Computer Security & Viruses/Win32:Sinowal removal
Expert: Brian Benosky - 8/27/2009
QUESTION: Hi Brian,
I have been trying for a long time now to remove Sinowal and am having no luck. Can you help me please!!
Here is the HJT log. I also have a ComboFix log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:01 PM, on 25/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Armstrong\Desktop\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11custreg?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: uninstall.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.proxy2.lib.umanitoba.ca/lib/umanitoba/support/plugins/ebr
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - https://bonfire.puretracks.com/en/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 12870 bytes
Here is the ComboFix log.
ComboFix 09-08-10.06 - Armstrong 16/08/2009 0:30.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.536 [GMT -5:00]
Running from: c:\documents and settings\Armstrong\Desktop\ComboFix.exe
AV: avast! antivirus 4.7.1098 [VPS 090815-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\asdf.exe
c:\documents and settings\All Users\Start Menu\Programs\Windows Live Messenger .lnk
c:\documents and settings\Armstrong\Local Settings\Temporary Internet Files\sph264.dll
c:\documents and settings\Armstrong\Local Settings\Temporary Internet Files\spmpeg4.dll
c:\documents and settings\Armstrong\Local Settings\Temporary Internet Files\sptheo.dll
c:\documents and settings\Armstrong\Local Settings\Temporary Internet Files\StreamPlug.dll
c:\windows\system32\tmp.reg
.
((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.
2009-08-16 03:42 . 2009-08-16 03:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 03:42 . 2009-08-16 03:42 152576 ----a-w- c:\documents and settings\Armstrong\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-16 03:37 . 2009-08-16 03:37 -------- d-----w- c:\documents and settings\Armstrong\Application Data\Malwarebytes
2009-08-16 03:37 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 03:37 . 2009-08-16 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 03:37 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 03:37 . 2009-08-16 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 03:30 . 2009-08-16 03:32 -------- d-----w- c:\documents and settings\Armstrong\.SunDownloadManager
2009-08-16 02:29 . 2009-08-16 02:30 -------- d-----w- c:\windows\system32\NtmsData
2009-08-12 08:02 . 2009-08-12 08:02 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 06:33 . 2009-08-12 06:33 -------- d-----w- c:\program files\iPod
2009-08-12 06:33 . 2009-08-12 06:33 -------- d-----w- c:\program files\iTunes
2009-08-12 06:33 . 2009-08-12 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-12 06:31 . 2009-08-12 06:31 -------- d-----w- c:\program files\QuickTime
2009-08-12 06:26 . 2009-08-12 06:26 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-11 02:30 . 2009-08-11 02:30 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-09 08:26 . 2009-08-09 08:26 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 08:26 . 2009-08-09 08:26 -------- d-----w- c:\program files\MSBuild
2009-08-09 08:26 . 2009-08-09 08:26 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 08:25 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 08:25 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 08:25 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 08:25 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 08:25 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 08:25 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 08:25 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 08:17 . 2009-08-09 08:17 -------- d-----w- c:\program files\MSXML 6.0
2009-07-17 18:55 . 2009-07-17 18:55 58880 ------w- c:\windows\system32\dllcache\atl.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 03:42 . 2005-08-06 06:08 -------- d-----w- c:\program files\Java
2009-08-12 06:33 . 2007-09-11 05:04 -------- d-----w- c:\program files\Common Files\Apple
2009-08-12 06:28 . 2007-09-11 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-12 06:25 . 2007-10-12 22:47 -------- d-----w- c:\program files\AirPort
2009-08-11 02:30 . 2006-07-17 02:17 -------- d-----w- c:\program files\DivX
2009-08-10 06:32 . 2005-08-16 00:13 26752 -c--a-w- c:\documents and settings\Armstrong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 02:43 . 2007-02-12 09:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 21:52 . 2007-11-09 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-08-07 21:35 . 2009-02-13 01:48 -------- d-----w- c:\documents and settings\Armstrong\Application Data\DNA
2009-08-07 18:15 . 2009-02-13 01:48 -------- d-----w- c:\program files\DNA
2009-08-07 08:46 . 2007-09-26 20:19 -------- d-----w- c:\program files\Blubster
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 17:16 . 2009-03-16 02:02 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 17:16 . 2007-09-11 05:04 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-10 18:01 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
2007-02-12 09:07 . 2004-05-14 20:15 4354084 ----a-w- c:\program files\spybotsd13.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-10-06 20992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-01 4636672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-12-01 921600]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2004-10-06 14848]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-04-03 364544]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
uninstall.exe [2009-8-15 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\resources\Josie\logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^uninstall.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\uninstall.exe
backup=c:\windows\pss\uninstall.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Armstrong^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Armstrong\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys --> c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdrv2.sys [?]
S3 cd6a306b-3dd8-4fa9-bb8a-0a684ba689d0;cd6a306b-3dd8-4fa9-bb8a-0a684ba689d0;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [30/09/2004 3:05 AM 158080]
.
Contents of the 'Scheduled Tasks' folder
2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
FF - ProfilePath - c:\documents and settings\Armstrong\Application Data\Mozilla\Firefox\Profiles\n97gfqm4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.stockhouse.com/pfolio.aspx?user=sh
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&p=
FF - component: c:\documents and settings\Armstrong\Application Data\Mozilla\Firefox\Profiles\n97gfqm4.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
FF - plugin: c:\documents and settings\Armstrong\Application Data\Mozilla\Firefox\Profiles\n97gfqm4.default\extensions\\plugins\NPinfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-08-16 00:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-08-16 0:38
ComboFix-quarantined-files.txt 2009-08-16 05:37
Pre-Run: 6,078,377,984 bytes free
Post-Run: 6,220,001,280 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
196 --- E O F --- 2009-08-12 08:05
Thank you in advance!!!!!
Justin
ANSWER: Hi Justin
Sinowal is difficult to remove because it infects XP's Master Boot Record. I would like for you to download and run SDFix in Safe Mode according to the instructions here:
http://www.bleepingcomputer.com/forums/topic131299.html
When completed, post me that log and a new HJT log. Thanks.
Brian
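The answer above explains that Sinowal persists by infecting the Master Boot Record rather than living in an ordinary file. As an added illustration that is not part of this thread and is not SDFix's or any other named tool's code, the Python script below shows the check a defender would run to confirm whether the MBR's boot code still matches a known-good copy: it parses a 512-byte sector, verifies the 0x55AA boot signature, reads the partition table, and hashes only the boot-code region, so a bootkit that rewrites the boot code while leaving the partition table untouched is still flagged. The sample sectors, the stand-in boot-code bytes and the baseline hash are all constructed for this demonstration.

```python
"""Verify a 512-byte Master Boot Record image against a known-good baseline.

Added illustration (not from the thread above and not from SDFix or any
other tool). Bootkits that infect the MBR overwrite the bootstrap code
but usually leave the partition table intact, so the baseline hash covers
only the boot-code region; legitimate partition edits do not trip it.
All sample sectors below are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code in the classic layout
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIGNATURE_OFF = 510      # two-byte boot signature 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status | CHS start (3 bytes, skipped) | type | CHS end (skipped) | LBA start | sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]  # 0x55,0xAA reads as 0xAA55
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": signature == 0xAA55}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap region only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Report whether the sector is a valid MBR whose boot code matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing: sector is not a valid MBR")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline: possible MBR overwrite")
    if not info["partitions"]:
        findings.append("no partition entries present")
    return {"clean": not findings, "findings": findings, "partitions": info["partitions"]}


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one active NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    # Constructed entry: active (0x80), NTFS type 0x07, starting at LBA 63, 2,000,000 sectors
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 2_000_000)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-ins: the "known good" image plays the role of the clean
# install's MBR; the "tampered" image has different boot code but the same table.
KNOWN_GOOD = make_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20)
BASELINE = boot_code_hash(KNOWN_GOOD)
TAMPERED = make_sample_mbr(b"\xEB\xFE" + b"\x00" * 10)

if __name__ == "__main__":
    for name, image in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(name, check_mbr(image, BASELINE))
```

On a live Windows machine the sector to check is the first 512 bytes of `\\.\PhysicalDrive0` (opening it requires administrator rights); the baseline hash must come from a trusted source such as a clean install of the same Windows version, taken before the incident, since hashing the suspect sector against itself proves nothing.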
---------- FOLLOW-UP ----------
QUESTION: Hi Brian,
I ran SDFix and it found an uninstall.exe file and deleted it; however, once SDFix finished and closed, AVG opened with a virus detection: uninstall.exe in the same location. Anyway, here are the requested logs!
Thank you again!
[b]SDFix: Version 1.240 [/b]
Run by Armstrong on 26/08/2009 at 07:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
Trojan Files Found:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe - Deleted
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-08-26 21:02:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"="C:\\Program Files\\TVersity\\Media Server\\MediaServer.exe:*:Enabled:TVersity Media Server"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\AirPort\\APAgent.exe"="C:\\Program Files\\AirPort\\APAgent.exe:*:Enabled:AirPort"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\Program Files\\AVG\\AVG8\\avgam.exe"="C:\\Program Files\\AVG\\AVG8\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[b]Remaining Files [/b]:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe Found
File Backups: - C:\SDFix\backups\backups.zip
[b]Files with Hidden Attributes [/b]:
Fri 11 Jun 2004 49,152 ...H. --- "C:\Program Files\Apoint\ApInst.dll"
Thu 19 Aug 2004 45,056 A..H. --- "C:\Program Files\Apoint\ApntEx.exe"
Thu 14 Oct 2004 1,122,304 A..H. --- "C:\Program Files\Apoint\Apoint.dll"
Mon 13 Sep 2004 155,648 A..H. --- "C:\Program Files\Apoint\Apoint.exe"
Tue 3 Jun 2003 102,400 A..H. --- "C:\Program Files\Apoint\Elprop.dll"
Wed 2 Jun 2004 49,152 A..H. --- "C:\Program Files\Apoint\EzAuto.dll"
Thu 17 Jun 2004 159,744 A..H. --- "C:\Program Files\Apoint\Ezcapt.exe"
Tue 15 Jun 2004 204,800 A..H. --- "C:\Program Files\Apoint\EzLaunch.dll"
Thu 19 Aug 2004 196,608 A..H. --- "C:\Program Files\Apoint\Uninstap.exe"
Mon 16 Jul 2007 961,536 A..H. --- "C:\Program Files\Ares\Ares.exe"
Tue 25 Oct 2005 15,744 A..H. --- "C:\Program Files\Ares\tcpip_patcher.sys"
Mon 10 Sep 2007 62,930 A..H. --- "C:\Program Files\Ares\Uninstall.exe"
Tue 28 Jul 2009 1,548,120 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Fri 21 Dec 2007 2,045 ...H. --- "C:\Documents and Settings\All Users\Application Data\whlprd32a.dll"
Fri 11 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 18 Aug 2004 1,490,944 A..H. --- "C:\Program Files\Broadcom\BACS\BACS.exe"
Wed 18 Aug 2004 118,784 A..H. --- "C:\Program Files\Broadcom\BACS\BacsTray.exe"
Thu 24 Apr 2003 6,025 A..H. --- "C:\Program Files\Broadcom\BACS\BASFND.sys"
Mon 2 Aug 2004 229,376 A..H. --- "C:\Program Files\Broadcom\BACS\BMAPI.dll"
Thu 19 Feb 2004 106,496 A..H. --- "C:\Program Files\Broadcom\BACS\cabw32.dll"
Thu 30 Jan 2003 12,073 A..H. --- "C:\Program Files\Broadcom\BACS\FAD.sys"
Thu 30 Jan 2003 11,904 A..H. --- "C:\Program Files\Broadcom\BACS\FADXP32.sys"
Sun 9 Aug 1998 86,016 A..H. --- "C:\Program Files\Common Files\DESIGNER\MSADDNDR.DLL"
Tue 20 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 3 Nov 2003 7,671,876 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.bak"
Thu 8 Apr 2004 162,214 ...H. --- "C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.EXE"
Wed 1 Oct 2003 94,208 A..H. --- "C:\Program Files\Common Files\Hewlett-Packard\Scanjet\hpgscnsv.dll"
Mon 3 Nov 2003 416,040 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\pdf.bak"
Mon 3 Nov 2003 225,891 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Accessibility.bak"
Mon 3 Nov 2003 1,561,187 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Acroform.bak"
Mon 3 Nov 2003 1,352,291 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.bak"
Mon 3 Nov 2003 950,959 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Escript.bak"
Mon 3 Nov 2003 1,376,935 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\XFA.bak"
Thu 4 Sep 2003 118,784 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodae.dll"
Thu 4 Sep 2003 155,648 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodai.dll"
Thu 4 Sep 2003 77,824 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodaierr.dll"
Thu 4 Sep 2003 65,536 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodaud.dll"
Thu 4 Sep 2003 274,432 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodcore3.dll"
Thu 4 Sep 2003 143,360 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodcpx2.dll"
Thu 4 Sep 2003 180,224 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodcpxe.dll"
Thu 20 Nov 2003 532,480 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodctr.dll"
Thu 4 Sep 2003 180,224 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpoddoh.dll"
Thu 4 Sep 2003 81,920 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpoddrv.dll"
Thu 4 Sep 2003 204,800 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpoddsb.dll"
Thu 4 Sep 2003 57,344 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodexif.dll"
Thu 4 Sep 2003 131,072 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodimg3.dll"
Thu 4 Sep 2003 13,312 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodinet2enu.dll"
Thu 4 Sep 2003 86,016 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodinet2.dll"
Thu 4 Sep 2003 35,328 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodloc3.dll"
Thu 4 Sep 2003 65,536 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodlog3.exe"
Thu 4 Sep 2003 475,136 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\HPODMmc.dll"
Thu 4 Sep 2003 36,864 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodmp.dll"
Thu 4 Sep 2003 69,632 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodmpv.dll"
Thu 4 Sep 2003 319,488 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodmpv_md.dll"
Thu 4 Sep 2003 102,400 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodpc3.dll"
Thu 4 Sep 2003 208,896 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodprt3.dll"
Thu 4 Sep 2003 356,352 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodPrtC.dll"
Thu 4 Sep 2003 815,104 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodprint.dll"
Thu 4 Sep 2003 102,400 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodrend.exe"
Thu 4 Sep 2003 94,208 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\HPODRunTimelineFilter.dll"
Thu 4 Sep 2003 98,304 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodserv.exe"
Thu 4 Sep 2003 110,592 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodskin2.dll"
Thu 4 Sep 2003 57,344 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\HPODSlideVideoMPEG.dll"
Thu 4 Sep 2003 57,344 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodtrk.dll"
Thu 4 Sep 2003 73,728 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodvid.dll"
Thu 20 Nov 2003 720,896 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodwiz3.dll"
Thu 4 Sep 2003 380,928 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodwiz3enu.dll"
Thu 4 Sep 2003 212,992 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\hpodxmlutil.dll"
Thu 4 Sep 2003 118,784 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\HPODXPAT.DLL"
Thu 4 Sep 2003 184,320 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\IPicEnc.dll"
Thu 4 Sep 2003 183,808 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\toolame.dll"
Thu 4 Sep 2003 49,152 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\vcdliba.dll"
Thu 4 Sep 2003 168,960 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\vcdlibb.dll"
Thu 4 Sep 2003 598,016 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\vcdlibm2.dll"
Thu 4 Sep 2003 69,632 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\xanalyze.dll"
Thu 4 Sep 2003 270,336 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\xaudio.dll"
Mon 3 Nov 2003 1,770,157 A..H. --- "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\Annotations\Annots.bak"
Thu 4 Sep 2003 376,832 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LCODCCMP.DLL"
Thu 4 Sep 2003 30,208 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\lfbmp13n.dll"
Thu 4 Sep 2003 417,280 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LFCMP13n.DLL"
Thu 4 Sep 2003 433,664 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LFCMP13s.DLL"
Thu 4 Sep 2003 73,728 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\lffax13n.dll"
Thu 4 Sep 2003 47,104 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\lfgif13n.dll"
Thu 4 Sep 2003 19,968 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\lfpcd13n.dll"
Thu 4 Sep 2003 65,536 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\Lfpct13n.dll"
Thu 4 Sep 2003 181,760 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\Lfpng13n.dll"
Thu 4 Sep 2003 140,288 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\lftif13n.dll"
Thu 4 Sep 2003 110,592 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LMVClr.dll"
Thu 4 Sep 2003 94,208 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LMVCrop.dll"
Thu 4 Sep 2003 118,784 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LMVRGBxf.dll"
Thu 4 Sep 2003 73,728 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LMVRot.dll"
Thu 4 Sep 2003 94,208 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LMVRsz.dll"
Thu 4 Sep 2003 1,693,696 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LTCLR13n.dll"
Thu 4 Sep 2003 269,312 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LTDIS13n.dll"
Thu 4 Sep 2003 206,336 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\ltefx13n.dll"
Thu 4 Sep 2003 150,528 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\ltfil13n.DLL"
Thu 4 Sep 2003 445,440 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\ltimg13n.dll"
Thu 4 Sep 2003 446,976 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\ltkrn13n.dll"
Thu 4 Sep 2003 225,280 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\LTStlImgRd.dll"
Thu 4 Sep 2003 44,032 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\lttwn13n.dll"
Thu 4 Sep 2003 1,009,664 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\Ltwvc13n.dll"
Thu 4 Sep 2003 212,480 A..H. --- "C:\Program Files\Common Files\HP\Memories Disc\2.0\LeadTools\PCDLIB32.DLL"
Sat 6 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 6 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 6 Aug 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Finished!
HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:10 PM, on 26/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Armstrong\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11custreg?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: uninstall.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.proxy2.lib.umanitoba.ca/lib/umanitoba/support/plugins/ebr
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - https://bonfire.puretracks.com/en/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 12659 bytes
ANSWER: Hi Justin
We'll try a manual removal then. Temporarily Disable System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Now click Start->Run->then type cleanmgr and hit Enter. This will clear all the temp files.
Next, download Killbox to your desktop from here:
http://download.bleepingcomputer.com/spyware/KillBox.exe
Restart the computer in Safe Mode, then click on Killbox.exe
Type the following in the box:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
Click to Delete on Reboot
Press the red button with the white X
Now reboot and check for the file by running HJT and looking for:
O4 - Global Startup: uninstall.exe
If it doesn't exist, great...send me the latest log. If it is still there, you may need to try using the Windows Recovery Console and running fixmbr, but let's see first how Killbox works.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian,
Still there.
This thing is a pain!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:25 PM, on 26/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Armstrong\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11custreg?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: uninstall.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.proxy2.lib.umanitoba.ca/lib/umanitoba/support/plugins/ebr
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} - https://bonfire.
ANSWER: Hi Justin
I was hoping against hope that it would work. The final step before wiping and reformatting is to run fixmbr from the Windows Recovery Console. Please follow the instructions below:
1. Insert the Windows XP CD into your CD drive and restart your computer. If you are prompted, select any options required to start (boot) from the CD.
2. When the text-based part of Setup begins, follow the prompts. Select the repair or recover option by pressing R.
3. If you have a dual-boot or multiboot system, select the installation that you want to access from the Recovery Console.
4. When you are prompted, type the Administrator password.
5. At the command prompt, type fixmbr and press enter.
6. When finished, take out the XP CD, type exit and press enter.
Your computer will restart. After boot, run a HJT to check for the uninstall.exe file.
Brian
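Both of Brian's answers end with the same verification step: rerun HijackThis and look for the "O4 - Global Startup: uninstall.exe" line. The Python below is an added example, not code from the thread, from Trend Micro or from the posters; it parses HJT log text in the format posted above (re-joining URLs that were wrapped onto the next line), reports whether that Global Startup item survived, diffs two scans so a persistent item stands out, and lists the entries an analyst reads first. The two sample logs are constructed, shortened extracts; the "after" log shows what the Killbox step aims for, not the rescan Justin actually posted.

```python
"""Triage helpers for Trend Micro HijackThis (HJT) log text: parse the R*/O*
item lines, re-join wrapped URLs, and compare two scans of the same machine.
Added example for this thread; not code from HijackThis or from the posters."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Item lines start with a section code: R0/R1, O2, O4, O9, O16, O18, O23, ...
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O4"
    body: str     # text after "O4 - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt_log(text: str) -> list[HjtEntry]:
    """Return the item entries, skipping the header and the process list.
    A line with no section code that follows an entry ending in '-' or '='
    is a URL wrapped onto the next line (see the O16/R1 lines above)."""
    entries: list[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
        elif entries and entries[-1].body.endswith(("-", "=")):
            prev = entries.pop()
            entries.append(HjtEntry(prev.section, f"{prev.body} {line}"))
    return entries


def startup_still_present(log_text: str, name: str = "uninstall.exe") -> bool:
    """True if an 'O4 - Global Startup: <name>' item is still in the log."""
    return any(
        e.section == "O4"
        and e.body.lower().startswith("global startup:")
        and name.lower() in e.body.lower()
        for e in parse_hjt_log(log_text)
    )


def diff_scans(before_text: str, after_text: str) -> tuple[list[str], list[str]]:
    """Return (removed, added) item lines between two scans."""
    before = {e.line for e in parse_hjt_log(before_text)}
    after = {e.line for e in parse_hjt_log(after_text)}
    return sorted(before - after), sorted(after - before)


def flag_for_review(entries: list[HjtEntry]) -> list[str]:
    """Items to read first: dangling '(no file)' references, services with
    no identified publisher, and anything in the all-users Startup folder."""
    return [
        e.line for e in entries
        if "(no file)" in e.body
        or "Unknown owner" in e.body
        or (e.section == "O4" and e.body.startswith("Global Startup:"))
    ]


# Constructed, shortened extract of the 9:13 PM scan posted in the thread.
SCAN_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:10 PM, on 26/08/2009
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: uninstall.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
--
End of file - 12659 bytes
"""

# Constructed "after" scan: what the Killbox step aims for. (Justin's real
# 10:50 PM rescan still listed the Global Startup item, so it persisted.)
SCAN_AFTER = SCAN_BEFORE.replace("O4 - Global Startup: uninstall.exe\n", "")

if __name__ == "__main__":
    print("uninstall.exe still present:", startup_still_present(SCAN_AFTER))
    print("removed/added:", diff_scans(SCAN_BEFORE, SCAN_AFTER))
    for item in flag_for_review(parse_hjt_log(SCAN_BEFORE)):
        print("review:", item)
```

Running it against the real 9:13 PM and 10:50 PM logs above would report the Global Startup item as still present and an empty removed list, which is exactly the "Still there" result that led Brian to the fixmbr step.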