Unable to use Search function and Install Programs [Solved]


  • This topic is locked This topic is locked

#1
Graye

    Member

  • 17 posts
I was referred here after having initially posted in the Windows XP forum by wannabe1. After following said individual's advice, which concerned running through the Malware Cleaning Guide, I am seeking further aid herein.

First, my issue is as follows: when attempting to utilize the "search" function of Windows XP, either via the Start button or through Windows Explorer, I encounter an error which reads "Windows Explorer has encountered an error and needs to close. We are sorry for the inconvenience." I am then prompted to either forward the error to Microsoft or not, however, either option leads to the search window freezing and then closing. Furthermore, this same error is encountered if I attempt to install any new programs. An install attempt from the desktop, however, leads to a complete system freeze. Furthermore, on occasion, a Dr Watson's Postmortem Debugger error is also reported.
This too, may be pertinent: all of the errors report that such is related to the entapi.dll file (which is listed as EntAPI.dll in the system32 directory).

Now, my results of running through the Malware Cleaning Guide are as follows:
1. I successfully downloaded and ran the ATFCleaner. This resulted in ATFCleaner freeing 1,312 kbs. Prior to having run ATFCleaner, I had already manually cleaned my computer of temporary files and the like.
2. A new System Restore point was created with SysRestore
3. The registry was backed up with ERUNT.
4. Attempting to install Malwarebytes' Anti-Malware system was unsuccessful. I immediately encountered a "Windows Explorer has encountered an error..." pop-up, followed swiftly by a DrWatson Postmortem Debugger error, followed by a non-responsive program error. The Windows Explorer window through which I had navigated to the file had to be shut down via the Windows Task Manager. I then sought to execute the program via a download to the Desktop, which resulted in Windows freezing. Technically, I was unable to interact with any of the interface elements that were already open (including the Start button), however, the Task Manager could still be accessed. A re-start was necessary in order to clear such, as no amount of waiting led to the computer becoming accessible. Renaming the application had no effect on its ability to be executed.
5. I was unable to install any of the anti-spy/malware programs.
6. The Windows Updates option is set to Automatic download and install. To the best of my knowledge, all pertinent updates have been installed.
7. I was unable to install HiJackThis via the installer or executable, however, downloading the archive direct to the Desktop and then unzipping it to a new folder, opening said folder and running the executable therein worked. The log's contents are pasted below and, lest they are incomplete, the file is attached as well.
Thanks for your time...

---------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:10 PM, on 2/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\LEXPPS.EXE
C:\Program Files\RelevantKnowledge\rlvknlg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system32\RUNDLL32.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\windows\system32\hpoipm07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\oodag.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\drwtsn32.exe
C:\windows\system32\drwtsn32.exe
C:\windows\system32\drwtsn32.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\drwtsn32.exe
C:\windows\system32\drwtsn32.exe
C:\windows\explorer.exe
C:\Documents and Settings\Computer User\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com...a...amp;s=&ipc=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Internet_Explorer.exe] C:\Windows\System32\Internet_Explorer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RelevantKnowledge] C:\Program Files\RelevantKnowledge\rlvknlg.exe -boot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.runaware.com
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135821608875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139344944843
O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll
O20 - Winlogon Notify: urqPJbAT - urqPJbAT.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 9373 bytes


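The HijackThis log above is triaged by eye in this thread. The helper below is an added example, not code from the thread, from Geeks to Go or from the HijackThis project: it parses the `O<n> - ...` entry format the log uses, flags load points whose target HijackThis marks as `(file missing)` or `(no file)` and Winlogon Notify DLLs named without a path (the Mjcore BHO and the urqPJbAT Notify entry flagged this way are the ones ComboFix later reports as deleted), and lists which entries disappeared between a before and an after log, which is the comparison the moderator asks for when requesting a fresh log. The `SAMPLE_BEFORE` lines are copied from the log above; `SAMPLE_AFTER` is a constructed post-cleaning version; the section set and the two heuristics are choices made for this example, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines.
Added example for this thread; not part of HijackThis itself."""
import re
from dataclasses import dataclass, field
from typing import List

# Sections that register code to run automatically: BHOs (O2), IE toolbars (O3),
# Run keys / Startup folders (O4), Winlogon Notify DLLs (O20), services (O23).
# This set is a choice for the example, not a HijackThis definition.
LOAD_POINT_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}

# Every scan entry looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# A target given as a real path: drive letter or an environment-variable root.
FULL_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)")

# HijackThis appends these when the referenced file does not exist on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Keep only the structured scan entries; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag load points an analyst looks at first: orphaned targets and
    Winlogon Notify DLLs that are named without a path."""
    findings = []
    for e in entries:
        if e.section not in LOAD_POINT_SECTIONS:
            continue
        reasons = []
        body_l = e.body.lower()
        if any(marker in body_l for marker in MISSING_MARKERS):
            reasons.append("load point whose target file is missing (orphan)")
        if e.section == "O20" and not FULL_PATH_RE.search(e.body):
            reasons.append("Winlogon Notify DLL given by bare name, not a full path")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def removed_between(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present in the first log but absent from the second, in log order."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


# Sample input: lines copied from the first HijackThis log posted in this thread.
SAMPLE_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\windows\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com...a...amp;s=&ipc=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Internet_Explorer.exe] C:\Windows\System32\Internet_Explorer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll
O20 - Winlogon Notify: urqPJbAT - urqPJbAT.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed "after cleaning" sample: the same log without the orphaned entries
# and without the Run entry ComboFix listed under ORPHANS REMOVED.
SAMPLE_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com...a...amp;s=&ipc=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def main() -> None:
    before = parse_log(SAMPLE_BEFORE)
    for f in triage(before):
        print(f"{f.entry.section}: {f.entry.body}")
        for r in f.reasons:
            print(f"    -> {r}")
    print("removed after cleaning:")
    for e in removed_between(before, parse_log(SAMPLE_AFTER)):
        print(f"    {e.section} - {e.body}")


if __name__ == "__main__":
    main()
```

A "file missing" marker means only that the file is gone while its load point remains; that is what makes such entries worth cleaning (an orphaned reference) rather than proof of anything about the missing file, so the output is a reading list for the analyst, not a verdict.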
#2
JSntgRvr

    Global Moderator

  • 11,591 posts
Hi, Graye :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3
Graye

    Member

  • Topic Starter
  • 17 posts
Wow, you guys are really swift to respond. Thank you, I appreciate that immensely!
I followed the steps exactly and, superficially at least, it seems to have resolved the problem. The search function now works. The ComboFix log and new HijackThis log are attached below. Their contents are pasted between the "====" lines.
I should note that Combofix did encounter one issue, a "Boot Partition cannot be enumerated correctly" error, which, I believe, is the result of a faulty install my son attempted a year or two ago of a separate OS.

==================================================================

ComboFix 09-02-02.04 - Computer User 2009-02-02 16:37:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1438 [GMT -8:00]
Running from: c:\documents and settings\Computer User\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Computer User\Application Data\SpeedRunner
c:\documents and settings\Computer User\Application Data\SpeedRunner\config.cfg
c:\documents and settings\Computer User\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\inetget2
c:\program files\Mjcore
c:\program files\Mozilla Firefox\plugins\npclntax.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
c:\windows\Tasks\startt.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 16:37 . 2009-02-02 16:37 <DIR> d-------- C:\quarantine
2009-02-02 15:09 . 2009-02-02 15:09 <DIR> d-------- c:\program files\ERUNT
2009-01-30 19:52 . 2009-01-30 19:51 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-30 19:51 . 2009-01-30 20:34 <DIR> d-------- c:\documents and settings\Computer User\.housecall6.6
2009-01-14 23:18 . 2009-01-14 23:18 118 --a------ c:\windows\system32\MRT.INI
2009-01-13 17:06 . 2009-01-13 17:06 302 --a------ c:\program files\temp995.bat
2009-01-11 20:09 . 2009-01-11 20:10 98,304 --a------ C:\all the kings m.mdb
2009-01-11 20:09 . 2009-01-11 20:09 94,208 --a------ C:\all the kings m_Backup.mdb
2009-01-07 16:57 . 2009-01-07 16:57 28,718 --a------ C:\dkk copy.jpg
2009-01-07 16:46 . 2009-01-07 16:46 24,883 --a------ C:\dkk.aspx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 22:24 39,094 ----a-w c:\documents and settings\Computer User\Application Data\wklnhst.dat
2009-01-31 17:13 --------- d-----w c:\documents and settings\Computer User\Application Data\AVG7
2009-01-29 21:42 --------- d-----w c:\program files\TaxCut2005
2009-01-21 07:02 --------- d-----w c:\program files\mIRC
2009-01-15 07:18 --------- d-----w c:\program files\Webtools
2009-01-10 00:00 --------- d-----w c:\program files\Common Files\Adobe
2009-01-04 05:55 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-30 05:55 --------- d-----w c:\documents and settings\Computer User\Application Data\FrostWire
2008-12-26 21:56 106,496 ----a-w c:\windows\DUMP7668.tmp
2008-12-26 21:54 106,496 ----a-w c:\windows\DUMP757e.tmp
2008-12-26 21:51 106,496 ----a-w c:\windows\DUMP75db.tmp
2008-12-26 21:49 106,496 ----a-w c:\windows\DUMP761a.tmp
2008-12-24 02:36 --------- d-----w c:\documents and settings\Administrator.COMPUTER-DC10C8.000\Application Data\AVG7
2008-12-24 01:49 --------- d-----w c:\documents and settings\Administrator.COMPUTER-DC10C8.000\Application Data\Lavasoft
2008-12-23 23:23 106,496 ----a-w c:\windows\DUMP6198.tmp
2008-12-23 23:20 106,496 ----a-w c:\windows\DUMP6215.tmp
2008-12-23 23:17 106,496 ----a-w c:\windows\DUMP7167.tmp
2008-12-23 23:14 106,496 ----a-w c:\windows\DUMP6244.tmp
2008-12-23 23:11 106,496 ----a-w c:\windows\DUMP72af.tmp
2008-12-23 23:08 106,496 ----a-w c:\windows\DUMP6179.tmp
2008-12-23 23:06 106,496 ----a-w c:\windows\DUMP61f7.tmp
2008-12-23 23:03 106,496 ----a-w c:\windows\DUMP6169.tmp
2008-12-23 23:00 106,496 ----a-w c:\windows\DUMP6205.tmp
2008-12-23 21:21 106,496 ----a-w c:\windows\DUMP6774.tmp
2008-12-23 21:09 106,496 ----a-w c:\windows\DUMP613a.tmp
2008-12-23 21:07 106,496 ----a-w c:\windows\DUMP62f1.tmp
2008-12-23 21:03 106,496 ----a-w c:\windows\DUMP638c.tmp
2008-12-23 21:00 106,496 ----a-w c:\windows\DUMP62f0.tmp
2008-12-23 20:35 106,496 ----a-w c:\windows\DUMP6541.tmp
2008-12-23 20:31 106,496 ----a-w c:\windows\DUMP6188.tmp
2008-12-23 20:28 106,496 ----a-w c:\windows\DUMP61f6.tmp
2008-12-23 20:25 106,496 ----a-w c:\windows\DUMP6253.tmp
2008-12-23 20:22 106,496 ----a-w c:\windows\DUMP6409.tmp
2008-12-15 23:54 106,496 ----a-w c:\windows\DUMP5d23.tmp
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 00:24 106,496 ----a-w c:\windows\DUMP5f56.tmp
2008-12-10 23:47 106,496 ----a-w c:\windows\DUMP5f46.tmp
2008-12-08 05:10 --------- d-----w c:\program files\FrostWire
2008-12-08 04:38 --------- d-----w c:\program files\Java
2008-12-05 18:22 --------- d-----w c:\program files\Hewlett-Packard
2008-12-05 18:22 --------- d-----w c:\documents and settings\Computer User\Application Data\Share-to-Web Upload Folder
2008-12-03 21:52 --------- d-----w c:\program files\RelevantKnowledge
2008-11-14 00:54 60,744 ----a-w c:\documents and settings\Computer User\g2mdlhlpx.exe
2006-02-04 13:02 18,088 ----a-w c:\documents and settings\Computer User\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 12:00 94,784 --sh--w c:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sh--w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sh--w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sh--w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\system32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Computer User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-04 113664]
Hewlett-Packard Recorder.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe [2000-08-24 67584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-04 113664]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-05-24 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.vp31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\program files\\relevantknowledge\\rlvknlg.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6060:TCP"= 6060:TCP:Port 6060

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-12-28 58048]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2007-01-17 120320]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [2007-01-17 78848]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
S3 o1394bul;o1394bul;\??\c:\docume~1\COMPUT~1\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\COMPUT~1\LOCALS~1\Temp\o1394bul.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed6bc2e-dfc8-11db-bbd3-000cf1d31bb0}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-Internet_Explorer.exe - c:\windows\System32\Internet_Explorer.exe
Notify-urqPJbAT - urqPJbAT.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.freeze.com/?AcquisitionID=5a5fea5e-be78-4694-9cb0-54237fe403a8&s=&ipc=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search - http://edits.mywebse...html?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com
Trusted Zone: runaware.com
FF - ProfilePath - c:\documents and settings\Computer User\Application Data\Mozilla\Firefox\Profiles\ntnloipf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\RelevantKnowledge\components\rlxg.dll
FF - plugin: c:\documents and settings\Computer User\Application Data\Mozilla\Firefox\Profiles\ntnloipf.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\Computer User\Application Data\Mozilla\Firefox\Profiles\ntnloipf.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_fastbid2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 16:42:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-73586283-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bb,41,10,8a,e2,e6,b5,15,0e,38,0b,3a,b9,68,53,b7,3c,2b,a4,36,90,96,c3,
c0,ba,d1,97,55,89,56,9d,e6,af,d4,de,2d,0e,ac,b9,ab,4f,14,23,91,bd,4f,42,6a,\
"??"=hex:e2,d3,25,ee,c6,51,67,34,0f,68,8f,b7,da,4e,4b,79

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:c2,cd,65,ab,9c,61,fa,01,ae,96,b0,fb,3a,df,da,8d,5e,d2,4b,30,1c,
5e,4d,d0,f0,1e,cd,e9,3e,76,b3,e8,07,37,b5,8b,49,28,84,40,39,e4,9d,05,92,2f,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="D1462C380222358F3E5C91C94C787F904619EF3D54757C954023CE10722C35BD1C253392152
F43C19CA71F6E296E3B405C765CC5C6A45D21A7951A5DB35899082947D8D2316967DAD925A7EA1F2A
68CB54452F6CEB195C8662F08E8751166558EC698A526CB09F79B24205531910825F4E43CE1C21559
39994E240733F24F0C9334B288D71AA2026B4EE855C15C2380841319663DA204F11379EB727850DC3
DD9BAF07A57B3F51C84520E9DF252CF03973D5D676218113099B5BEE51401B1F7917DDEF5FDB99CCA
E1CCD695CEE794347037AD02A8D489201E052D940215DF4E2EE242125F8AA6308C4752EF22E9CFC6F
E06CBD7A5108385BFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CF
EBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933FEBC9E127BECC74CA6171C11EC38DE3DA6
A0AC4980AC79330C620AC59A6B1B9FA0589C02A6C83AFBE29D8A5995681C75DC0CD0C06D9D1C0B812
09769831E7DC22DD98461ACED281485B758BCBFDDA5D49D3B56CB639DFD3E700307EC30D851FE2868
3DE021E157DC38BFFAB7D3769D6AC41B96CB18881B435B1F3C4B53A21BE5F96AB5D12CCEE991E90E0
F188F9C5F38E69279A400AB30061A8D0CA03349926EDDC9D12C0823B5D05A7C25CB420180A96A8D5B
DE1D162C5A5AEAC0302ADFA5F36773678A0511C21E20E94168D015C5890AFA0F280A1C33F219D899D
FA63875B2F8DA41AB060E5161A5B85A24B2112B88D450D6D173569B6B2CFA46B7A96E53CECC739F72
01D3CF65A74FDDDCF5705E3B2C046F4F9CA0723FBA79EF68CA5D4BCDEDB7B3E504E2E5D9B819AA91B
8F0C199481103BA581C7651BF812D4234A8981B3FA5A7302C7BEB523F0595E530176B81B3F7B35011
AB9A668CC48E3B24B3AA8474BF13212DA3EFC5728466222429A7314D3C1672C4F78727C3F5956DEC2
7273B178807ABCEA63410630ED7B172B273CDC666B3A3836C18A25DCF3896F3F1E6D7038D85E66C11
2DF0F09D1D25898281DF2980890E73B9DB49A58DDF9834C4F55368D9068CF3B6058A53B1D6AF6FAC3
9D4CC1B087E4C5595F03B6F6AF93D93150DCD80F3FBE9AD186613CB9FA9BA0834FA61C99566DCF5BE
5293BBAAE32E19B7468A952E3965CE79EC8DF3818E18AE41096A2409598617818BF4BAE62440D0872
64D3307E812396E70F4B37DFEC80063963EC63112BD7ABE1DFBB7582EBC7DE0B69479C6D8AE4EEE22
CF9A083F9F20D01E864FCDEC8CA3086D98052D9581A354E6B60727F50F35AA1B763B88B507F573034
36395680FDAA5460E750895010C2789DA02D7D219D681D5182B5AEF792CEA084729B02D772C93D2F4
E37E0DC1C34F530095FB2849E20A32B5854F9B87B20956B84D3B810BE6012637AA1A7C5E9CFB5FF46
EAACFAE4B8DF2266A2A0FD43C54F8"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:2b,ec,e0,11,a9,75,fd,9f,f9,44,2e,e2,24,15,eb,65,ba,d4,91,d5,91,
68,3a,d5,34,1d,e9,8d,f7,c7,fb,6d,7d,36,8a,07,0a,46,54,0d,ba,81,12,c6,c9,56,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LexBceS.exe
c:\windows\system32\Lexpps.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\oodag.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-02-02 16:48:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 00:48:31

Pre-Run: 37,351,718,912 bytes free
Post-Run: 37,513,875,456 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
237 --- E O F --- 2009-01-15 07:19:10


========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:51 PM, on 2/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\RUNDLL32.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\oodag.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\windows\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\windows\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Documents and Settings\Computer User\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com...a...amp;s=&ipc=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.runaware.com
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135821608875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139344944843
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 8378 bytes

Attached Files

#4 JSntgRvr (Global Moderator, 11,591 posts)
Hi, Graye :)

Seems you are running two antivirus programs. That could bring you problems. By default, only one antivirus must be active.

Remove RelevantKnowledge from your programs and the following folder:

c:\program files\RelevantKnowledge

Download OTScanit2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanit2 on your desktop. OTScanit2 can be detected as malware by your firewall and Antivirus. Choose Ignore on any warning alert.
  • Close any open browsers.
  • Open the OTScanit2 folder and double-click on OTScanit2.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
  • Under Drivers, select "All".
  • Under Rootkit Search, select Yes
  • Under additional Scan select the following:
    • Reg - ControlSets
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Security Center Settings
    • Reg - Tcpip Persistent Routes
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
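The "two antivirus" observation above can be checked mechanically. This is an added example, not code from the thread, from HijackThis or from Geeks to Go: a small Python parser for the O23 (service) lines of a HijackThis log that groups services by antivirus family and flags when more than one family is installed. The sample lines are copied from the log posted earlier in this thread; the vendor map is a constructed assumption covering only the two products seen in that log.

```python
import re
from collections import defaultdict

# Constructed sample: six O23 (service) lines copied from the HijackThis log in this thread.
SAMPLE_O23_LINES = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
"""

# Assumed mapping (constructed for this example): a deliberately small lookup from the
# company string HijackThis prints to an antivirus product family. A real triage list
# would be far longer.
AV_VENDORS = {"grisoft": "AVG", "network associates": "McAfee"}

# O23 line layout: "O23 - Service: <display> (<service name>) - <company> - <path>";
# the "(service name)" part is optional in HijackThis output.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<company>.+?) - (?P<path>.+)$"
)


def parse_o23(log_text):
    """Return one dict per O23 line: display name, service name, company, binary path."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def antivirus_vendors(services):
    """Group antivirus services by product family, keyed on the company field."""
    found = defaultdict(list)
    for svc in services:
        company = svc["company"].lower()
        for key, vendor in AV_VENDORS.items():
            if key in company:
                found[vendor].append(svc["display"])
    return dict(found)


def multiple_antivirus(services):
    """True when services from more than one antivirus family are present, which is
    the conflict the helper pointed out in this thread."""
    return len(antivirus_vendors(services)) > 1


if __name__ == "__main__":
    svcs = parse_o23(SAMPLE_O23_LINES)
    for vendor, names in antivirus_vendors(svcs).items():
        print(f"{vendor}: {', '.join(names)}")
    print("conflicting antivirus products:", multiple_antivirus(svcs))
```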

#5 Graye (Topic Starter, Member, 17 posts)
I ran into something of a problem while attempting to follow your instructions, JSntgRvr, in that I cannot see the options in OTScanit2. After following steps one and two, I ended up with an application window like so:
Posted Image
What should I do?

#6 JSntgRvr (Global Moderator, 11,591 posts)
Click the Start button, type Services.msc in the search box and hit Enter. Scroll down to Plug and Play. See if the service is started.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the Seek.bat file. Post the resulting report.

I will consult the developer about this behavior.

#7 Graye (Topic Starter, Member, 17 posts)
Done.
The Plug and Play service is listed as "Automatic" and "Started" under the Services panel.
The results of the Seek.bat file are posted below:

----------------------------------------------------------------------------------------------------------
----a-w 229,376 2008-09-29 19:27:40 c:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
----a-w 1,077,336 2002-12-20 21:02:44 c:\Windows\system32\MSCOMCTL.OCX

Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 1,306,712 Blocks: 2,553

----a-w 417,792 2007-12-18 14:32:13 C:\Windows\$hf_mig$\KB944338\SP2QFE\vbscript.dll
----a-w 430,080 2008-05-09 10:45:16 C:\Windows\$hf_mig$\KB951978\SP3QFE\vbscript.dll
-c----w 417,792 2007-12-18 14:40:58 C:\Windows\$NtServicePackUninstall$\vbscript.dll
-c----w 417,792 2004-08-04 12:00:00 C:\Windows\$NtUninstallKB944338$\vbscript.dll
-c----w 434,176 2008-04-14 00:12:08 C:\Windows\$NtUninstallKB951978$\vbscript.dll
------w 434,176 2008-04-14 00:12:08 C:\Windows\ServicePackFiles\i386\vbscript.dll
----a-w 430,080 2008-05-09 10:53:40 C:\Windows\system32\vbscript.dll
-c----w 430,080 2008-05-09 10:53:40 C:\Windows\system32\dllcache\vbscript.dll

Entries: 8 (8)
Directories: 0 Files: 8
Bytes: 3,411,968 Blocks: 6,664

----a-w 450,560 2006-05-18 05:37:43 C:\Windows\$hf_mig$\KB917344\SP2QFE\jscript.dll
----a-w 450,560 2007-11-14 07:18:03 C:\Windows\$hf_mig$\KB942840\SP2QFE\jscript.dll
----a-w 450,560 2007-12-18 14:32:13 C:\Windows\$hf_mig$\KB944338\SP2QFE\jscript.dll
----a-w 512,000 2008-05-09 10:45:15 C:\Windows\$hf_mig$\KB951978\SP3QFE\jscript.dll
-c----w 450,560 2007-12-18 14:40:58 C:\Windows\$NtServicePackUninstall$\jscript.dll
-c----w 450,560 2004-08-04 12:00:00 C:\Windows\$NtUninstallKB917344$\jscript.dll
-c----w 450,560 2006-05-18 05:24:25 C:\Windows\$NtUninstallKB942840$\jscript.dll
-c----w 450,560 2007-11-14 07:26:56 C:\Windows\$NtUninstallKB944338$\jscript.dll
-c----w 512,000 2008-04-14 00:11:56 C:\Windows\$NtUninstallKB951978$\jscript.dll
------w 512,000 2008-04-14 00:11:56 C:\Windows\ServicePackFiles\i386\jscript.dll
----a-w 512,000 2008-05-09 10:53:39 C:\Windows\system32\jscript.dll
-c----w 512,000 2008-05-09 10:53:39 C:\Windows\system32\dllcache\jscript.dll

Entries: 12 (12)
Directories: 0 Files: 12
Bytes: 5,713,920 Blocks: 11,160

Total Entries: 22 (22)
Total Directories: 0 Files: 22
Total Bytes: 10,432,600 Blocks: 20,377

#8 JSntgRvr (Global Moderator, 11,591 posts)
Go to Start -> Run, type CMD and click OK. The MSDOS window will be displayed. Copy and paste each of these commands at the prompt and press Enter:

regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
regsvr32 /s MSCOMCTL.OCX
Exit


Restart the computer and attempt OTScanIt again. If you need to download a fresh copy, please do so.

Let me know the outcome.

#9 Graye (Topic Starter, Member, 17 posts)
I entered all commands as noted above, restarted the computer, then ran a newly downloaded copy of OTScanIt2 (after having closed Firefox and all other open windows). The result, I am afraid, is the same: I still cannot see any text in the gray selection areas.

#10 JSntgRvr (Global Moderator, 11,591 posts)
The consensus is that there is a possibility that some of the Common Control files may be missing. If you have a Windows Installation CD, please run the following command: (Start ->Run, copy and paste the command and click OK)

SFC /ScanNow

Let me know if anything is restored.

#11 Graye (Topic Starter, Member, 17 posts)
My apologies for the delay, that took a while to complete.
I initially received a pop-up that read as follows: Files that are required for Windows to run properly must be copied to the DLL Cache. However, switching the optical disc to a different drive seemed to resolve the issue. That is not to say that anything was restored, as there was no indicator that anything happened. The progress bar was eventually filled, but if any list of restored files was meant to appear, none did.
It might be worth noting that the installation disc I inserted may not be the same that was used to install the OS on this computer.

#12 JSntgRvr (Global Moderator, 11,591 posts)
Any effect on OTScanIt2?

#13 Graye (Topic Starter, Member, 17 posts)
None. The boxes are still gray.

#14 JSntgRvr (Global Moderator, 11,591 posts)
Anyway, the settings should look as follows:



Set the radio buttons as above, select the Additional Scans as requested and click on Run Scan.

Attach the report to a reply.

#15 Graye (Topic Starter, Member, 17 posts)
Finished. Report as follows...

Attached Files