on 2/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5756 bytes
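A small parser and review pass over HijackThis O2/O4/O23 lines of the shape shown in the log above, added here as an example; it is not HijackThis code and not anything posted in this thread. The sample log is constructed: the "Updater" and "Helper Service" lines are made up to exercise the checks, and the user-profile heuristic is a prompt for a closer look rather than a verdict (Google Update legitimately runs from AppData, as in the real log).

```python
"""Parse HijackThis 2.0.2 log lines (O2 BHOs, O4 Run entries, O23 services)
and flag the entries a helper would usually look at first.

Added example; not HijackThis code. The sample log below is constructed to
mirror the line shapes of the posted log; the 'Updater' and 'Helper Service'
lines are made up so that the checks have something to find.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log (raw string, so the Windows paths keep their
# single backslashes). Lines that are not O2/O4/O23 are ignored by the parser.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Updater] C:\Users\Jessica\AppData\Roaming\tmp\updater.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Helper Service (HelperSvc) - Unknown owner - C:\Users\Jessica\AppData\Local\Temp\helper.exe
"""

# Line shapes: "O2 - BHO: <name> - {CLSID} - <path>",
#              "O4 - <hive>\..\Run: [<value name>] <command line>",
#              "O23 - Service: <display name> - <vendor> - <path>".
# Non-greedy name/vendor groups let a path that itself contains " - "
# (e.g. "Spybot - Search & Destroy") land in the path group.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")

NO_FILE = "(no file)"
# Directories a normal installer does not use for autostart binaries.
USER_DIR_MARKERS = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\")

REASON_ORPHAN = "orphaned entry: the referenced file no longer exists"
REASON_USER_DIR = "runs from a user-profile directory rather than Program Files or Windows"
REASON_NO_VENDOR = "service has no vendor string"


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4" or "O23"
    name: str     # BHO name, Run value name, or service display name
    path: str     # executable/DLL path, or "(no file)"
    detail: str   # CLSID, registry hive, or service vendor


def _exe_from_command(cmd: str) -> str:
    """Strip arguments from an O4 command line, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd
    # Unquoted paths may contain spaces; cut after the first binary extension.
    m = re.match(r"(.*?\.(?:exe|dll|sys|cpl|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_log(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], _exe_from_command(m["cmd"]), m["hive"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["vendor"]))
    return entries


def review(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for entries worth a closer look."""
    findings: list[tuple[str, str]] = []
    for e in entries:
        if e.path == NO_FILE:
            findings.append((e.name, REASON_ORPHAN))
            continue
        lowered = e.path.lower()
        if any(marker in lowered for marker in USER_DIR_MARKERS):
            findings.append((e.name, REASON_USER_DIR))
        if e.section == "O23" and e.detail.lower() == "unknown owner":
            findings.append((e.name, REASON_NO_VENDOR))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```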


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## hewwo2u2 (Jan 10, 2009)

Can you please tell me how to re-enable my autorun? I don't use this for my flash drive or external hard drive, but I believe I do use this for my webcam and digital camera.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal said:


> Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


OK, one moment.


----------



## hewwo2u2 (Jan 10, 2009)

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Apple Software Update
ATI Uninstaller
AVG 7.5
BigFix
Browser Address Error Redirector
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Gateway Recovery Center Installer


----------



## hewwo2u2 (Jan 10, 2009)

I am going to get off the computer for the night. I have a test in the morning and I need to study for it. I will check back tomorrow to see if there are anymore steps you need for me to take.

As expected, I do have a couple of questions about the ComboFix. I noticed it said something about "qq games". I installed this months ago with AIM and have since then attempted to uninstall it, but it appeared to uninstall the first time so I tried again. Can you tell from the log if this is still somewhere on my computer?

I was also wondering if you could tell me what the deal is about the free bytes? It says

Pre-Run: 98,189,881,344 bytes free
Post-Run: 98,187,591,680 bytes free 

Why are there less bytes free post run than pre-run? 

Thanks in advance


----------



## Cookiegal (Aug 27, 2003)

It doesn't look like you posted the entire uninstall list. You must have programs whose names start with letters after "G".

The difference in bytes free is because ComboFix creates folders and backups. This will all be removed when we uninstall ComboFix.

I'll attach a zipped file to restore the autoruns. Save it to your desktop. Unzip (extract) it and double click the .reg file it contains and allow it to merge into the registry.


----------



## hewwo2u2 (Jan 10, 2009)

Hey, I just got back on to see if you replied. I will try the HJT again to see if I didn't get it all. I can't save your attachment though... it says "attachment blocked".


----------



## hewwo2u2 (Jan 10, 2009)

That's weird, because the saved list really was that short. I opened HJT and re-saved the list, and now it is complete as far as I can tell.


----------



## hewwo2u2 (Jan 10, 2009)

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Apple Software Update
ATI Uninstaller
AVG 7.5
BigFix
Browser Address Error Redirector
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Gateway Recovery Center Installer
Google Talk Plugin
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart Essential 2.01
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Kodak DIGITAL GEM Airbrush Professional Plug-In 1.0.1
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Marvell(R) Wireless Card Software Package
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Money 2006
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
PDF Settings
Pet Vet 3D Animal Hospital
Power2Go 5.0
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
SigmaTel Audio
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959634)
Windows Media Player Firefox Plugin


----------



## Cookiegal (Aug 27, 2003)

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 12*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 12 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

These are the older versions of Java that should be uninstalled:

Java(TM) 6 Update 11
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6


----------



## hewwo2u2 (Jan 10, 2009)

There are a lot of options listed on this site. Could you please tell me which one to select?

Also, the attachments you posted in an earlier post were blocked. Could you please tell me how to get to them?

thanks


----------



## Cookiegal (Aug 27, 2003)

It's the first one and it says:

*JRE 6 Update 12*

Also, it seems the attachment problem has been fixed so can you please try it again now?


----------



## hewwo2u2 (Jan 10, 2009)

OK, the old Javas have been uninstalled and the new one has been installed.

The attachment works now, thanks.
Now that it says it added it to my registry, do I still need to keep the files, or is it safe to delete them?


----------



## Cookiegal (Aug 27, 2003)

You can delete those files.

Are there any problems remaining?


----------



## hewwo2u2 (Jan 10, 2009)

I mainly wanted to make sure my computer wasn't affected by those popups that I originally posted about, but I do have a few other concerns I'd like to ask about.

I would like to know if you can tell from that log whether or not QQgames has been completely deleted or not, and if not could you tell me how to properly get rid of it?

Also, when I opened my browser today I got a popup that said a new add-on called Microsoft .NET Framework Assistant 1.1 had been installed. I never gave it permission to be installed, and I don't know what "ClickOnce" support is. Do you know what this .NET thing is and how I can get rid of it if I don't need it?

I also wanted to tell you that under my control panel there is an icon that looks like a blank sheet of paper that says "Viewpoint Manager". If I click on it a popup says "Application not found", but it won't let me delete it. I'm not sure what to do about this... Should I be able to delete this? If so, how?

And finally, could you please tell me what these files are that AVG detected and changed? When I ran the virus scan it said my system was clean, and yet these files appeared under the virus results tab. I uploaded a screenshot of the files it said it changed.
Could you also tell me whether, in your opinion, I should upgrade to AVG Free 8? I tried to look up what people have said, and some people hate it and have found a lot of flaws in it, while others have said I should definitely upgrade. I was wondering what you thought.


----------



## Cookiegal (Aug 27, 2003)

> I would like to know if you can tell from that log whether or not QQgames has been completely deleted or not, and if not could you tell me how to properly get rid of it?


If you still have this folder you can delete it. That's likely all that remains:

c:\program files\*tencent*


> also, when I opened my browser today I got a popup that said a new add-on called Microsoft.NET Framework Assistant 1.1 has been installed. I never gave it permission to be installed, and I don't know what "ClickOnce" support is. Do you know what this .NET thing is and how I can get rid of it if I don't need it?


That's a Firefox add-on that Microsoft force-fed during an update. ClickOnce Support belongs to that. Here's information on .NET Framework, which comes installed on Vista.

http://en.wikipedia.org/wiki/.NET_Framework


> I also wanted to tell you that under my control panel there is an icon that looks like a blank sheet of paper that says "viewpoint Manager". If I click on it a popup says "Application not found", but it won't let me delete it. I'm not sure what to do about this...Should I be able to delete this? if so, how?


When you say Control Panel, you mean under Add or Remove Programs, correct?


> and finally, could you please tell me what these files are that AVG detected and changed? When I ran the virus scan it said my system was clean, and yet these files appeared under the virus results tab. I uploaded a screen shot of the files it said it changed.


It is normal for those files to change when downloading MS updates. AVG will drive you crazy with those.

I would uninstall AVG and get Avast! which is a much better program.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal said:


> If you still have this folder you can delete it. That's likely all that remains:
> 
> c:\program files\*tencent*


Wow, I still have this folder! Inside the folder there is an uninstall icon. I have run this uninstall several times from my start list and then deleted the folder from there. I went to "My Computer" and found the tencent folder again! Will just deleting this folder remove everything, or do I need to figure out how to get the uninstall to work properly? (QQgames does not show up in my Add/Remove Programs list.)



Cookiegal said:


> that's a Firefox add-on that Microsoft force fed during an update. ClickOnce Support belongs to that. Here's information on .NET Framework that comes installed on Vista.
> 
> http://en.wikipedia.org/wiki/.NET_Framework


I read the article but it was a little over my head. It's a little unsettling that this clickonce thing gets downloaded without our permission. Is it something I need to keep or should I get rid of it?



Cookiegal said:


> When you say Control Panel, you mean under Add or Remove Programs, correct?


No, I removed all the Viewpoint stuff from Add or Remove Programs a while back when you told me to do it. What I'm seeing now is this icon in my control panel under "classic view". I had my boyfriend remove Viewpoint from his Add/Remove Programs list, and this icon in his control panel is gone. I cannot delete the one in mine though. It's frustrating. It seems my computer does not want me to remove anything! Do you know anything about this useless icon?



Cookiegal said:


> I would uninstall AVG and get Avast! which is a much better program.


I will do this right now. I only had AVG because someone had told me it was the better one, but I think you would know better.


----------



## hewwo2u2 (Jan 10, 2009)

Wait, is it okay for me to go ahead and install Avast!?



dvk01 said:


> *Please do not install any new programs or update anything unless told to do so while we are fixing your problem. *


Also, I forgot to mention that with my Windows updates it has also been periodically updating some sort of Windows anti-spyware or antivirus program called Windows Defender. How good is this, and is it okay to have both this and my free AV software? I'm asking because I remember someone once telling me not to have two AV programs on my computer at once.


----------



## hewwo2u2 (Jan 10, 2009)

So is my computer clean? If so, is there a particular way that I need to remove the program?


----------



## Cookiegal (Aug 27, 2003)

> Wow-I still have this folder! Inside the folder there is an uninstall icon. I have run this uninstall several times from my start list and then deleted the folder from there. I went to "my computer" and found the tencent file again! Will just deleting this file remove everything or do I need to figure out how to get the uninstall to work properly? (QQgames does not show up in my add/remove programs list)


Since you've run the uninstaller and there are no entries in Add/Remove programs, you should just be able to delete that folder: C:\Program Files\*Tencent*


> I read the article but it was a little over my head. It's a little unsettling that this clickonce thing gets downloaded without our permission. Is it something I need to keep or should I get rid of it?


I can't answer that for you. It comes preloaded, so I don't see what harm it's doing.



> No, I removed all the viewpoint stuff from add or remove programs a while back when you told me to do it. What I'm seeing now is this icon in my control panel under "classic view". I had my boyfriend remove viewpoint from his add/remove programs list and this icon in his control panel is gone. I cannot delete the one in mine though. It's frustrating. It seems my computer does not want for me to remove anything! Do you know anything about this useless icon?


Right-click the icon in question and choose Create Shortcut.

When you get the following message, reply Yes:

"Windows cannot create a shortcut here.
Do you want the shortcut to be placed on the desktop instead?"

Right-click the shortcut on the desktop and choose Properties.

Click the Change Icon button and let me know the file name you see (it should have a .cpl extension).

Also, yes, please go ahead and uninstall AVG and install Avast!


----------



## hewwo2u2 (Jan 10, 2009)

I just saw when deleting the tencent folder that there is a Viewpoint folder in my Programs list. I clicked it and there is a folder called Viewpoint Experience Technology with some other folders and files in it. There are no Viewpoint programs under Add or Remove Programs. Will simply deleting the folders get rid of it, or is there something else I need to do?

as for the weird icon, I did what you said and when I clicked change icon, it said "windows cannot find the file C:\Program Files\View Point\Common\Viewmgr.exe"


----------



## Cookiegal (Aug 27, 2003)

Yes, delete the entire Viewpoint folder then reboot and see if that icon is still there please.


----------



## hewwo2u2 (Jan 10, 2009)

Hey Cookiegal, We had snow (which is not very common in SC) and so the power lines aren't built to withstand it. I was out of power for 3 days with no internet, so I apologize for the wait.

I deleted these folders and restarted, and the white icon is still present. When I hover my mouse over it, it says "Viewpoint manager updating options".

I dunno if this helps, but I was searching the internet to see if anyone else had a similar problem and I came across this

http://www.techsupportforum.com/mic...completely-remove-viewpoint-media-player.html


----------



## hewwo2u2 (Jan 10, 2009)

Can you send me a link to the Avast! software you want me to download? I went to the actual avast.com website and the one I'm seeing requires a registration before the 60-day trial period.

http://www.avast.com/eng/download-avast-home.html


----------



## Cookiegal (Aug 27, 2003)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and double click on the file to run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and Paste the following in the search box:

*Viewpoint*

Copy and paste the results here please.


----------



## Cookiegal (Aug 27, 2003)

Here's the link to Avast:

http://www.avast.com/eng/avast_4_home.html


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal said:


> Download the Registry Search Tool here:
> 
> http://www.billsway.com/vbspage/
> 
> ...


Can you please tell me where on here I need to go to download this? The only registry tool I saw on here was one for windows 2000 and xp.

I am going to download Avast! now. Could you tell me if Windows Defender counts as another anti virus software, and if so, should I disable it so that I do not have 2 running? I also realized that this Windows Defender has real time protection which I did not disable when I ran ComboFix. I don't know if it's important but I thought I'd let you know since it was stressed to me that I needed to remove real-time protection before running it. Thanks!


----------



## hewwo2u2 (Jan 10, 2009)

I have now downloaded Avast! Is it safe to remove ComboFix and anything else, or will you want me to run it again with Windows Defender disabled? I'm anxious to put in my new RAM but I don't want to do anything with my computer until all of this is finished. I find myself checking here several times on the weekend.


----------



## Cookiegal (Aug 27, 2003)

You can go ahead and install the RAM.

Are you at all familiar with the registry? Do you know how to search for something there?


----------



## hewwo2u2 (Jan 10, 2009)

I know that you can type regedit in the search but I've always been scared to do anything in it due to not wanting to mess up my computer. So to answer your question I think I know how to get to it and possibly look for something but I'm not familiar with it.


----------



## Cookiegal (Aug 27, 2003)

I would like you to open the registry editor and do a search for Viewpoint. Let me know if you find any entries in the registry for it.


----------



## hewwo2u2 (Jan 10, 2009)

I did this and 5 things came up. I took a screenshot. (see attached image)


----------



## Cookiegal (Aug 27, 2003)

Let's try this.

Download *Viewpointkiller* from the following link:

http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip


Save it to your Desktop
Create a new folder on your desktop by right clicking on the background > New > Folder > name the folder Viewpoint Killer
Unzip the contents of the zip file to the newly created folder.
Open the Viewpoint Killer folder then run *ViewpointKiller*, and select File > Do All Killings.
Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.


----------



## hewwo2u2 (Jan 10, 2009)

Hi Cookiegal,

I ran this and of course there were errors when it tried to remove the files that I still had. I ran it 2 more times and the same thing happened. Here is a log of what it did and which files it couldn't remove.

----------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Tue Mar 10 18:44:10 2009

Preparing to remove Viewpoint Media Player...



Warning accepted, beginning removal process....



ViewpointKiller determined that "aim.exe" was not running.

ViewpointKiller determined that "aim6.exe" was not running.

ViewpointKiller determined that "aolsoftware.exe" was not running.

ViewpointKiller determined that "aol.exe" was not running.

ViewpointKiller determined that "MtsAxInstaller.exe" was not running.



Preparing to close the Viewpoint Manager Service if it is running...

Closing "Viewpoint Manager Service" failed, or the service is not running.





Searching for all known Viewpoint Media Player registry values and keys...

Finished searching for and removing all known Viewpoint Media Player registry values and keys.



Searching for all known Viewpoint Media Player files and folders...

There was an error removing C:\Program Files\Viewpoint\Viewpoint Media Player. The error returned was 124.

There was an error removing C:\Program Files\Viewpoint\Viewpoint Experience Technology. The error returned was 124.

Could not delete: C:\ProgramData\Application Data\Viewpoint

There was an error removing C:\ProgramData.WINDOWS\Application Data\Viewpoint. The error returned was 124.

There was an error removing C:\Program Files\Viewpoint\Common. The error returned was 124.

Finished searching for and removing all known Viewpoint Media Player files and folders.



Finished reporting.

----------------------------------
----------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Tue Mar 10 18:44:14 2009

Preparing to remove Viewpoint Manager...



ViewpointKiller determined that "viewmgr.exe" was not running.

Searching for all known Viewpoint Manager registry values and keys...

Found and removed: Software\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager

Finished searching for and removing all known Viewpoint Manager registry values and keys.



Searching for all known Viewpoint Manager files and folders...

There was an error removing C:\Program Files\Viewpoint\Viewpoint Manager. The error returned was 124.

Could not delete: C:\ProgramData\Application Data\Viewpoint

Finished searching for and removing all known Viewpoint Manager files and folders.



Finished reporting.

----------------------------------
----------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Tue Mar 10 18:44:16 2009

Preparing to remove Viewpoint Toolbar...



ViewpointKiller determined that "FotomatDeviceConnect.exe" was not running.

ViewpointKiller determined that "iexplore.exe" was not running.



Searming for all known Viewpoint Toolbar registry values and keys...

Finished searching for and removing all known Viewpoint Toolbar registry values and keys.



Searching for all known Viewpoint Toolbar files and folders...

There was an error removing C:\Program Files\Viewpoint\Viewpoint Toolbar V35. The error returned was 124.

Could not delete: C:\Users\Jessica\Local Settings\Application Data\Viewpoint

Could not delete: C:\ProgramData\Desktop\Fotomat.lnk

There was an error removing C:\Program Files\Viewpoint\Viewpoint Toolbar. The error returned was 124.

Could not delete: C:\ProgramData\Application Data\Viewpoint

There was an error removing C:\Program Files\Common Files\Viewpoint\Toolbar Runtime. The error returned was 124.

Finished searching for and removing all known Viewpoint Toolbar files and folders.



Finished reporting.

----------------------------------


----------



## Cookiegal (Aug 27, 2003)

Can you delete these folders manually:

C:\Program Files\*Viewpoint*

C:\ProgramData\Application Data\*Viewpoint*

and delete this file:

C:\ProgramData\Desktop\*Fotomat.lnk*

Reboot after doing that and let me know if you still have the icon in the control panel please.


----------



## hewwo2u2 (Jan 10, 2009)

I manually deleted C:\Program Files\*Viewpoint* a little while back. It was the one I told you about that contained a folder called "Viewpoint Experience Technology" with some other folders and files in it. As for the other ones, where can I find C:\ProgramData? There is a Program Files but I do not see Program Data...


----------



## hewwo2u2 (Jan 10, 2009)

I made it to where I can see the hidden files, and I found "Program Data". There was a folder called "Viewpoint" in there. Within this folder is another folder called "Viewpoint Experience Technology", which contains a folder called "User Shell". Inside the "User Shell" folder are 2 folders: "AOL9" and "AOL9Plus". There is a single file in both of these that is called "FLFBootStrap.mtx".

This is _exactly_ what was in the folder that I deleted from C:\Program Files\*Viewpoint*. Do you know why it was on here twice??

So now I have deleted the folder C:\Program Files\*Viewpoint* _and_ the hidden folder C:\ProgramData\*Viewpoint*.

The weird little icon in my control panel is still there.

I cannot find the "Application Data" or the "Desktop" folders in order to delete C:\ProgramData\Application Data\*Viewpoint* and C:\ProgramData\Desktop\*Fotomat.lnk*. "Application Data" and "Desktop" are not listed under "ProgramData". Could you please tell me where I can find them?

If I select the option to _show protected operating system files_, this message appears:
"These files are required to start and run Windows... deleting or editing them can make your computer inoperable"

When I clicked to show them anyway, the two folders do appear; however, they don't look like real folders. They are a lighter color and have the little arrow on them that my shortcuts on my desktop have. If I click on one of them it says:
"C:\ProgramData\Application Data *(or Desktop)* is not accessible. Access is denied"

Also, if I hover my mouse over one of them it says: size: 0 bytes

Where else can I look for these files?

p.s. I attached a picture of the useless icon and the message that comes up if I click it.


----------



## Cookiegal (Aug 27, 2003)

Going back to post 68, I need to know the full number that appears in the left-hand pane that produced those entries on the right as well as the full name of that registry key please.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal,
I do not know if this is relevant, but I also found under *C:\Users\Jessica\* that there are 2 folders that I'm not sure what they are. These folders are:
*048298C9A4D3490B9FF9AB023A9238F3.TMP*
and
*{7b7c04a3-50aa-4087-8aed-e49c6dc083a3}*

Inside the *048298C9A4D3490B9FF9AB023A9238F3.TMP* folder are 2 files: *WiseCustomCalla.dll* and *WiseCustomCalla6.dll*

Inside the *{7b7c04a3-50aa-4087-8aed-e49c6dc083a3}* folder is a file called *lvusbsta.sys*.

I tried to look them both up and the *lvusbsta.sys* appears to be something that has to do with my logitech webcam. I'm wondering though why it is appearing here under my name when it is supposed to only be located in *C:\Windows\System32\drivers* and that some things will camouflage themselves as lvusbsta.sys in other areas of the computer. Avast has not found anything nor has MBAM. Why is it located where it is, and should I remove it?

As for the other folder that contains the *WiseCustomCalla.dll* files, I cannot find anything online pertaining to this and I have no idea why it is there or how it got there. Do you know what it is?
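The question raised in the post above (is a driver file sitting outside its usual location the genuine file or something posing as it?) can be answered without guessing. The following is an added example, not code from the thread or from any tool it mentions: it compares the unexpected copy against the canonical copy in System32\drivers by SHA-256 hash and checks the copy's Authenticode signature. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); only the two file paths come from the thread, the function and its output shape are constructed here, and the user profile folder is taken from $env:USERPROFILE rather than hard-coded.

```powershell
# Added example, not code from the thread. It checks a file found in an unexpected
# place (here the lvusbsta.sys copy under the user profile) against the canonical copy
# in System32\drivers: same SHA-256 hash and a valid Authenticode signature point to a
# leftover installer copy; a different hash or no signature is worth submitting for
# analysis. Assumes Windows PowerShell 4.0 or later (Get-FileHash). Only the two paths
# come from the thread; the function and its output shape are constructed here.

function Test-FileCopy {
    param(
        [Parameter(Mandatory = $true)] [string] $FoundPath,     # the copy in the odd location
        [Parameter(Mandatory = $true)] [string] $ExpectedPath   # where the file normally lives
    )

    $r = [ordered]@{
        FoundPath      = $FoundPath
        FoundExists    = Test-Path -LiteralPath $FoundPath -PathType Leaf
        ExpectedExists = Test-Path -LiteralPath $ExpectedPath -PathType Leaf
        SameHash       = $null      # stays $null when one of the copies is absent
        Signer         = $null
        SignatureValid = $null
        MD5            = $null      # handy for looking the file up on a multi-engine scanner
    }

    if ($r.FoundExists) {
        # A vendor driver is normally signed by that vendor; 'Valid' means the chain checks out
        $sig = Get-AuthenticodeSignature -FilePath $FoundPath
        $r.SignatureValid = ($sig.Status -eq 'Valid')
        $r.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $r.MD5 = (Get-FileHash -LiteralPath $FoundPath -Algorithm MD5).Hash

        if ($r.ExpectedExists) {
            $found    = (Get-FileHash -LiteralPath $FoundPath    -Algorithm SHA256).Hash
            $expected = (Get-FileHash -LiteralPath $ExpectedPath -Algorithm SHA256).Hash
            $r.SameHash = ($found -eq $expected)
        }
    }

    [pscustomobject] $r
}

# Paths from the thread: the copy under the user profile vs. the canonical driver location
$found    = Join-Path $env:USERPROFILE '{7b7c04a3-50aa-4087-8aed-e49c6dc083a3}\lvusbsta.sys'
$expected = Join-Path $env:SystemRoot  'System32\drivers\lvusbsta.sys'

Test-FileCopy -FoundPath $found -ExpectedPath $expected | Format-List
```

Reading the result: SameHash true with a valid signature from the vendor means the stray copy is byte-for-byte the installed driver (typically an installer's temporary folder that was never cleaned up), which matches what the thread eventually concludes. A copy with a different hash, or one that is unsigned while the System32 copy is signed, is the case that deserves a multi-engine scan and a second opinion; the MD5 field is there because the scanner used later in the thread reports files by MD5.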


----------



## hewwo2u2 (Jan 10, 2009)

Oh, sorry, I was writing that last post before you just posted. I will go find this now.


----------



## hewwo2u2 (Jan 10, 2009)

I am not sure how to find out which folder on the left is actually producing the entries as none of them are highlighted. Can you tell me how to do this?

You probably already know this, but I thought I should add that when I click the 4th one down on the list of 5 on the right side it is called "System.Controlpanel.category" value data:8

and when I click on the second one down (that says Info Tip) it says value data: Viewpoint Manager Updating Options.

"Viewpoint Manager Updating Options" is also what appears when I hover my mouse over the weird icon

And to add a bit to my prior post, I found those folders when trying to figure out what was going on this morning with my computer. I kept getting these errors from my browser:

_Connection Interrupted. The connection to the server was reset while the page was loading. The network link was interrupted while negotiating a connection. Please try again._

but I was definitely still connected to the internet. I tried everything including a system restore but nothing seemed to work. And eventually the problem just stopped. You ever heard of this? I want to cry because it seems like it's just one weird problem after another.


----------



## hewwo2u2 (Jan 10, 2009)

you still there?


----------



## Cookiegal (Aug 27, 2003)

Those folders with numbers are temporary folders created during installations. The first one seems to pertain to Optimizer. The other you mentioned is indeed related to a logitech product and the same would apply for it.

At the bottom of the registry editor, you should see the name of the registry key you're at. In order for those items to show on the right side, you have to click on something on the left side, and normally it would be a folder that would show as being open. In XP it's also highlighted in blue when you click on it.


----------



## hewwo2u2 (Jan 10, 2009)

I did not have to click on anything. I simply went to edit> find and that's what came up. :/

This is the registry key:
HKEY_CLASSES_ROOT\CLSID\{D5407412-467F-45cd-8594-37DA29512BF6}

There is a folder on the left side that has been expanded to reveal hundreds of other folders with numbers and letters. I went through them and found the folder with the same letters and numbers *{D5407412-467F-45cd-8594-37DA29512BF6}* and when I clicked it the same things came up on the right side, so I believe this is the one.

There are additional folders under this one that have some additional things in them.

I don't know what optimizer is. If these are temporary folders, would it be ok to delete them from where they are right now? They are just randomly sitting there above my contacts, desktop, and favorites icon.


----------



## Cookiegal (Aug 27, 2003)

Let's create a backup of the registry in the event you make a mistake and then we can restore everything back to the way it was.

Please go to *Start *- *Run *and copy and paste the following and then click OK:

*regedit /e c:\registrybackup.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hour glass for a minute.

When it no longer has the hour glass, check in your C drive to be sure you have a file called *registrybackup.reg* before continuing. If you do not see that file, please let me know before doing anything else.

If the backup file was created properly then navigate to this key again:

HKEY_CLASSES_ROOT
CLSID
*{D5407412-467F-45cd-8594-37DA29512BF6}*

The above are all showing on the left-hand side only.

Now, right-click on:

*{D5407412-467F-45cd-8594-37DA29512BF6}*

and select "delete".

Reboot and let me know if the icon is gone please.


----------



## hewwo2u2 (Jan 10, 2009)

*{D5407412-467F-45cd-8594-37DA29512BF6}* is one of many subfolders located on the left side under a folder called *CLSID*. The *{D5407412-467F-45cd-8594-37DA29512BF6}* folder contains other folders within it as well. You want me to delete the entire *{D5407412-467F-45cd-8594-37DA29512BF6}* folder, which will include the folders that are in it, correct? Or do you want to know what the subfolders of that folder are first?


----------



## Cookiegal (Aug 27, 2003)

You can tell me what they are but they should be things like:

InProcServer32
ProgId
TypeLib


----------



## hewwo2u2 (Jan 10, 2009)

none of those things are in that folder. :/

If I click on the *{D5407412-467F-45cd-8594-37DA29512BF6}* folder the 5 REG_SZ files show up on the right and on the left, 2 subfolders appear. One is called *DefaultIcon* and the other is called *Shell*. If I click the *DefaultIcon* folder, one file appears on the right side. It is a REG_EXPAND_SZ.
When I click the *Shell* folder, a REG_SZ file appears to the right, and another subfolder under it called *Open* appears.

The *Open* folder also has a REG_SZ file to the right and has yet another subfolder under it on the left. This last subfolder is called *Command* and if I click it, a REG_EXPAND_SZ file appears to the right. I attached a screenshot of this last folder so you can see what I'm seeing.


----------



## Cookiegal (Aug 27, 2003)

Yes, you can go ahead and delete:

*D5407412-467F-45cd-8594-37DA29512BF6*

Everything underneath it will go, so that number will no longer appear in the list on the left.


----------



## hewwo2u2 (Jan 10, 2009)

OK, deleted. Restarting now. Will let you know ASAP if the icon is gone.


----------



## hewwo2u2 (Jan 10, 2009)

Now the icon is completely blank. There is nothing written under it. It looks like a blank sheet of paper. It has also moved to the top left side and is the first icon in my control panel. If I click on it nothing happens.

The _exact_ same thing happened to the other person that had this issue that I linked to in post #59.
http://www.techsupportforum.com/mic...completely-remove-viewpoint-media-player.html

should I restore like that person did since removing the keys didn't fix it? If so, How do I do it?

I uploaded a new screenshot of the new and even weirder icon


----------



## hewwo2u2 (Jan 10, 2009)

After some hard searching, here's another person that had the exact same problem again and his was actually solved.

http://www.techsupportforum.com/mic...s-vista-support/226274-viewpoint-manager.html

In that thread they did not tell him to delete the registry key under *\HKEY_CLASSES_ROOT\CLSID\* but to delete the same subkey (that is *D5407412-467F-45cd-8594-37DA29512BF6*) located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace

I looked and sure enough this sub key does exist and unlike the other one, there are no subfiles listed below it. There is just one REG_SZ file on the left and that's it.

should I restore the ones I deleted previously and go back and delete this other one instead?


----------



## Cookiegal (Aug 27, 2003)

There is another registry key that should remove it entirely.

It's at this location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\*{D5407412-467F-45cd-8594-37DA29512BF6}*

So it's the same deal as last time, below NameSpace, delete the following which is also on the left side:

*{D5407412-467F-45cd-8594-37DA29512BF6}*

Then reboot and let me know please.

I'm signing off now for the night.
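The two posts above arrive at the general shape of this problem: a Control Panel item is just a CLSID listed under the Explorer ControlPanel\NameSpace key, and when the uninstaller removes the program's files but leaves that registration behind, the icon survives (first with its InfoTip, then as a blank sheet once the CLSID key itself is gone). Below is an added example, not code from the thread or from any tool it mentions, that enumerates those registrations, resolves the files each CLSID points at (InProcServer32, DefaultIcon, Shell\Open\Command), reports entries whose backing files are missing, and backs a chosen entry up with reg.exe before deleting it. It assumes Windows Vista or later and an elevated Windows PowerShell 3.0+ session; the only thread-specific value is the Viewpoint CLSID in the last line, and the function names are my own.

```powershell
# Added example, not code from the thread. It lists every Control Panel namespace
# entry, resolves the files its CLSID points at, and reports entries whose backing
# files are gone (the leftover "Viewpoint Manager Updating Options" icon is exactly
# such an entry), then backs a chosen entry up with reg.exe before deleting it.
# Assumes Windows Vista or later and an elevated Windows PowerShell 3.0+ session.
# The only thread-specific value is the Viewpoint CLSID used in the last line.

$NameSpaceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'

function Get-DefaultValue {
    # (default) value of a registry key, or $null if the key or the value is absent
    param([string] $Key)
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

function ConvertTo-FilePath {
    # Reduce a DefaultIcon value ('C:\x.exe,0') or a Shell\Open\Command value
    # ('"C:\x.exe" /arg') to the bare file path it references
    param([string] $Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value).Trim()
    if ($v -match '^"([^"]+)"') { return $Matches[1] }
    return ($v -split ',')[0].Trim()
}

function Test-BackingFile {
    param([string] $Path)
    # A bare DLL name (e.g. shell32.dll) is loaded from System32, so test it there
    if ($Path -notmatch '\\') { $Path = Join-Path "$env:SystemRoot\System32" $Path }
    return (Test-Path -LiteralPath $Path -PathType Leaf)
}

function Get-ControlPanelNamespaceEntry {
    Get-ChildItem -Path $NameSpaceKey -ErrorAction Stop | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $paths  = @("$clsKey\InProcServer32", "$clsKey\DefaultIcon", "$clsKey\Shell\Open\Command") |
            ForEach-Object { Get-DefaultValue $_ } |
            Where-Object { $_ } |
            ForEach-Object { ConvertTo-FilePath $_ }

        [pscustomobject]@{
            CLSID        = $clsid
            Name         = Get-DefaultValue $clsKey
            InfoTip      = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).InfoTip
            ClsidExists  = Test-Path -Path $clsKey
            MissingPaths = @($paths | Where-Object { -not (Test-BackingFile $_) })
        }
    }
}

function Remove-NamespaceEntry {
    # Export both keys to .reg files (double-click one to restore it), then delete them.
    # Keys that are already gone are skipped. Use -WhatIf to preview without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Clsid,
        [string] $BackupDir = (Join-Path $env:USERPROFILE 'Desktop')
    )
    $keys = @(
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\$Clsid",
        "HKCR\CLSID\$Clsid"
    )
    foreach ($k in $keys) {
        & reg.exe query $k 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Verbose "$k not present, skipping"; continue }
        $file = Join-Path $BackupDir (($k -replace '[\\:{}]', '_') + '.reg')
        if ($PSCmdlet.ShouldProcess($k, "export to $file, then delete")) {
            & reg.exe export $k $file /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $k failed; leaving it in place" }
            & reg.exe delete $k /f | Out-Null
        }
    }
}

# Report: entries whose CLSID is gone or whose backing files no longer exist
Get-ControlPanelNamespaceEntry |
    Where-Object { -not $_.ClsidExists -or $_.MissingPaths.Count -gt 0 } |
    Format-Table CLSID, Name, InfoTip, MissingPaths -AutoSize

# Viewpoint's CLSID from the thread; drop -WhatIf to actually back up and delete
Remove-NamespaceEntry -Clsid '{D5407412-467F-45cd-8594-37DA29512BF6}' -WhatIf
```

Two design points. First, the backup is a per-key reg.exe export rather than a whole-registry `regedit /e` dump: it is small, it can be verified by opening the .reg file, and restoring it is a double-click. The thread shows why that matters, since the full backup there turned out to be unusable and a system restore was needed instead. Second, the function deletes nothing unless the export succeeded, so a failed backup leaves the key in place rather than leaving you without a way back.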


----------



## hewwo2u2 (Jan 10, 2009)

That is what I just wrote to you. I will let you know if this fixes it.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I hadn't seen your post before posting mine.


----------



## Cookiegal (Aug 27, 2003)

And no need to restore the previous one as it was indeed related to Viewpoint.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal,

I went ahead and restored the keys because I thought you had signed off and I figured it wouldn't hurt. Well I _tried_ to restore it, but it said it was unable to because the backup was not successful. So I went and did a system restore to earlier today which worked. Then I went and deleted that one key and it removed the pesky icon from my control panel! Now that I've done this, would you like for me to go and re-delete the other file? Sorry about that. :/

And is it OK to delete those funny number folders that were under my name?


----------



## Cookiegal (Aug 27, 2003)

Yes, please delete that other registry key again.

Before deleting anything else, please do this:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## hewwo2u2 (Jan 10, 2009)

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Apple Software Update
ATI Uninstaller
avast! Antivirus
BigFix
Browser Address Error Redirector
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Gateway Recovery Center Installer
Google Talk Plugin
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart Essential 2.01
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
Java(TM) 6 Update 12
Kodak DIGITAL GEM Airbrush Professional Plug-In 1.0.1
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Marvell(R) Wireless Card Software Package
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Money 2006
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
PDF Settings
Pet Vet 3D Animal Hospital
Power2Go 5.0
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
SigmaTel Audio
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Windows Media Player Firefox Plugin


----------



## hewwo2u2 (Jan 10, 2009)

Weird, why does it list 2 of most of my Adobe programs?


----------



## Cookiegal (Aug 27, 2003)

Does Steamgames mean anything to you? Those files called WiseCustomCalla are used by several programs and so far I haven't been able to find any that are malicious.

You could try getting these files analyzed at the following site:

http://virusscan.jotti.org/

Please post the results back here.


----------



## hewwo2u2 (Jan 10, 2009)

Steam is this application that my boyfriend had me download in order to play a game that he bought for me online. It's some sort of program that allows people to buy the games online and play them with all the other people that have the game as well. I haven't used it in a long time though because my computer is too slow for these games. Is this what is using WiseCustomCalla?

My main concern about these files is not so much that I have them as it is where they are located. They are just randomly there under my user name rather than in the folders that they should be (or perhaps they are in both)? I guess in that sense I sort of suspected malware since some malware present themselves as other benign things but reside in a different location than they're supposed to be?

I will scan and post results of scan now.


----------



## hewwo2u2 (Jan 10, 2009)

I'm not sure what it means but the bar at the top that says "service load" was remaining at 30%. Does this affect the accuracy of the scan?

I scanned all three files that are within these funny numbered folders right now. So far it says that all of the programs "found nothing" in *lvusbsta.sys* and *WiseCustomCalla.dll*


----------



## hewwo2u2 (Jan 10, 2009)

Service load: 0% 100%
File: WiseCustomCalla6.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b919f02b72e2cde1abc601666a810f3c
Packers detected: -
Scanner results
Scan taken on 16 Mar 2009 17:09:54 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found TrojanDownloader.Agent.ubl 
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


----------



## hewwo2u2 (Jan 10, 2009)

*Quick Heal* says I'm infected...what should I do? Could this be a false positive?


----------



## Cookiegal (Aug 27, 2003)

I believe they are related to that Steam games application and it looks like a false positive but to be sure, let's upload them to a colleague of mine to have them analyzed.

Go to the forum *here* and upload the files in question.

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## hewwo2u2 (Jan 10, 2009)

done

http://thespykiller.co.uk/index.php...ew?PHPSESSID=962b2b6127e2385aa652bbe3b47646c6

I only did that one in question. Let me know if you want me to upload the other 2 as well


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal,

is there anything else you would like for me to do while we wait for this file to get analyzed?


----------



## Cookiegal (Aug 27, 2003)

Not for now. I'm sure we'll hear something by tomorrow.


----------



## hewwo2u2 (Jan 10, 2009)

Jintan replied to my post and this is what he said:

"All the file info I check indicates this is a Wise installation file for Valve. 

Please follow up back in your forum thread."

what should I do now? can I delete the files?


----------



## Cookiegal (Aug 27, 2003)

Yes, he informed me as well.

I would leave them as I'm not sure if they are needed or not for that program to run and the files are not doing any harm.

Are there any other issues remaining?


----------



## hewwo2u2 (Jan 10, 2009)

I was going to uninstall steam (or at least try to).

I guess my only other question was why do I have so many things listed twice in my "uninstall list"? Does this mean I have them installed more than once?


----------



## Cookiegal (Aug 27, 2003)

Do they show twice in the Control Panel under Add or Remove programs as well?


----------



## hewwo2u2 (Jan 10, 2009)

No, just in the list I uploaded for ya.


----------



## Cookiegal (Aug 27, 2003)

Then it's probably just a glitch with HijackThis.


----------



## hewwo2u2 (Jan 10, 2009)

OK, so I'm guessing I can uninstall the Viewpoint Killer, right? Is there something I need to do or do I just delete it from my desktop? And how can I make sure Viewpoint doesn't come back again? Will I not be able to use AIM anymore?


----------



## Cookiegal (Aug 27, 2003)

It should not affect AIM and it shouldn't come back.

Yes, you can just move Viewpoint killer to the recycle bin.

Please post one last HijackThis log so I can be sure everything is fine.


----------



## hewwo2u2 (Jan 10, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:21 PM, on 3/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5746 bytes


----------



## Cookiegal (Aug 27, 2003)

This is just an orphaned entry from Yahoo that needs to be removed to tidy up but you will have to disable SpyBot's TeaTimer or it will prevent the change.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)*

Is everything fine now?
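As an added example that is not part of the thread or of HijackThis, the PowerShell below (all function and variable names are this example's own) enumerates the registered Browser Helper Objects and reports which ones point at a DLL that no longer exists, which is exactly what the "(no file)" marker on an O2 line means:

```powershell
# Added example, not from the thread: enumerate registered Browser Helper Objects
# and flag entries whose COM server DLL is missing on disk (HijackThis "O2 ... (no file)").
# Function and variable names are this example's own choices.
$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\Software\Classes\CLSID',
    'HKLM:\Software\Classes\Wow6432Node\CLSID'
)

function Get-BhoStatus {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid  = $key.PSChildName   # e.g. {02478D38-C3F9-4efb-9B51-7695ECA05670}
            $name   = $null
            $server = $null
            foreach ($clsidRoot in $clsidRoots) {
                $clsidKey = Join-Path -Path $clsidRoot -ChildPath $clsid
                if (-not (Test-Path -Path $clsidKey)) { continue }
                # The CLSID key's default value is the display name;
                # the InprocServer32 subkey's default value is the DLL that gets loaded.
                $name   = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $serverKey = Join-Path -Path $clsidKey -ChildPath 'InprocServer32'
                $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
                break
            }

            $resolved = $null
            if ($server) {
                # Paths may be quoted or use %SystemRoot%-style variables; normalise before testing.
                $resolved = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            }

            if (-not $server) {
                $status = 'orphaned: no CLSID/InprocServer32 registration'
            } elseif (-not (Test-Path -Path $resolved -PathType Leaf)) {
                $status = 'orphaned: DLL missing (no file)'
            } else {
                $status = 'ok'
            }

            [PSCustomObject]@{
                CLSID  = $clsid
                Name   = if ($name) { $name } else { '(no name)' }
                DLL    = $resolved
                Status = $status
            }
        }
    }
}

# Orphaned entries load nothing, so they are clutter rather than a threat, but removing
# them keeps later logs readable; every "ok" entry should map to software you recognise.
Get-BhoStatus | Sort-Object -Property Status | Format-Table -AutoSize
```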


----------



## hewwo2u2 (Jan 10, 2009)

Which part is TeaTimer? Is it the resident shield? If not, then how do I go about disabling it?

I also wanted to ask you about your thoughts on QuickTime Player. Someone told me that it was bad to have because it adds a lot of unwanted stuff to your computer and that it's one of those programs that you can't completely remove. Is this true?
My dilemma is that my digital camera saves all videos in the QuickTime format... He recommended something called QuickTime Lite, which I downloaded before and couldn't get to work. What are your thoughts on this?


----------



## Cookiegal (Aug 27, 2003)

Yes, it's the resident shield.

I've never heard of a problem with QuickTime.


----------



## hewwo2u2 (Jan 10, 2009)

I have followed your directions and I think it's good. Is there anything else I should do?

Also, I must have uninstalled Steam (by Valve) because I do not see it in my Add or Remove Programs list. The weird folder with the Wisecustomcalla files in it is still there though. Is it possible to find out if it got uninstalled correctly or if it's still lingering on my computer?


----------



## Cookiegal (Aug 27, 2003)

I would empty the recycle bin first and then move those unwanted Steam files/folder there but don't empty it again. Leave them there for a few days to see if anything screams out for them. If all is fine then you should be able to delete them.

If you used the Steam uninstall, it should have uninstalled properly. There could be orphaned registry entries that linger but it would be hard to pinpoint them. You could try searching the registry for "Steam" and "Valve" and see if anything turns up but there could be some entries that only have numbers and not those particular words.


----------



## hewwo2u2 (Jan 10, 2009)

OK, I moved the folder to my recycle bin. Then I went into regedit and did a search and found some things that are quite unsettling. I'm gonna go out on a limb and say that my boyfriend is responsible for this since I can honestly say that I have no desire to look at such things, but after typing "steam" in the search, a lot of folders came up that I am *NOT* happy to see (I'm sure you can imagine what I'm talking about). Please tell me what I need to do to clean my registry of these as I am not comfortable just going through and deleting so many things in there when I'm told by so many people to stay away from regedit.

We're talkin' hundreds of folders here. These are listed under Windows > CurrentVersion > Internet Settings > ZoneMap > Domains.


----------



## Cookiegal (Aug 27, 2003)

Before you jump to conclusions, it's important to check the values for those sites listed. So click on one of them and then look at what appears in the right-hand pane. If what you see under the data column has a 4 at the end, like this: 0x00000004 (4) then these are sites that have been placed in the restricted zone, meaning you cannot access them. Various security programs do this (such as SpyBot S&D using immunization) as a way of protecting you from known bad sites.
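The check described above, and the later point that such entries keep working after SpyBot is uninstalled, as an added example that is not part of the thread or of SpyBot: this PowerShell (its function and variable names are this example's own) lists every host in the ZoneMap with the zone it was assigned to, so the "0x00000004 (4)" values can be reviewed in bulk rather than one at a time in regedit:

```powershell
# Added example, not from the thread: list every host in the IE ZoneMap and show which
# security zone it was assigned to. Names below are this example's own choices.
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'   # what immunization writes for known bad sites
}
$zoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntries {
    foreach ($root in $zoneMapRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        $hive = ($root -split ':')[0]
        # Each subkey is a domain; nested subkeys are host labels,
        # e.g. the key path example.com\www stands for www.example.com.
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            $relative = ($key.Name -split '\\Domains\\', 2)[1]
            $labels = $relative -split '\\'
            [array]::Reverse($labels)
            $hostName = $labels -join '.'
            # The value name is the scheme (http, https, or * for any); the data is the zone id.
            foreach ($scheme in $key.GetValueNames()) {
                $zoneId = [int]$key.GetValue($scheme)
                [PSCustomObject]@{
                    Hive   = $hive
                    Host   = $hostName
                    Scheme = $scheme
                    ZoneId = $zoneId
                    Zone   = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { "unknown ($zoneId)" }
                }
            }
        }
    }
}

$entries = @(Get-ZoneMapEntries)

# How many hosts sit in each zone; a large Restricted Sites count is the immunization list.
$entries | Group-Object -Property Zone | Select-Object -Property Name, Count | Format-Table -AutoSize

# The entries worth a closer look are the ones NOT in zone 4: a host quietly added to
# Trusted Sites (2) gets relaxed browser settings, which is the opposite of protection.
$entries | Where-Object { $_.ZoneId -ne 4 } | Sort-Object -Property Host | Format-Table -AutoSize
```

These entries live in the registry itself, not in SpyBot's program folder, which is why uninstalling SpyBot leaves them in place and still effective.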


----------



## hewwo2u2 (Jan 10, 2009)

Yes, there is a 4 at the end of most of these. *Whew!* I bet you could imagine the smoke coming from my ears, lol.

I always wondered what "immunizing" meant... I actually just recently did it. Is this something I should continue doing, or do you think this is taking up unnecessary space? And if I ever remove SpyBot, will it remove these folders?

Alright, so I think everything is good for now...


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> Yes, there is a 4 at the end of most of these. *Whew!* I bet you could imagine the smoke coming from my ears, lol.
> 
> I always wondered what "immunizing" meant... I actually just recently did it. Is this something I should continue doing, or do you think this is taking up unnecessary space? And if I ever remove SpyBot, will it remove these folders?
> 
> Alright, so I think everything is good for now...


Yes, I could imagine. I hope I saved the boyfriend from getting an earful. 

Yes, you should continue to immunize with SpyBot as this is an added layer of protection and the little space is worth it. If you uninstall SpyBot, those entries will not be deleted.


----------



## hewwo2u2 (Jan 10, 2009)

I was just told in another thread that they don't trust the TeaTimer part of SpyBot. Do you think I should reinstall it without it? (I'd like a second opinion.) And if I do remove SpyBot and those files stay, will I still be protected by them or will they just be sitting there?

And yes, you saved him, lol.


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> I was just told in another thread that they don't trust the TeaTimer part of SpyBot. Do you think I should reinstall it without it? (I'd like a second opinion.) And if I do remove SpyBot and those files stay, will I still be protected by them or will they just be sitting there?
> 
> And yes, you saved him, lol.


I don't believe it's a matter of trust but I found TeaTimer to be rather a nuisance as it stops you from doing things you want to do sometimes so I never used it. Any entries left in the registry will do what they were put there to do, even after uninstalling SpyBot as once something is in the registry it will work unless deleted.

You don't have to reinstall, you can just turn TeaTimer off by going into Advanced Mode, then select *Tools* and *Resident*. Under *Resident Protection Status*, uncheck TeaTimer there.


----------



## hewwo2u2 (Jan 10, 2009)

OK, thank you! Anything else I should do?


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

Click on the Start button to open your Start Menu. 
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list.

You will now be at the System Protection tab in the System control panel.

Clear the check box next to the disk to turn off System Protection, and then click OK. This will flush out all previous restore points.

Now select the check box next to the disk, and then click OK to turn system restore back on.

Now create a new restore point. Click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.

Type in a title for the manual restore point and press the Create button. Vista will now create a manual restore point, and when completed, display a notice saying that it was created successfully.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal, I'm so sorry to ask this again (it's my luck this would happen again) but my computer all of a sudden got some dirty popups coming up after I had some friends over, some of which were connected to my network. Avast even said it blocked a trojan. I cleared my private history and everything and ran MBAM (a quick scan) and nothing came up. I was wondering if we could run the ComboFix thing and HJT one last time and you look at the logs before we removed them, if that's OK with you. Just to make sure? I'm so upset because we've been doing this for so long and I wanted to be done and feel good about knowing that my computer is clean.


----------



## Cookiegal (Aug 27, 2003)

I need to know the name of the file that Avast detected and its location please.

I suggest you drag ComboFix to the recycle bin and grab a new copy as it's updated frequently and we want to be sure to have the latest version.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.


----------



## hewwo2u2 (Jan 10, 2009)

One of the guys said the problem I was having was just a JavaScript popup and I know they didn't download the virus that Avast blocked, but it said it blocked it. But I'm not sure how to find out exactly what that file was. Is there a vault somewhere?

You want me to move ComboFix to the recycle bin without following the directions from the post before, correct?


----------



## hewwo2u2 (Jan 10, 2009)

I found the Avast "virus chest" and there is nothing listed in it.

Then I clicked on the "log viewer" and it says:
STSTEM - Application 1576 - *sign of "JSacked-AW [Trj]" has been found in "http://ashoping.com/?sid=aff0048\{gzip}" file.*

How embarrassing :-/


----------



## hewwo2u2 (Jan 10, 2009)

It did not give me the option to rename the ComboFix file so I am renaming the icon on my desktop. Is that enough or do I need to resave it?


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> It did not give me the option to rename the ComboFix file so I am renaming the icon on my desktop. Is that enough or do I need to resave it?


That should be fine.

Is that site ashoping.com one that you visit regularly? I had it checked out by a colleague and it's definitely a bad site and there is javascript embedded on that page but we don't know what it's meant to do.


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> You want me to move ComboFix to the recycle bin without following the directions from the post before, correct?


Yes, that's correct.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal said:


> That should be fine.
> 
> Is that site ashoping.com one that you visit regularly? I had it checked out by a colleague and it's definitely a bad site and there is javascript embedded on that page but we don't know what it's meant to do.


NO! I am tempted to see what was being looked at on it, but I think with the popups I saw later, along with my imagination, I have a pretty good idea. I'm turning into this uptight, over-protective person over my things now because of these very reasons. I'm sure I'm thought of as a pretty bad host now for yelling at my friends but I don't feel bad about it. I'm definitely going to make sure they bring their own laptops from now on, but I was wondering if you could tell me any protective steps I can take with my network settings to be sure that any junk they have on their computers (or anything that they get while surfing the net connected through my network) doesn't get transferred to mine.

And that one site is just what Avast actually saw. I'm pretty sure (in fact I'm almost positive) that that's not the only site that was visited. I have no way of knowing if anything else slipped through the cracks of my protection. I know I'm paranoid about this stuff but I just don't have the money to buy new computers like they do and I want mine to last as long as possible. That's why I wanted you to look at the logs one more time before I deleted the programs, if you think that would make any difference.

Shall I run ComboFix again now that I downloaded it? (The other one is in my recycle bin.)


----------



## Cookiegal (Aug 27, 2003)

Yes, please do run the newer version of ComboFix. Don't forget to disable all anti-virus programs before running it but make sure you're disconnected from the Internet when doing that and then be sure to re-enable them before you reconnect.


----------



## hewwo2u2 (Jan 10, 2009)

ComboFix 09-03-28.02 - Jessica 2009-03-29 15:51:57.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.312 [GMT -4:00]
Running from: c:\users\Jessica\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-24 21:31 . 2009-03-24 21:32 d-------- c:\program files\QuickTime
2009-03-16 00:09 . 2009-03-16 00:11 295,686,678 --a------ C:\registrybackup.reg
2009-03-10 20:05 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:05 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:05 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:05 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:05 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 20:04 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-07 16:34 . 2009-03-07 16:34 d-------- c:\program files\Alwil Software
2009-03-07 16:34 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\System32\MFC71.dll
2009-03-07 16:34 . 2009-02-05 17:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-03-04 13:32 . 2009-03-04 13:32 d-------- c:\users\All Users\Avg7
2009-03-04 13:32 . 2009-03-04 13:32 d-------- c:\programdata\Avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 07:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 01:21 8,240 ----a-w c:\users\Jessica\AppData\Roaming\wklnhst.dat
2009-03-28 01:16 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:18 --------- d-----w c:\program files\Common Files\Adobe
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 15:07 --------- d-----w c:\program files\Java
2009-03-25 01:31 --------- d-----w c:\programdata\Apple Computer
2009-03-15 02:38 --------- d-----w c:\programdata\FLEXnet
2009-03-14 15:25 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-03-11 07:09 --------- d-----w c:\program files\Windows Mail
2009-03-11 07:02 --------- d-----w c:\programdata\Microsoft Help
2009-03-09 09:19 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-02-16 01:03 --------- d-----w c:\program files\Trend Micro
2009-02-07 20:43 --------- d-----w c:\programdata\Lavasoft
2009-02-07 20:41 --------- d-----w c:\program files\Lavasoft
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-24 18:48 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( [email protected]_19.43.34.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2008-12-01 20:21:25 51,200 ----a-w c:\windows\inf\infpub.dat
+ 2009-03-15 03:06:50 51,200 ----a-w c:\windows\inf\infpub.dat
- 2008-12-01 20:21:17 86,016 ----a-w c:\windows\inf\infstor.dat
+ 2009-03-15 03:06:43 86,016 ----a-w c:\windows\inf\infstor.dat
- 2008-12-01 20:21:24 143,360 ----a-w c:\windows\inf\infstrng.dat
+ 2009-03-15 03:06:49 143,360 ----a-w c:\windows\inf\infstrng.dat
- 2009-02-11 08:01:58 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-11 07:02:39 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-11 08:02:01 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-11 07:02:40 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-11 08:01:58 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-11 07:02:39 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-02-11 08:01:58 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-03-11 07:02:39 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-02-11 08:02:00 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-11 07:02:39 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-02-11 08:02:01 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-11 07:02:40 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-11 08:02:02 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-11 07:02:40 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-11 08:01:59 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-11 07:02:39 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-11 08:01:59 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-11 07:02:39 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-02-11 08:02:00 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-11 07:02:40 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-02-11 08:02:02 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-11 07:02:40 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-11 08:01:58 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-11 07:02:39 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-27 01:20:43 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2009-02-23 00:26:50 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-28 07:25:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-23 00:26:50 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-28 07:25:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-14 15:05:31 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-14 15:05:31 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-14 15:05:31 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-23 00:42:50 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-28 07:27:09 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-12-10 08:27:03 2,638,619 -c--a-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
+ 2009-03-11 07:13:44 2,638,619 -c--a-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
- 2009-02-23 00:29:11 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-28 07:27:39 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\System32\aswBoot.exe
+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\System32\AvastSS.scr
- 2009-02-23 00:26:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-29 18:27:04 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-23 00:26:49 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-29 18:27:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-23 00:26:49 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-29 18:27:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-23 00:37:30 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-03-29 19:51:42 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\System32\drivers\aswFsBlk.sys
+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\System32\drivers\aswRdr.sys
+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\System32\drivers\aswSP.sys
+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\System32\drivers\aswTdi.sys
- 2008-08-20 09:30:32 529,408 ----a-w c:\windows\System32\drivers\MRVW147.sys
+ 2009-01-05 23:04:16 534,016 ----a-w c:\windows\System32\drivers\MRVW147.sys
+ 2009-01-05 23:04:16 534,016 ----a-w c:\windows\System32\DriverStore\FileRepository\netmw147.inf_46fedfd1\MRVW147.sys
- 2008-10-15 07:14:25 1,716,096 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2009-03-11 07:12:31 1,716,096 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2009-01-09 18:41:08 144,792 ----a-w c:\windows\System32\java.exe
+ 2009-03-09 09:19:11 144,792 ----a-w c:\windows\System32\java.exe
- 2009-01-09 18:41:09 144,792 ----a-w c:\windows\System32\javaw.exe
+ 2009-03-09 09:19:13 144,792 ----a-w c:\windows\System32\javaw.exe
- 2009-01-09 18:41:09 148,888 ----a-w c:\windows\System32\javaws.exe
+ 2009-03-09 09:19:13 148,888 ----a-w c:\windows\System32\javaws.exe
- 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\System32\mrt.exe
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\System32\mrt.exe
- 2009-02-16 23:52:37 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-27 19:15:38 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-16 23:52:37 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-27 19:15:38 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-22 23:00:38 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-03-11 07:23:43 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-03-11 07:23:43 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat_previous
- 2009-02-23 00:29:47 11,696 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1052193883-4255686519-1956554137-1000_UserData.bin
+ 2009-03-28 07:27:21 13,204 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1052193883-4255686519-1956554137-1000_UserData.bin
- 2009-02-23 00:29:47 61,170 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-28 07:27:21 63,858 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-22 23:00:07 4,584 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-27 19:54:54 4,584 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-02-23 00:29:43 47,172 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-28 07:27:18 49,966  ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-02-22 15:45:19 264,412 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-03-29 18:25:01 277,182 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-02-07 16:05:49 203,024 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-03-06 21:46:53 208,678 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2008-01-19 07:37:03 10,620,928 ----a-w c:\windows\System32\wmp.dll
+ 2008-12-16 05:31:35 10,622,976 ----a-w c:\windows\System32\wmp.dll
+ 2008-07-26 13:25:24 109,080 ----a-w c:\windows\Temp\logishrd\LVPrcInj04.dll
- 2009-02-18 23:21:26 205,972,731 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-03-11 00:05:15 206,755,642 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-12-16 05:53:36 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\dxmasf.dll
+ 2008-12-16 05:53:35 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\spwmp.dll
+ 2008-12-16 05:53:36 10,619,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmp.dll
+ 2008-12-16 05:53:30 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmpconfig.exe
+ 2008-12-16 05:53:30 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmplayer.exe
+ 2008-12-16 04:00:17 8,147,968 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmploc.DLL
+ 2008-12-16 05:53:30 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmpshare.exe
+ 2008-12-16 05:37:10 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\dxmasf.dll
+ 2008-12-16 05:36:47 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\spwmp.dll
+ 2008-12-16 05:37:33 10,619,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmp.dll
+ 2008-12-16 03:49:51 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmpconfig.exe
+ 2008-12-16 03:49:38 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmplayer.exe
+ 2008-12-16 03:49:52 8,147,968 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmploc.DLL
+ 2008-12-16 03:49:20 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmpshare.exe
+ 2008-12-16 05:31:31 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\dxmasf.dll
+ 2008-12-16 05:31:30 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\spwmp.dll
+ 2008-12-16 05:31:35 10,622,976 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmp.dll
+ 2008-12-16 05:31:19 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmpconfig.exe
+ 2008-12-16 05:31:19 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmplayer.exe
+ 2008-12-16 03:29:44 8,147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmploc.DLL
+ 2008-12-16 05:31:19 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmpshare.exe
+ 2008-12-16 04:32:10 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\dxmasf.dll
+ 2008-12-16 04:31:29 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\spwmp.dll
+ 2008-12-16 04:32:38 10,624,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmp.dll
+ 2008-12-16 02:38:46 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmpconfig.exe
+ 2008-12-16 02:38:29 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmplayer.exe
+ 2008-12-16 02:39:20 8,147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmploc.DLL
+ 2008-12-16 02:38:10 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmpshare.exe
+ 2009-02-11 23:29:35 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16819_none_f0a011f86e53bc84\OESpamFilter.dat
+ 2009-02-11 23:29:48 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.21009_none_f13456d18769739f\OESpamFilter.dat
+ 2009-02-12 00:40:03 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18214_none_f2814f2c6b7ecec2\OESpamFilter.dat
+ 2009-02-12 00:28:19 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22375_none_f2cb0cb984cc2f89\OESpamFilter.dat
+ 2008-11-27 04:42:05 269,824 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16782_none_1fdb8f82585b552d\schannel.dll
+ 2008-12-02 04:25:38 269,824 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.20967_none_207fcf7d716438ef\schannel.dll
+ 2008-11-27 04:43:25 268,288 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18175_none_21cf9ef255771632\schannel.dll
+ 2008-12-02 04:36:39 268,288 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.22320_none_228a4bcd6e70a8bb\schannel.dll
+ 2009-02-09 01:59:26 2,028,032 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16816_none_b70870b09d62e718\win32k.sys
+ 2009-02-09 01:54:23 2,030,080 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21006_none_b79cb589b6789e33\win32k.sys
+ 2009-02-09 03:10:34 2,033,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18211_none_b8e9ade49a8df956\win32k.sys
+ 2009-02-09 02:54:45 2,033,664 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22372_none_b9336b71b3db5a1d\win32k.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{214B1DC9-DB3B-45BA-A105-11084AE74B1C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{70799C91-14B5-489D-B946-378160CE00A4}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B3D3279E-7556-41C6-9650-63B0BB6D3F48}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4B1E698F-7EA4-421F-8FDA-7075D4EA8883}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{14190B57-2EEA-47B7-9971-06D1478A239E}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2F202BA2-ADCD-44ED-9F96-8CB67AFBD7A5}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E4E94A94-2351-4DD9-B55F-B6FFFF87B055}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8D511714-8FED-49A2-8F6A-09B7FA453FB2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3FAD7418-79DF-46F8-ADD7-51C2469F84B6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BE124A08-7C7A-4914-9AA0-5EE44AE5FF66}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5C64036E-F7F2-44E5-822B-9B66EBA9A236}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AFFBA27C-307F-472E-AA6E-622BF42C8A83}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3CA76EBB-D8ED-40BC-AE5E-C7C56B0EFEE7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{45F206FC-2162-4E7B-B0E5-AE21942F3072}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{8E92414B-8D9B-4C13-9C1D-37DE24BA2E09}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{C489BDA6-5B6B-4743-913D-9530BF352D4D}c:\\program files\\tencent\\qq games\\qqgames.exe"= UDP:c:\program files\tencent\qq games\qqgames.exe:QQ Games
"UDP Query User{B0D497DA-980E-4E76-96BB-0CA3A7099170}c:\\program files\\tencent\\qq games\\qqgames.exe"= TCP:c:\program files\tencent\qq games\qqgames.exe:QQ Games

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-03-07 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-03-07 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-03-07 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-09-16 1153368]
R3 MRVW147;Marvell TOPDOG (TM) 802.11bgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\System32\drivers\MRVW147.sys [2009-01-05 534016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1052193883-4255686519-1956554137-1000.job
- c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 01:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\c6339f51.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Jessica\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\Jessica\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 15:56:15
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-29 15:58:55
ComboFix-quarantined-files.txt 2009-03-29 19:58:49
ComboFix2.txt 2009-02-23 00:46:00

Pre-Run: 97,891,147,776 bytes free
Post-Run: 97,908,203,520 bytes free

283 --- E O F --- 2009-03-26 22:35:29


----------



## hewwo2u2 (Jan 10, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:56 PM, on 3/29/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5766 bytes


----------



## hewwo2u2 (Jan 10, 2009)

I have re-enabled everything, but after I ran Combo-fix, my Avast icon is no longer in my system tray at the bottom right corner of my desktop, so I could not simply right click and re-enable. I went into Avast and clicked settings > resident protection, and it gives me two options: Standard and High. Which do you recommend I use?

I also went through and disabled Windows firewall and windows defender (which I did not do last time as I didn't even know I had them!) I enabled them again after running Combofix and HJT. I wanted to ask you about these, because I was told before (I can't remember if it was by you or someone else on here) not to have more than one program running realtime protection. Can you advise me on which one(s) I should remove? I use Avast (free), MBAM (free), Spybot (free), Windows Defender, and Windows Firewall.

I also didn't even know I had a firewall until recently. What is this in comparison to the other programs I have, and is this Windows Firewall adequate?


----------



## hewwo2u2 (Jan 10, 2009)

Oh, and I had to run HJT several times because I forgot to select "run as administrator". So I'm assuming there's several logs saved somewhere that are useless because of this, and I was hoping you could tell me where they are saved so that I can delete them?


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C489BDA6-5B6B-4743-913D-9530BF352D4D}c:\\program files\\tencent\\qq games\\qqgames.exe"=-
"UDP Query User{B0D497DA-980E-4E76-96BB-0CA3A7099170}c:\\program files\\tencent\\qq games\\qqgames.exe"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
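For anyone reading this thread later: the script above only deletes the two QQ Games entries, but the same FirewallRules block can be read programmatically. The Python below (an added example, not Cookiegal's script and nothing ComboFix ships) parses those rule lines as ComboFix prints them, lists which ones were created from the firewall's own Unblock prompt, flags any profile whose EnableFirewall value is 0 as in the earlier log, and emits the same `=-` deletion lines for a chosen executable. The sample log text is constructed from this thread's entries, and the reading of the "Query User" value names is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the firewall sections ComboFix printed under
# "Reg Loading Points" in the log above; value names keep ComboFix's doubled
# backslashes, and the PublicProfile line is the one showing the firewall off.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{214B1DC9-DB3B-45BA-A105-11084AE74B1C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{3FAD7418-79DF-46F8-ADD7-51C2469F84B6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{C489BDA6-5B6B-4743-913D-9530BF352D4D}c:\\program files\\tencent\\qq games\\qqgames.exe"= UDP:c:\program files\tencent\qq games\qqgames.exe:QQ Games
"UDP Query User{B0D497DA-980E-4E76-96BB-0CA3A7099170}c:\\program files\\tencent\\qq games\\qqgames.exe"= TCP:c:\program files\tencent\qq games\qqgames.exe:QQ Games

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

FIREWALL_RULES_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RULE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?P<proto>TCP|UDP):'
    r"(?:(?P<port>\d+)\|)?"        # optional local port, as in TCP:6004|...
    r"(?P<path>[A-Za-z]:[^:]*):"    # drive-letter path, up to the next ':'
    r"(?P<app>.*)$"                 # display name printed after the path
)
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')

@dataclass
class FirewallRule:
    value_name: str            # registry value name exactly as ComboFix printed it
    protocol: str
    port: Optional[int]
    path: str
    app: str

    @property
    def prompt_created(self) -> bool:
        # Assumption: "TCP/UDP Query User{GUID}path" names are the rules Windows
        # Firewall writes when a user clicks Unblock on its security alert.
        return " Query User{" in self.value_name

    @property
    def exe_name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def _sections(log_text: str):
    """Yield (registry key, non-empty lines) for each [bracketed] block."""
    key, lines = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if key is not None:
                yield key, lines
            key, lines = m.group("key"), []
        elif key is not None and line:
            lines.append(line)
    if key is not None:
        yield key, lines

def parse_firewall_rules(log_text: str) -> List[FirewallRule]:
    """Structured view of every rule under the FirewallRules key."""
    rules = []
    for key, lines in _sections(log_text):
        if key.lower() != FIREWALL_RULES_KEY.lower():
            continue
        for m in filter(None, map(RULE_RE.match, lines)):  # non-rule lines skipped
            port = int(m.group("port")) if m.group("port") else None
            rules.append(FirewallRule(m.group("name"), m.group("proto"), port,
                                      m.group("path"), m.group("app")))
    return rules

def rules_for(rules: List[FirewallRule], exe_name: str) -> List[FirewallRule]:
    """Rules whose program path ends in exe_name (case-insensitive)."""
    return [r for r in rules if r.exe_name == exe_name.lower()]

def disabled_profiles(log_text: str) -> List[str]:
    """Profile names (e.g. PublicProfile) whose EnableFirewall value is 0."""
    found = []
    for key, lines in _sections(log_text):
        if "firewallpolicy\\" in key.lower():
            for m in filter(None, map(ENABLE_RE.match, lines)):
                if m.group("value") == "0":
                    found.append(key.rsplit("\\", 1)[-1])
    return found

def cfscript_for(rules: List[FirewallRule]) -> str:
    """Registry:: block for CFScript.txt; a value name followed by =- deletes it."""
    body = "\n".join(f'"{r.value_name}"=-' for r in rules)
    return f"Registry::\n[{FIREWALL_RULES_KEY}]\n{body}\n"

if __name__ == "__main__":
    found = parse_firewall_rules(SAMPLE_LOG)
    for r in found:
        kind = "prompt-created" if r.prompt_created else "installed/GUID"
        print(f"{kind:15} {r.protocol} port={r.port or '-'} {r.path} ({r.app})")
    print("firewall off on:", disabled_profiles(SAMPLE_LOG))
    print(cfscript_for(rules_for(found, "qqgames.exe")))
```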


----------



## Cookiegal (Aug 27, 2003)

I would uninstall Windows Defender.

HijackThis logs are saved wherever you decide to save them. I believe by default they go to the desktop.

You can't uninstall the Windows Firewall and I'm told in Vista it should be adequate as it's much improved since XP. However, I suggest getting a router as that will protect you by blocking many things before they even get to the firewall.


----------



## Cookiegal (Aug 27, 2003)

I'm attaching an AvastIcon.zip file to restore the Avast icon. This is a known problem that sometimes occurs after running ComboFix. Save the file to your desktop. Unzip it and double-click the AvastIcon.reg file and allow it to merge into the registry. Then reboot the machine and let me know if the icon has returned.

As for the settings, I would just reset it to the default settings as those are usually what's recommended.


----------



## hewwo2u2 (Jan 10, 2009)

I have a wireless router that I use in order to connect my laptop to the internet. Is this the type of router you are speaking of?

I have copied and saved the "CFScript" to my desktop. You said dragging it to the icon will start combofix again...do you want me to disable all my anti-malware programs and internet again prior to doing this?

My HJT logs do not save to my desktop. They simply automatically open up with notepad and after I exit the notepad I have no clue where they go. I did find ONE log (the one I posted here) listed under program files > trend micro > hijackthis but none of the prior logs were listed. Is it possible that this saved log gets deleted and replaced each time I run HJT or are these logs saved somewhere else?

My computer loses internet frequently and the only way to get re-connected is to restart my computer. I restarted recently, and the Avast Icon returned on its own, so I did not follow the last step that you posted.


----------



## Cookiegal (Aug 27, 2003)

Yes, if you have a wireless router, that would be fine.

HijackThis doesn't save the scans automatically, you have to do that, and each time you save a scan, if you don't change the name, it overwrites the previous scan.

You can run ComboFix this time without disabling your security programs.

When did you start having connection problems?


----------



## Cookiegal (Aug 27, 2003)

I also recommend using Firefox with the NoScript add-on which will protect you from url exploits. Here are the links to download Firefox and the NoScript add-on.

http://www.mozilla.com/en-US/firefox/firefox.html

https://addons.mozilla.org/en-US/firefox/addon/722


----------



## hewwo2u2 (Jan 10, 2009)

ComboFix 09-03-28.02 - Jessica 2009-03-30 6:29:45.3 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.893.334 [GMT -4:00]
Running from: c:\users\Jessica\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Jessica\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.
2009-03-24 21:31 . 2009-03-24 21:32 d-------- c:\program files\QuickTime
2009-03-16 00:09 . 2009-03-16 00:11 295,686,678 --a------ C:\registrybackup.reg
2009-03-10 20:05 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:05 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:05 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:05 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:05 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 20:04 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-07 16:34 . 2009-03-07 16:34 d-------- c:\program files\Alwil Software
2009-03-07 16:34 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\System32\MFC71.dll
2009-03-07 16:34 . 2009-02-05 17:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-03-04 13:32 . 2009-03-04 13:32 d-------- c:\users\All Users\Avg7
2009-03-04 13:32 . 2009-03-04 13:32 d-------- c:\programdata\Avg7
2009-02-18 19:27 . 2008-12-05 00:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-18 19:27 . 2008-12-05 00:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-18 19:27 . 2008-12-05 00:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-18 19:27 . 2008-12-05 00:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-18 19:27 . 2008-12-05 00:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-10 21:52 . 2009-01-14 23:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 21:52 . 2009-01-15 02:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-07 16:13 . 2008-06-19 21:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-07 16:13 . 2008-06-19 21:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-07 16:13 . 2008-06-19 21:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-07 16:13 . 2008-06-19 21:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-07 16:13 . 2008-06-19 21:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-07 16:13 . 2008-06-19 21:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-07 16:13 . 2008-06-19 21:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-07 16:13 . 2008-06-19 21:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-07 15:58 . 2008-07-27 14:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-07 15:58 . 2008-07-27 14:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-07 15:58 . 2008-07-27 14:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-07 15:57 . 2008-07-27 14:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-07 15:57 . 2008-07-27 14:03 83,968 --a------ c:\windows\System32\mscories.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 00:55 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 01:21 8,240 ----a-w c:\users\Jessica\AppData\Roaming\wklnhst.dat
2009-03-28 01:16 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:18 --------- d-----w c:\program files\Common Files\Adobe
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 15:07 --------- d-----w c:\program files\Java
2009-03-25 01:31 --------- d-----w c:\programdata\Apple Computer
2009-03-15 02:38 --------- d-----w c:\programdata\FLEXnet
2009-03-14 15:25 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-03-11 07:09 --------- d-----w c:\program files\Windows Mail
2009-03-11 07:02 --------- d-----w c:\programdata\Microsoft Help
2009-03-09 09:19 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-02-16 01:03 --------- d-----w c:\program files\Trend Micro
2009-02-07 20:43 --------- d-----w c:\programdata\Lavasoft
2009-02-07 20:41 --------- d-----w c:\program files\Lavasoft
2008-09-24 18:48 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((( SnapShot_2009-03-29_15.57.07.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-28 07:25:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-30 00:55:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-28 07:25:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-30 00:55:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-28 07:27:09 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-30 00:57:22 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-30 00:57:22 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-03-28 07:27:39 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-30 00:57:17 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-30 00:57:17 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-03-29 18:27:04 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-30 08:56:57 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-29 18:27:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-30 08:56:57 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-29 18:27:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-30 08:56:57 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-28 07:27:21 13,204 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1052193883-4255686519-1956554137-1000_UserData.bin
+ 2009-03-30 00:57:47 13,228 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1052193883-4255686519-1956554137-1000_UserData.bin
- 2009-03-28 07:27:21 63,858 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-30 00:57:47 63,858 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-28 07:27:18 49,966 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-30 00:57:45 49,974 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-26 13:25:24 109,080 ----a-w c:\windows\Temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{214B1DC9-DB3B-45BA-A105-11084AE74B1C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{70799C91-14B5-489D-B946-378160CE00A4}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B3D3279E-7556-41C6-9650-63B0BB6D3F48}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4B1E698F-7EA4-421F-8FDA-7075D4EA8883}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{14190B57-2EEA-47B7-9971-06D1478A239E}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2F202BA2-ADCD-44ED-9F96-8CB67AFBD7A5}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E4E94A94-2351-4DD9-B55F-B6FFFF87B055}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8D511714-8FED-49A2-8F6A-09B7FA453FB2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3FAD7418-79DF-46F8-ADD7-51C2469F84B6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BE124A08-7C7A-4914-9AA0-5EE44AE5FF66}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5C64036E-F7F2-44E5-822B-9B66EBA9A236}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AFFBA27C-307F-472E-AA6E-622BF42C8A83}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3CA76EBB-D8ED-40BC-AE5E-C7C56B0EFEE7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{45F206FC-2162-4E7B-B0E5-AE21942F3072}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{8E92414B-8D9B-4C13-9C1D-37DE24BA2E09}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-03-07 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-03-07 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-03-07 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-09-16 1153368]
R3 MRVW147;Marvell TOPDOG (TM) 802.11bgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\System32\drivers\MRVW147.sys [2009-01-05 534016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1052193883-4255686519-1956554137-1000.job
- c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 01:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\c6339f51.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Jessica\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\Jessica\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 06:33:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-30 6:36:55
ComboFix-quarantined-files.txt 2009-03-30 10:36:48
ComboFix2.txt 2009-03-29 19:58:57
ComboFix3.txt 2009-02-23 00:46:00

Pre-Run: 96,131,469,312 bytes free
Post-Run: 96,096,034,816 bytes free

179 --- E O F --- 2009-03-26 22:35:29


----------



## hewwo2u2 (Jan 10, 2009)

I have now tried to post this log twice and both times it is showing up like this. Why? Does this have to do with the Firefox add-on?


----------



## hewwo2u2 (Jan 10, 2009)

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:01:35 AM, on 3/30/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Alwil Software\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Windows\ehome\ehtray.exe C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Windows\ehome\ehmsas.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Groove 
GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra 
button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- End of file - 5824 bytes


----------



## hewwo2u2 (Jan 10, 2009)

Great... new problems ^^^ The weirdest thing happened after I ran ComboFix. I restarted my computer and when it came back on my touchpad mouse did not work. I had to plug in a regular mouse and restart again to get it to work again. Is this another known issue? I've had the internet problem for months. Here's a link to the thread where I first started talking about it: http://forums.techguy.org/networking/789407-problems-staying-connected-wireless-internet.html Will you please post the files that you gave me before to add back to my registry after running ComboFix again?


----------



## hewwo2u2 (Jan 10, 2009)

And the way this thing is not letting me space things out is getting kinda annoying, lol!


----------



## Cookiegal (Aug 27, 2003)

The logs are posting like that because you have "word wrap" checked under Format in Notepad. Please uncheck that and post the log again as I can't use it in that format.

And what files are you referring to?


----------



## hewwo2u2 (Jan 10, 2009)

I do not have word wrap checked. And when I tried to type post #150, I originally had spaces between the lines but again, it posted like that. I am almost positive this is due to the Firefox plugin that I installed. I LOVE the idea of blocking unwanted scripts, but it is already a nuisance for me with the sites I spend most of my spare time on (Facebook and MySpace). I'm considering doing a system restore to the time before I installed it because of this but at the same time, the very reason I started this thread to begin with was because of something that came up while surfing MySpace... I'm having a little dilemma :/


----------



## hewwo2u2 (Jan 10, 2009)

The files I was talking about are the ones that removed my ability to choose what external media I did or did not want to start automatically. What's weird to me is that I didn't notice a difference when I used my flash drive. I had it already set to where it doesn't start automatically, so the usual screen pops up asking me what I want to do. The same thing happened after I ran ComboFix and the option to auto play media appears to still be there, so what exactly is it that ComboFix removes?


----------



## hewwo2u2 (Jan 10, 2009)

ComboFix 09-03-28.02 - Jessica 2009-03-30 6:29:45.3 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.893.334 [GMT -4:00]
Running from: c:\users\Jessica\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Jessica\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-24 21:31 . 2009-03-24 21:32 d-------- c:\program files\QuickTime
2009-03-16 00:09 . 2009-03-16 00:11 295,686,678 --a------ C:\registrybackup.reg
2009-03-10 20:05 . 2008-12-15 23:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 20:05 . 2008-11-27 00:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 20:05 . 2008-12-16 01:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 20:05 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 20:05 . 2008-12-16 01:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-10 20:04 . 2009-02-08 23:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-07 16:34 . 2009-03-07 16:34 d-------- c:\program files\Alwil Software
2009-03-07 16:34 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\System32\MFC71.dll
2009-03-07 16:34 . 2009-02-05 17:06 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2009-03-04 13:32 . 2009-03-04 13:32 d-------- c:\users\All Users\Avg7
2009-03-04 13:32 . 2009-03-04 13:32 d-------- c:\programdata\Avg7
2009-02-18 19:27 . 2008-12-05 00:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-18 19:27 . 2008-12-05 00:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-18 19:27 . 2008-12-05 00:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-18 19:27 . 2008-12-05 00:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-18 19:27 . 2008-12-05 00:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-10 21:52 . 2009-01-14 23:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 21:52 . 2009-01-15 02:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-07 16:13 . 2008-06-19 21:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-07 16:13 . 2008-06-19 21:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-07 16:13 . 2008-06-19 21:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-07 16:13 . 2008-06-19 21:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-07 16:13 . 2008-06-19 21:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-07 16:13 . 2008-06-19 21:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-07 16:13 . 2008-06-19 21:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-07 16:13 . 2008-06-19 21:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-07 15:58 . 2008-07-27 14:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-07 15:58 . 2008-07-27 14:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-07 15:58 . 2008-07-27 14:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-07 15:57 . 2008-07-27 14:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-07 15:57 . 2008-07-27 14:03 83,968 --a------ c:\windows\System32\mscories.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 00:55 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 01:21 8,240 ----a-w c:\users\Jessica\AppData\Roaming\wklnhst.dat
2009-03-28 01:16 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 01:18 --------- d-----w c:\program files\Common Files\Adobe
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 15:07 --------- d-----w c:\program files\Java
2009-03-25 01:31 --------- d-----w c:\programdata\Apple Computer
2009-03-15 02:38 --------- d-----w c:\programdata\FLEXnet
2009-03-14 15:25 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-03-11 07:09 --------- d-----w c:\program files\Windows Mail
2009-03-11 07:02 --------- d-----w c:\programdata\Microsoft Help
2009-03-09 09:19 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-02-16 01:03 --------- d-----w c:\program files\Trend Micro
2009-02-07 20:43 --------- d-----w c:\programdata\Lavasoft
2009-02-07 20:41 --------- d-----w c:\program files\Lavasoft
2008-09-24 18:48 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot_2009-03-29_15.57.07.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-28 07:25:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-30 00:55:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-03-28 07:25:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-03-30 00:55:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-28 07:27:09 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-30 00:57:22 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-30 00:57:22 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-03-28 07:27:39 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-30 00:57:17 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-30 00:57:17 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-03-29 18:27:04 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-30 08:56:57 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-29 18:27:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-30 08:56:57 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-29 18:27:04 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-30 08:56:57 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-28 07:27:21 13,204 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1052193883-4255686519-1956554137-1000_UserData.bin
+ 2009-03-30 00:57:47 13,228 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1052193883-4255686519-1956554137-1000_UserData.bin
- 2009-03-28 07:27:21 63,858 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-30 00:57:47 63,858 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-03-28 07:27:18 49,966 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-03-30 00:57:45 49,974 ----a-w  c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-26 13:25:24 109,080 ----a-w c:\windows\Temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 2348584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\users\Jessica\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-1000]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052193883-4255686519-1956554137-500]
"EnableNotificationsRef"=dword:00000001
"EnableNotificationsCache"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{214B1DC9-DB3B-45BA-A105-11084AE74B1C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{70799C91-14B5-489D-B946-378160CE00A4}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B3D3279E-7556-41C6-9650-63B0BB6D3F48}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4B1E698F-7EA4-421F-8FDA-7075D4EA8883}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{14190B57-2EEA-47B7-9971-06D1478A239E}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2F202BA2-ADCD-44ED-9F96-8CB67AFBD7A5}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E4E94A94-2351-4DD9-B55F-B6FFFF87B055}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{8D511714-8FED-49A2-8F6A-09B7FA453FB2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3FAD7418-79DF-46F8-ADD7-51C2469F84B6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BE124A08-7C7A-4914-9AA0-5EE44AE5FF66}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5C64036E-F7F2-44E5-822B-9B66EBA9A236}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AFFBA27C-307F-472E-AA6E-622BF42C8A83}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3CA76EBB-D8ED-40BC-AE5E-C7C56B0EFEE7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{45F206FC-2162-4E7B-B0E5-AE21942F3072}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{8E92414B-8D9B-4C13-9C1D-37DE24BA2E09}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-03-07 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-03-07 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-03-07 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-09-16 1153368]
R3 MRVW147;Marvell TOPDOG (TM) 802.11bgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\System32\drivers\MRVW147.sys [2009-01-05 534016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {9EB1C655-331C-5034-CCF8-436FA4B4A3DA} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1052193883-4255686519-1956554137-1000.job
- c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 01:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jessica\AppData\Roaming\Mozilla\Firefox\Profiles\c6339f51.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Jessica\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\Jessica\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 06:33:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-30 6:36:55
ComboFix-quarantined-files.txt 2009-03-30 10:36:48
ComboFix2.txt 2009-03-29 19:58:57
ComboFix3.txt 2009-02-23 00:46:00

Pre-Run: 96,131,469,312 bytes free
Post-Run: 96,096,034,816 bytes free

179 --- E O F --- 2009-03-26 22:35:29


----------



## hewwo2u2 (Jan 10, 2009)

It worked after I disabled the Firefox plugin.


----------



## hewwo2u2 (Jan 10, 2009)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:35 AM, on 3/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5824 bytes


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> It worked after I disabled the Firefox plugin.


OK, in Firefox you have to allow Tech Support Guy so it can run the necessary scripts.


----------



## Cookiegal (Aug 27, 2003)

I don't see any problems in the logs.

The files you asked about are still attached to an earlier post to enable autoruns so you just need to download the attachment again and merge it into the registry.

Is everything OK now?
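The "no problems" verdict above is reached by reading each HijackThis entry type against what is normal for the machine. As an added illustration (not code from this thread or from HijackThis itself), here is a small Python triage script that parses HJT-style lines and flags the entries a helper looks at first: IE start/search pages pointing off an allowlist, hosts-file lines that are not plain localhost entries, Run entries launching from scratch directories or pointing at missing files, and services HijackThis could not attribute to an owner. The sample log mixes lines copied from the HJT log posted above (all benign) with three constructed hijacked lines (the `search.example.invalid` search page, the `10.1.2.3` hosts entry and the `Temp\updater.exe` Run entry) so the rules have something to catch; the allowlist and the directory patterns are assumptions of this example, not HijackThis logic.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

The rules are deliberately simple: they show the kind of checks a helper
applies when reading a log, not a complete malware detector.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts a helper would treat as normal for IE start/search pages.
TRUSTED_PAGE_HOSTS = {"www.yahoo.com", "go.microsoft.com"}

# Assumption: directories from which a legitimate Run entry is unusual.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"\\temp\\", re.IGNORECASE),
    re.compile(r"\\\$recycle\.bin\\", re.IGNORECASE),
]

LOOPBACK = {"127.0.0.1", "::1"}

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+|F\d) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|vbs))', re.IGNORECASE)

# Lines copied from the HijackThis log posted in this thread (all benign).
CLEAN_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed lines showing what a hijacked machine typically produces.
HIJACKED_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O1 - Hosts: 10.1.2.3 www.yahoo.com
O4 - HKCU\..\Run: [Updater] C:\Users\Jessica\AppData\Local\Temp\updater.exe
"""


def parse_entries(text):
    """Split log text into (section, body) pairs, ignoring header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def check_page(body):
    """R0/R1: an IE start/search page must point at an allowlisted host."""
    _, _, value = body.partition("=")
    value = value.strip()
    if not value:                     # empty values (e.g. LinksFolderName) are normal
        return None
    host = (urlparse(value).hostname or "").lower()
    if host not in TRUSTED_PAGE_HOSTS:
        return f"start/search page points at untrusted host {host!r}"
    return None


def check_hosts(body):
    """O1: anything beyond loopback -> localhost is a hosts-file redirect."""
    parts = body.split(":", 1)[1].split()
    if len(parts) < 2:
        return None
    addr, names = parts[0], parts[1:]
    if addr in LOOPBACK and all(n.lower() == "localhost" for n in names):
        return None
    return f"hosts file maps {' '.join(names)} to {addr}"


def check_run(body):
    """O4: flag Run entries whose target is missing or lives in a scratch directory."""
    m = RUN_RE.match(body)
    if not m:                         # e.g. 'Startup:' shortcut entries, not handled here
        return None
    name, cmd = m.group("name"), m.group("cmd").strip()
    em = EXE_RE.match(cmd)
    path = em.group("path") if em else cmd
    if "(file missing)" in cmd.lower():
        return f"Run entry [{name}] points at a missing file: {path}"
    if any(p.search(path) for p in SUSPICIOUS_DIR_PATTERNS):
        return f"Run entry [{name}] launches from a scratch directory: {path}"
    return None


def check_service(body):
    """O23: HijackThis prints 'Unknown owner' when it cannot attribute a service."""
    if "unknown owner" in body.lower():
        return f"service with no identified owner: {body}"
    return None


CHECKS = {"R0": check_page, "R1": check_page, "O1": check_hosts,
          "O4": check_run, "O23": check_service}


def triage(text):
    """Return [(section, finding)] for every entry a rule objects to, in log order."""
    findings = []
    for section, body in parse_entries(text):
        check = CHECKS.get(section)
        if check is None:
            continue
        finding = check(body)
        if finding:
            findings.append((section, finding))
    return findings


if __name__ == "__main__":
    for section, finding in triage(CLEAN_LINES + HIJACKED_LINES):
        print(f"{section}: {finding}")
```

Run against the clean lines alone the script reports nothing, which is the same conclusion the helper reached by eye; with the constructed lines appended it reports the three hijack indicators, in log order. Entry types the script has no rule for (O2 BHOs, O16 downloads, O18 protocol handlers) still need a human or a reputation lookup, which is why a real helper reads the whole log rather than trusting a script.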


----------



## hewwo2u2 (Jan 10, 2009)

Yes, everything is fine. The only thing I've been noticing recently is that my computer seems to be "thinking" a lot. Like right now the little blue light is flickering and it's making the little noise it makes when it "thinks" (like the sound it makes when something is loading or running) but the only thing I'm doing is typing on this forum...

Can you please tell me what it is exactly that those files enable? I thought I knew what it was, but nothing seemed to be different when I put in a CD, and the option to autorun it appeared to still be there...

Oh, and I never actually uninstalled the 1st ComboFix I had. I simply dragged the icon on my desktop to the recycle bin (where it still is). Did the new one replace the old one or will I need to uninstall 2 of them?


----------



## Cookiegal (Aug 27, 2003)

The file adds keys to the registry to allow CDs and USB devices to autorun when you put them in. ComboFix disables that feature as a security measure.
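The regfix being discussed is a .reg file, and anyone merging one should know exactly which values it sets before doing so. The following Python is an added example, not the thread's attachment or ComboFix code: it parses the key/value lines of a .reg export and decodes any NoDriveTypeAutoRun value it finds into the drive types that would still AutoRun after the merge. The assumption is that the thread's regfix works through this value (the policy value under Policies\Explorer that Windows uses to suppress AutoRun per drive type; a set bit suppresses AutoRun for that drive type). The two sample .reg texts are constructed, one restoring the Vista default of 0x91 and one disabling AutoRun for every drive type with 0xFF.

```python
"""Decode what a .reg file does to AutoRun policy (added example, not thread code)."""
import re

# Bits of NoDriveTypeAutoRun; a set bit suppresses AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "unrecognised",
}
VISTA_DEFAULT = 0x91   # unknown, network and unrecognised types suppressed
DISABLE_ALL = 0xFF     # the hardened setting: no drive type AutoRuns

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed sample: what a "re-enable autorun" regfix might look like.
RESTORE_DEFAULT_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed sample: the hardened counterpart.
DISABLE_ALL_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def autorun_suppressed(value):
    """Drive types whose AutoRun is suppressed by this NoDriveTypeAutoRun value."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def autorun_allowed(value):
    """Drive types that would still AutoRun under this value."""
    return set(DRIVE_TYPE_BITS.values()) - autorun_suppressed(value)


def parse_reg(text):
    """Return (key, name, data) triples from a .reg export.

    dword: data becomes an int, quoted strings become str and '-' (delete
    value) becomes None; other data types (hex:, expand strings) are skipped.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not (vm and key):
            continue
        name, data = vm.group("name"), vm.group("data")
        if data.lower().startswith("dword:"):
            entries.append((key, name, int(data[6:], 16)))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            entries.append((key, name, data[1:-1]))
        elif data == "-":
            entries.append((key, name, None))
    return entries


def autorun_changes(reg_text):
    """[(key, value, drive types still allowed to AutoRun)] per NoDriveTypeAutoRun in the file."""
    return [
        (key, data, autorun_allowed(data))
        for key, name, data in parse_reg(reg_text)
        if name.lower() == "nodrivetypeautorun" and isinstance(data, int)
    ]


if __name__ == "__main__":
    for label, text in (("restore default", RESTORE_DEFAULT_REG), ("disable all", DISABLE_ALL_REG)):
        for key, value, allowed in autorun_changes(text):
            print(f"{label}: {key} -> 0x{value:02X}; AutoRun still allowed for: "
                  f"{sorted(allowed) or 'nothing'}")
```

Merging the first sample brings removable, fixed, CD/DVD and RAM-disk drives back to AutoRunning, which is exactly the behaviour the user noticed still being present; the second leaves nothing AutoRunning, which is the state ComboFix aims for. Reviewing a regfix this way before merging also catches a file that touches keys it should not.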


----------



## hewwo2u2 (Jan 10, 2009)

OK, thanks. I was only asking because it appeared that I still had the feature even though I ran Combo-Fix.


----------



## Cookiegal (Aug 27, 2003)

OK, you're welcome.


----------



## hewwo2u2 (Jan 10, 2009)

So shall I follow the steps you put previously about ComboFix? And will I need to do it twice now?


----------



## Cookiegal (Aug 27, 2003)

It could be your anti-virus is updating or if you still have Firefox, it will look for updates as well.

If autoruns is running fine, then you don't need to run the regfix.

It's getting difficult to follow this thread as so much has gone on. I'm not sure if I posted instructions on uninstalling ComboFix so I'll post it here.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *Combo-Fix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.


----------



## hewwo2u2 (Jan 10, 2009)

an error popped up that said "windows cannot find "Combo-Fix". Make sure you type the name correctly and try again" Is this because I changed the name?


----------



## Cookiegal (Aug 27, 2003)

It shouldn't be because that's the name we changed it to.

Try running the command the exact way you see it in the screenshot:

*ComboFix /u*


----------



## hewwo2u2 (Jan 10, 2009)

perhaps it has to do with renaming the icon on my desktop? like I just renamed the shortcut or something?

I will try it the other way right now.


----------



## hewwo2u2 (Jan 10, 2009)

can you please tell me what this means?

(see attachment)

if turning off system restore flushes out previous restore points, does this mean I will not be able to restore back to before I uninstalled combofix if something weird happens?

do you want me to turn off system restore even though this error came up?


----------



## Cookiegal (Aug 27, 2003)

I don't know what's causing that message and only a few people are getting it. ComboFix does run on Vista, but only on 32-bit (not 64-bit), and according to the logs you posted you have 32-bit.

I would click OK on that screen.

Yes, if you flush restore points you won't be able to go back to one before uninstalling ComboFix. You could wait a few days before flushing them but it's important to do so in case there is infection lingering in the restore points.


----------



## hewwo2u2 (Jan 10, 2009)

before you replied, I did a restore to the latest point before I uninstalled combofix in case it didn't uninstall correctly or something, since I didn't know what that message meant. I will now do the combofix /u thing again since you don't seem to think it's a problem. Do you know why it still wants me to call it combofix even though the icon on my desktop is called combo-fix?

I was wondering if you could tell me why my Firefox add-on is no longer there. I originally restored to one of the points that ComboFix had made a few days ago, but my clock was messed up after that, so I undid the restore and restored to my latest scheduled checkpoint before I had run the uninstall. The checkpoint was yesterday at 6:45 pm. I downloaded that add-on several days ago. If system restore is supposed to make the computer the way it was at that checkpoint, then why is my Firefox add-on gone? Can you answer this?

Also, I do not know if autorun is running fine as I'm not sure what all has been disabled. All I know is that when I put in a CD a screen pops up asking me what I would like to do next.
I found the .zip file from the earlier post. Is there a way I can search to see if I already have it in my registry? What happens if I allow it to merge and I already have it? Will it simply replace it or could this cause a problem?


----------



## hewwo2u2 (Jan 10, 2009)

I would like to clean up my computer as far as having things on there that I do not use. For instance I still have several QT Lite (QuickTime Lite) and Steam files and folders with *A LOT* of things in them, even though they are not listed in my Add or Remove Programs list. I'm wary of just dragging all these files to my recycle bin because I know that a lot of times this doesn't actually remove the program from my computer. Is there a way to safely remove all this stuff?


----------



## Cookiegal (Aug 27, 2003)

You are doing too many things yourself and by doing system restores for no reason you may have restored malware. I believe the only way you will be happy with your system is to back up any important data, photos, music, etc. then wipe the hard drive and reload the operating system. Then you will start fresh and can load only the programs you want to have running.


----------



## hewwo2u2 (Jan 10, 2009)

I'm sorry- I did not restore back to before we had changed anything. I restored to where I would have combofix back so that I could remove it correctly in case that error came up because something messed up. I did not think it would be harmful because you had said the logs looked clear and nothing else had been removed. I guess I didn't think I would restore malware because I hadn't removed any.

I do not know how to "wipe the hard drive" and we have spent so much time doing this stuff that I didn't want to have done it all for nothing. :/ I suppose I could ask someone to help me do this. I'm sorry.


----------



## hewwo2u2 (Jan 10, 2009)

I am going to have to wait until I have someone here that will help me do this. Until then can you tell me what I need to do in order to correctly remove combofix. Should I run this combofix /u again? and can you please answer my question concerning the zip files?


----------



## hewwo2u2 (Jan 10, 2009)

I uninstalled ComboFix again and this time I didn't get the error message.


----------



## Cookiegal (Aug 27, 2003)

This is the content of the regfix for the autoruns. You can compare your registry and see if you have these keys and values.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000000

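The regfix above re-enables AutoRun by setting the `NoDriveTypeAutoRun` policy to 0, and the earlier reply explains that ComboFix turns AutoRun off as a security measure. As an added example, not part of this thread and not ComboFix's own code, the following Python script parses a `.reg` file in the form posted above, decodes `NoDriveTypeAutoRun` as the per-drive-type bitmask Microsoft documents it to be, compares two snapshots value by value, and, on Windows, can read the same keys from the live registry so you can check what your machine actually has. The "locked down" snapshot, the `Windows Registry Editor Version 5.00` header and the 0x91 fallback default are assumptions made for this example and are not claims about what ComboFix writes.

```python
import re

# Constructed input for this example: the regfix quoted in the post, written
# out as a .reg file. The header line is assumed; the post omits it.
REGFIX_TEXT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000000
"""

# Constructed "locked down" snapshot (cdrom service AutoRun off, every
# drive-type bit set). Illustrative only; not a claim about ComboFix's values.
LOCKED_DOWN_TEXT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:000000ff
"""

# NoDriveTypeAutoRun is a bitmask: a set bit turns AutoRun OFF for that drive
# type (bit meanings per Microsoft's documentation of the value).
DRIVE_TYPE_BITS = [
    (0x01, "unknown"), (0x02, "no root directory"), (0x04, "removable"),
    (0x08, "fixed"), (0x10, "network"), (0x20, "CD-ROM"), (0x40, "RAM disk"),
    (0x80, "reserved"),
]
WINDOWS_DEFAULT_MASK = 0x91  # assumed stock XP/Vista value when no policy is set

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')
POLICY_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CDROM_KEY = r"hkey_local_machine\system\currentcontrolset\services\cdrom"


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int}} (dword values only).
    Key paths are lower-cased because the registry is case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def disabled_drive_types(mask):
    """Drive types for which a NoDriveTypeAutoRun mask disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS if mask & bit]


def autorun_report(parsed):
    """What a snapshot does to AutoRun: the cdrom service flag plus each hive's policy."""
    cdrom = parsed.get(CDROM_KEY, {})
    report = {"cdrom_service_autorun": cdrom.get("AutoRun", 1) == 1}  # absent = enabled
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        pol = parsed.get((hive + POLICY_SUBKEY).lower(), {})
        mask = pol.get("NoDriveTypeAutoRun", WINDOWS_DEFAULT_MASK)
        report[hive] = {"NoDriveTypeAutoRun": mask,
                        "autorun_disabled_for": disabled_drive_types(mask)}
    return report


def diff_snapshots(expected, actual):
    """(key, value_name, expected, actual) for every value where `actual` differs."""
    return [(key, name, want, actual.get(key, {}).get(name))
            for key, values in expected.items()
            for name, want in values.items()
            if actual.get(key, {}).get(name) != want]


def read_live(template):
    """Windows only: read the keys/values named in `template` from the live registry."""
    import winreg
    hives = {"hkey_local_machine": winreg.HKEY_LOCAL_MACHINE,
             "hkey_current_user": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key, values in template.items():
        hive, _, subkey = key.partition("\\")
        for name in values:
            try:
                with winreg.OpenKey(hives[hive], subkey) as h:
                    snapshot.setdefault(key, {})[name] = winreg.QueryValueEx(h, name)[0]
            except FileNotFoundError:
                pass  # key or value absent: diff_snapshots then reports it as None
    return snapshot


if __name__ == "__main__":
    fix = parse_reg(REGFIX_TEXT)
    print(autorun_report(fix))
    for d in diff_snapshots(fix, parse_reg(LOCKED_DOWN_TEXT)):
        print("differs:", d)
```

On the machine in question you would run `diff_snapshots(parse_reg(REGFIX_TEXT), read_live(parse_reg(REGFIX_TEXT)))`: an empty list means the values already match the regfix, so merging it again changes nothing. Note what the regfix actually asks for: a mask of 0 leaves no drive-type bit set, so AutoRun is enabled for every drive type including removable USB media, which is more permissive than the stock Windows default of 0x91 and is the opposite of the hardening ComboFix applied.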

----------



## hewwo2u2 (Jan 10, 2009)

thanks!

do you by any chance know why my javascript and adobe flash player are not working? Are these disabled as well?


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> thanks!
> 
> do you by any chance know why my javascript and adobe flash player are not working? Are these disabled as well?


No they are not. You should be able to redownload those programs. They may be damaged.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal,

I believe I have both of these programs, however, no websites seem to think I do. They all say to download and install them, but to make sure I uninstall the ones I have first. The only problem is, when I go to the support site to see how to uninstall them correctly, it tells me that "java script must be enabled to view the content". I checked my Firefox settings and Java _is_ enabled. What do I do? And what causes this to happen? Everything was working fine not too long ago.


----------



## hewwo2u2 (Jan 10, 2009)

I looked on some other forums to see if anyone else was having the same problem and it appears that they are and it has happened within the last few days too. Have you been hearing from people with this problem too?


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## hewwo2u2 (Jan 10, 2009)

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
Apple Software Update
ATI Uninstaller
avast! Antivirus
BigFix
Browser Address Error Redirector
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Gateway Recovery Center Installer
Google Talk Plugin
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart Essential 2.01
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
Java(TM) 6 Update 13
Kodak DIGITAL GEM Airbrush Professional Plug-In 1.0.1
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Marvell(R) Wireless Card Software Package
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Money 2006
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
PDF Settings
Pet Vet 3D Animal Hospital
Power2Go 5.0
QuickTime
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
SigmaTel Audio
Spelling Dictionaries Support For Adobe Reader 9
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Windows Media Player Firefox Plugin


----------



## Cookiegal (Aug 27, 2003)

Have you tried using IE to install those programs rather than Firefox?


----------



## hewwo2u2 (Jan 10, 2009)

I did not try reinstalling yet. They were working just fine a while ago and I know I never removed them. I will reinstall them, but I am supposed to uninstall first according to the website. The only thing is, when I click on the link that has the directions for correctly uninstalling and reinstalling, it requires one of these players I think, because I cannot see what it says.

I never use IE though. I've been using Firefox for a very long time now, and never had a problem with flash or java in the past...

here is a link to the article that is supposed to tell me how to "completely" remove flash in order to re-install. The problem is that nothing comes up on my computer to view it! can you see anything? 
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14157

I also just checked in IE and found that the programs are working correctly with this browser. Something is going on in Firefox that is not letting me use my Flash and Java...what do I do?


----------



## hewwo2u2 (Jan 10, 2009)

I have a folder called "Combo-Fix" listed under Local Disc (C: ). Within this folder there is a single application icon called "Nircmd". Is this folder safe to delete? It wasn't removed when I uninstalled.


----------



## hewwo2u2 (Jan 10, 2009)

As for what I said about IE working, I take that back. It crashed on me and said the Flash add-on caused it to encounter a problem and had to close. But I AM able to view videos on IE that I cannot view with Firefox...


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> I have a folder called "Combo-Fix" listed under Local Disc (C: ). Within this folder there is a single application icon called "Nircmd". Is this folder safe to delete? It wasn't removed when I uninstalled.


Yes, you can delete the Combo-Fix folder.


----------



## Cookiegal (Aug 27, 2003)

I suggest you start a new thread for help with the Java and Flash as that's not my area of expertise. As I mentioned before, you would probably be best with a complete reformat and start from scratch.

I can't get the link you posted for Flash to load either. I get a "null" something or other error.


----------



## hewwo2u2 (Jan 10, 2009)

Ok. I plan on reformatting as soon as I get someone over here to help me do it. Thank you for your help


----------



## Cookiegal (Aug 27, 2003)

You're welcome and good luck.


----------



## hewwo2u2 (Jan 10, 2009)

Hi cookiegal, do you still recommend I delete my old restore points? I just remembered that I still hadn't done that. And after I went restore crazy and all, I was afraid to do it.


----------



## hewwo2u2 (Jan 10, 2009)

Ugh, this is just getting weirder and weirder. Now when I go to my Control Panel, the icons that are displayed are very large when they were always small before. I had not messed with any of the settings to cause this either. I changed them back to the small icons, but after I restarted my computer just now (I uninstalled Flash and wanted to restart and then check my Add/Remove Programs to see if it was gone) the icons in my Control Panel were huge again! You ever heard of that happening?

I still have to wait at least 2 weeks before I can get someone here to help me reformat btw. :/


----------



## hewwo2u2 (Jan 10, 2009)

My Flash Player is working in Firefox now. It appears to have been that NoScript add-on causing the problems. Apparently it left something behind when it was uninstalled (just like everything else seems to be doing when I uninstall them from my computer!). Anyway, I had uninstalled and reinstalled Flash and it still didn't work, so I reinstalled NoScript and then disabled it and Flash is working now!


----------



## Cookiegal (Aug 27, 2003)

hewwo2u2 said:


> Hi cookiegal, do you still recommend I delete my old restore points? I just remembered that I still hadn't done that. And after I went restore crazy and all, I was afraid to do it.


Yes, you should flush old restore points out.


----------



## hewwo2u2 (Jan 10, 2009)

Cookiegal said:


> Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:
> 
> To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
> Click the *System Restore* tab.
> ...


I am having difficulty finding "my computer > properties > system restore tab" to turn it off on Vista. Are these directions specific to XP?

I tried computer > system properties > system protection > system restore,
but there is no option here to turn it off...any advice?


----------



## Cookiegal (Aug 27, 2003)

Here are the Vista instructions.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

Click on the Start button to open your Start Menu. 
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list. 

You will now be at the System Protection tab in the System control panel. 

Clear the check box next to the disk to turn off System Protection, and then click OK. This will flush out all previous restore points.

Now select the check box next to the disk, and then click OK to turn system restore back on.

Now create a new restore point. Click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.

Type in a title for the manual restore point and press the Create button. Vista will now create a manual restore point, and when completed, display a notice saying that it was created successfully.


----------



## hewwo2u2 (Jan 10, 2009)

Alright. Done!


----------



## Cookiegal (Aug 27, 2003)

That's good.


----------

