computer2

Concern about keylogger

16 posts in this topic

Hi

 

I am running XP SP3 and MBAM found libsubtitle_plugin.dll in VLC player to be a trojan.

 

That seems odd to me.

 

I also am having a problem with explorer.exe crashes when dragging and dropping files or copying, especially with USB drives. I feel the issues are related.

 

I was having the explorer.exe crashing issue (far worse) in my previous XP install (which is why I just did a full XP reinstall, update, etc within the last week). It is troubling to see that the same issue that came up in my previous install is starting to show itself again.

 

Makes me think some Trojan has replicated itself from my old install to my new install.

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE

C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\FreeMeter\FreeMeter.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\javaw.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe

O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1c9f014803ae3c8) (gupdate1c9f014803ae3c8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Belkin\F5D7000v8\jswpsapi.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

 

--

End of file - 7760 bytes

Edited by computer2


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Update: I think I have fixed part of the explorer crashing issue by removing things from the right-click context menu. Drag and drop still causes crashes though.

 

So at this point I really see two things: that 'trojan' within the install of VLC (false positive?) and the drag/drop explorer.exe issue.

 

Thanks


Hi,

I'm nasdaq and will be helping you.

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Open HijackThis

Click: None of the above, just start the program.

Click: Config

Click: Misc Tools

Click: Open Process Manager. Look for this process and click on the Kill Process button.

C:\WINDOWS\system32\javaw.exe

 

Restart the computer normally.

===

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

Link 3

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
     
  • Double click on ComboFix.exe & follow the prompts.
     
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

 

Please make sure you include the HijackThis log header. It will look like this.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:46:55 AM, on 5/3/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

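A triage helper for the HijackThis log format used in this thread, added here as an example; it is not part of the thread and not code from HijackThis, ComboFix or the forum's helpers. It parses the R0/R1, O2/O3, O4 and O23 entry formats into records, checks for the log header nasdaq asks for, and flags the entries a helper reads first: autostart items launched from a user profile directory and services whose publisher HijackThis reports as "Unknown owner". The sample lines are copied from the log posted above. A flag is a prompt to look, not a verdict: the Google Update entry is a per-user updater that legitimately lives in the profile, and the Arrakis3 service is listed under BitDefender's own program folder.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not code from HijackThis, ComboFix or the
forum's helpers.  It parses the entry formats seen in the posted logs and
flags the items a helper would read first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:54 AM, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code: R0, R1, O2, O3, O4, O23
    name: str      # display name, registry value name, or service name
    path: str      # executable/DLL path (or the URL/data for R-lines)
    extra: str     # CLSID, registry hive, service owner, or registry key
    raw: str       # the original line, kept for the report


_CLSID_RE = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<path>.*)$")
_SERVICE_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")
_R_RE = re.compile(r"^(?P<sec>R[013]) - (?P<key>.+?),(?P<value>[^=]+) = (?P<data>.*)$")
# Either a double-quoted path, or an unquoted one that ends at a known extension.
_EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|scr|dll|com|bat|cmd))(?=\s|$)', re.IGNORECASE)

# Path fragments (lower-cased) that mean "writable by an ordinary user".
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                         "\\local settings\\", "\\application data\\")


def exe_from_command(cmd: str) -> str:
    """Strip quotes and trailing arguments such as ' /tray' or " (User 'SYSTEM')"."""
    m = _EXE_RE.match(cmd.strip())
    if m is None:
        return cmd.strip()
    return m.group("q") or m.group("u")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HijackThis line, else None (header, blank, ...)."""
    line = line.rstrip()
    if m := _CLSID_RE.match(line):
        return Entry(m["sec"], m["name"], m["path"], m["clsid"], line)
    if m := _RUN_RE.match(line):
        return Entry("O4", m["name"], exe_from_command(m["cmd"]), m["hive"], line)
    if m := _STARTUP_RE.match(line):
        return Entry("O4", m["name"], exe_from_command(m["path"]), "Startup", line)
    if m := _SERVICE_RE.match(line):
        parts = m["rest"].split(" - ", 2)   # "Name (Short) - Owner - Path"
        if len(parts) == 3:
            return Entry("O23", parts[0], parts[2].strip(), parts[1], line)
        return Entry("O23", m["rest"], "", "", line)
    if m := _R_RE.match(line):
        return Entry(m["sec"], m["value"], m["data"], m["key"], line)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def has_header(text: str) -> bool:
    """True when the log starts with the header line nasdaq asks posters to keep."""
    lines = text.lstrip().splitlines()
    return bool(lines) and lines[0].startswith("Logfile of Trend Micro HijackThis")


def triage(entries: List[Entry]):
    """Return (section, name, reason) for entries worth a closer look."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.section == "O4" and any(mk in p for mk in USER_WRITABLE_MARKERS):
            findings.append((e.section, e.name, "autostart runs from a user-writable profile location"))
        if e.section in ("O2", "O3") and any(mk in p for mk in USER_WRITABLE_MARKERS):
            findings.append((e.section, e.name, "browser extension loads from a user-writable location"))
        if e.section == "O23" and e.extra == "Unknown owner":
            findings.append((e.section, e.name, "service binary carries no publisher information"))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("header present:", has_header(SAMPLE_LOG), "| entries parsed:", len(entries))
    for section, name, reason in triage(entries):
        print(f"[{section}] {name}: {reason}")
```

Run it on a log pasted into a file and it prints the flagged entries; on the thread's own log it flags the per-user Google Update autostart and the Arrakis3 service, both of which turn out to be ordinary once the path and vendor are checked, which is exactly the reading a helper does by hand. The header check mirrors nasdaq's request: without the header the platform and browser version context is missing from the log.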

Hijack:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:23:54 AM, on 01/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE

C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\FreeMeter\FreeMeter.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto

O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe

O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1c9f014803ae3c8) (gupdate1c9f014803ae3c8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Belkin\F5D7000v8\jswpsapi.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

 

--

End of file - 7588 bytes

 

 

ComboFix

 

ComboFix 09-06-30.03 - OfficePC 01/07/2009 10:56.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1664 [GMT -4:00]

Running from: c:\documents and settings\OfficePC\Desktop\ComboFix.exe

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\winhelp.ini

 

.

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))

.

 

2009-06-26 06:03 . 2009-06-26 06:03 -------- d-----w- C:\spoolerlogs

2009-06-26 05:40 . 2009-06-26 05:40 -------- d-----w- c:\program files\Bonjour

2009-06-26 02:55 . 2009-06-26 02:55 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Help

2009-06-26 02:52 . 2009-06-26 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-06-26 00:36 . 2009-06-16 22:27 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-06-25 20:24 . 2009-06-25 20:24 -------- d-----w- c:\program files\Trend Micro

2009-06-25 15:56 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2009-06-25 15:56 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2009-06-25 15:55 . 2009-06-25 15:55 -------- d-----w- c:\windows\system32\IOSUBSYS

2009-06-25 15:21 . 2005-05-04 13:20 53248 ------w- c:\windows\system32\wdmioctl.dll

2009-06-25 15:21 . 2001-09-11 19:20 1285632 ------w- c:\windows\system32\SMMedia.dll

2009-06-25 15:21 . 2009-06-25 15:22 -------- d-----w- c:\program files\Analog Devices

2009-06-25 15:21 . 2005-09-26 20:20 49152 ----a-w- c:\windows\system32\DSndUp.exe

2009-06-25 15:21 . 2002-04-17 19:05 45056 ------w- c:\windows\system32\CleanUp.exe

2009-06-25 15:19 . 2005-10-06 05:21 141312 ----a-w- c:\windows\system32\drivers\ADIHdAud.sys

2009-06-25 15:19 . 2005-08-12 01:49 393088 ----a-w- c:\windows\system32\drivers\senfilt.sys

2009-06-25 15:19 . 2005-06-22 22:11 23552 ----a-w- c:\windows\system32\PostProc.dll

2009-06-25 15:19 . 2005-03-05 08:53 127872 ----a-w- c:\windows\system32\drivers\aeaudio.sys

2009-06-25 15:19 . 2001-09-20 01:47 765952 ----a-w- c:\windows\system\crlds3d.dll

2009-06-25 15:19 . 2003-08-20 07:36 65536 -c--a-w- c:\windows\system32\dllcache\a3d.dll

2009-06-25 15:19 . 2003-08-20 07:36 65536 ----a-w- c:\windows\system32\a3d.dll

2009-06-25 14:56 . 2009-06-25 14:56 -------- d-----w- c:\documents and settings\OfficePC\Application Data\gtopala

2009-06-24 19:21 . 2009-06-24 19:21 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-23 15:24 . 2001-01-12 22:04 46352 ----a-w- c:\windows\setdebug.exe

2009-06-23 15:24 . 2001-01-12 22:04 171280 ----a-w- c:\windows\system32\jit.dll

2009-06-23 15:24 . 2001-01-12 22:04 139536 ----a-w- c:\windows\system32\javaee.dll

2009-06-23 15:24 . 2001-01-12 20:10 6550 ----a-w- c:\windows\jautoexp.dat

2009-06-23 15:24 . 2001-01-12 20:09 313856 ----a-w- c:\windows\system32\dx3j.dll

2009-06-23 15:22 . 2001-10-25 13:34 1683529 ----a-r- c:\windows\system32\InetClnt.dll

2009-06-23 15:22 . 2009-06-23 15:22 -------- d-----w- c:\program files\Intuit

2009-06-23 15:22 . 2009-06-23 15:22 -------- d-----w- c:\program files\Common Files\Intuit

2009-06-23 15:22 . 2001-09-14 18:57 446464 ----a-w- c:\windows\system32\hhactivex.dll

2009-06-23 15:22 . 2000-10-20 06:05 25088 ----a-w- c:\windows\system32\msxml3a.dll

2009-06-23 15:22 . 1999-05-10 05:00 1694992 ----a-w- c:\windows\system32\vba6.dll

2009-06-23 15:19 . 2009-06-23 15:19 -------- d-----w- c:\windows\Intuit

2009-06-23 15:04 . 2009-06-23 15:05 -------- d-----w- c:\program files\QuickTime

2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Apple

2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\program files\Apple Software Update

2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Apple Computer

2009-06-23 14:59 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe

2009-06-23 14:48 . 2009-06-23 14:59 -------- d-----w- c:\windows\system32\Adobe

2009-06-23 14:44 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe

2009-06-23 14:36 . 2009-06-23 14:36 -------- d-----w- c:\program files\Common Files\WexTech Shared

2009-06-23 14:36 . 2009-06-23 14:36 -------- d-----w- c:\program files\Common Files\Lhspf

2009-06-23 14:34 . 2009-06-23 14:34 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Visio

2009-06-23 14:33 . 2009-06-23 14:36 -------- d-----w- c:\program files\Visio

2009-06-23 14:30 . 2009-06-23 14:38 -------- d-----w- c:\program files\Common Files\Visio Shared

2009-06-23 02:36 . 2009-06-23 02:36 -------- d-----w- c:\program files\LAME

2009-06-23 02:19 . 2009-06-23 02:19 -------- d-----w- c:\program files\7-Zip

2009-06-23 02:14 . 2009-06-23 02:47 -------- d-----w- c:\documents and settings\OfficePC\Application Data\AccurateRip

2009-06-23 02:14 . 2009-06-23 02:14 -------- d-----w- c:\program files\Exact Audio Copy

2009-06-23 01:57 . 2009-06-23 02:14 -------- d-----w- c:\program files\Common Files\Mediafour

2009-06-23 01:53 . 2009-06-23 01:57 -------- d-----w- c:\program files\Mediafour

2009-06-22 12:52 . 2009-06-22 12:52 -------- d-----w- c:\program files\Belkin

2009-06-22 12:52 . 2007-08-29 01:46 57344 ------w- c:\windows\system32\drivers\jswscimd.sys

2009-06-22 12:52 . 2009-06-22 12:52 -------- d-----w- c:\windows\{4000033D-F337-41A1-ADA3-3D23635CFA0A}

2009-06-19 18:35 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2009-06-19 17:45 . 2009-06-23 01:54 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Adobe

2009-06-19 17:44 . 2009-06-19 17:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2009-06-19 17:33 . 2009-06-19 17:33 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-06-19 17:32 . 2008-04-07 09:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

2009-06-19 17:32 . 2008-04-07 09:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll

2009-06-19 17:26 . 2009-06-23 14:59 -------- d-----w- c:\program files\Common Files\Adobe

2009-06-19 16:18 . 2009-06-22 12:25 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-06-19 15:46 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll

2009-06-19 15:46 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll

2009-06-18 16:05 . 2009-06-18 16:05 -------- d-----w- c:\documents and settings\OfficePC\Application Data\KeePass

2009-06-18 15:42 . 2009-06-18 15:42 -------- d-----w- c:\program files\Microsoft Silverlight

2009-06-18 12:58 . 2009-06-18 12:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-06-18 12:58 . 2009-06-25 15:55 -------- d-----w- c:\program files\Google

2009-06-18 12:58 . 2009-06-18 12:58 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Deployment

2009-06-18 04:08 . 2009-03-24 18:43 43008 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll

2009-06-18 04:08 . 2009-03-24 18:43 43008 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-06-18 04:08 . 2009-03-24 18:43 235520 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll

2009-06-18 04:08 . 2009-03-24 18:43 338432 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-06-18 04:08 . 2009-03-24 18:42 235008 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll

2009-06-18 04:08 . 2009-03-24 18:42 345088 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-06-18 03:38 . 2009-06-18 03:38 -------- d-----w- c:\windows\vnDrvBas

2009-06-18 03:38 . 2009-06-18 03:38 -------- d-----r- c:\windows\AsDmiHtm

2009-06-18 03:30 . 2009-06-18 03:30 -------- d-----w- c:\program files\VIA

2009-06-18 03:29 . 2004-08-12 10:56 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys

2009-06-18 03:29 . 2009-06-18 03:29 -------- d-----w- c:\windows\ASUSInstAll

2009-06-18 03:29 . 2004-04-26 15:26 5824 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS

2009-06-18 03:02 . 2001-08-17 17:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys

2009-06-18 02:43 . 2009-06-18 02:43 -------- d-----w- c:\program files\CodeStuff

2009-06-18 02:22 . 2009-06-18 02:22 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\WinZip

2009-06-18 02:21 . 2009-06-18 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2009-06-18 02:11 . 2009-06-18 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2009-06-18 02:11 . 2009-06-18 02:11 -------- d-----w- c:\program files\CyberLink

2009-06-18 02:11 . 2009-06-25 15:21 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-18 02:10 . 2009-06-25 15:20 -------- d-----w- c:\program files\Common Files\InstallShield

2009-06-18 02:05 . 2009-06-26 20:23 1 ----a-w- c:\documents and settings\OfficePC\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-06-18 02:04 . 2009-06-18 02:04 -------- d-----w- c:\documents and settings\OfficePC\Application Data\OpenOffice.org

2009-06-18 01:42 . 2009-06-18 01:42 -------- d-----w- c:\documents and settings\OfficePC\Application Data\FileMaker

2009-06-18 01:41 . 2009-06-18 01:41 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Symantec

2009-06-18 01:40 . 2009-06-18 01:40 -------- d-----w- c:\program files\FileMaker

2009-06-18 01:28 . 2009-06-18 01:28 -------- d-----w- c:\program files\FreeMeter

2009-06-17 19:56 . 2001-09-07 19:48 26624 ----a-w- c:\windows\GetIe.dll

2009-06-17 19:56 . 2009-07-01 14:14 -------- d-----w- C:\Jts

2009-06-17 19:22 . 2009-06-17 19:44 -------- d-----w- c:\documents and settings\OfficePC\Application Data\TrueCrypt

2009-06-17 19:13 . 2009-06-17 19:13 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys

2009-06-17 19:13 . 2009-06-17 19:13 -------- d-----w- c:\program files\TrueCrypt

2009-06-17 18:31 . 2009-06-17 18:31 -------- d-----w- c:\program files\KeePass Password Safe

2009-06-16 22:41 . 2009-06-16 22:41 -------- d-----w- c:\documents and settings\OfficePC\Application Data\vlc

2009-06-16 22:38 . 2009-06-16 22:38 -------- d-----w- c:\program files\VideoLAN

2009-06-16 22:35 . 2009-06-16 22:35 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Malwarebytes

2009-06-16 22:35 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-16 22:35 . 2009-06-24 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-16 22:35 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-16 22:35 . 2009-06-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-16 22:34 . 2009-06-18 04:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-06-16 22:34 . 2009-06-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-16 22:27 . 2009-06-16 22:26 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-06-16 22:24 . 2009-06-16 22:24 -------- d-----w- c:\program files\Lavasoft

2009-06-16 22:19 . 2009-06-25 16:01 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Google

2009-06-16 22:18 . 2009-06-16 22:18 -------- d--h--w- c:\windows\PIF

2009-06-16 22:17 . 2009-06-16 22:17 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Windows Search

2009-06-16 20:43 . 2009-06-16 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2009-06-16 20:43 . 2005-08-25 23:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL

2009-06-16 20:43 . 2009-06-16 20:43 -------- d-----w- c:\program files\SpywareBlaster

2009-06-16 20:20 . 2009-06-16 22:19 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Eraser

2009-06-16 20:20 . 2009-06-10 13:22 83344 ----a-w- c:\windows\system32\Erasext.dll

2009-06-16 20:20 . 2009-06-10 13:22 307088 ----a-w- c:\windows\system32\Eraser.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-23 15:25 . 2009-06-23 15:25 2232 ----a-w- c:\windows\java\Packages\Data\MJJ133ZL.DAT

2009-06-23 15:25 . 2009-06-23 15:25 155995 ----a-w- c:\windows\java\Packages\9RBHVRFZ.ZIP

2009-06-23 15:25 . 2009-06-23 15:25 2678 ----a-w- c:\windows\java\Packages\Data\5RJTVF7J.DAT

2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\YEWQS4WM.DAT

2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\RZ9RVBJN.DAT

2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\9NLBXB3L.DAT

2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\6LB7J1JV.DAT

2009-06-16 22:27 . 2009-06-16 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-06-16 22:27 . 2009-06-16 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-06-16 22:27 . 2009-06-16 22:27 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-06-16 22:26 . 2009-06-16 22:26 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-06-16 22:26 . 2009-06-16 22:26 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-06-16 22:26 . 2009-06-16 22:26 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-06-16 22:25 . 2009-06-16 22:25 152576 ----a-w- c:\documents and settings\OfficePC\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-16 22:24 . 2009-06-16 22:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

2009-06-16 15:01 . 2009-06-16 02:22 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-06-16 02:23 . 2009-06-16 02:23 -------- d-----w- c:\program files\microsoft frontpage

2009-06-16 02:20 . 2009-06-16 02:20 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-03-05 22:08 . 2009-06-16 16:31 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-16 133104]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-08 778240]

"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]

"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]

"MDDiskProtect.exe"="c:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 106496]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\OfficePC\Start Menu\Programs\Startup\

FreeMeter.lnk - c:\program files\FreeMeter\FreeMeter.exe [2009-6-17 614400]

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

 

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [16/06/2009 6:27 PM 64160]

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [30/04/2006 10:57 AM 16640]

R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [13/09/2006 2:53 PM 213888]

R2 MLPTDR_B;MLPTDR_B;c:\windows\system32\MLPTDR_B.SYS [02/09/2003 3:03 PM 20064]

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 12:09 PM 111112]

R3 es1969;ESS 1969 Audio Driver (WDM);c:\windows\system32\drivers\es1969.sys [15/06/2009 5:54 PM 72704]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [22/06/2009 8:52 AM 57344]

S2 gupdate1c9f014803ae3c8;Google Update Service (gupdate1c9f014803ae3c8);c:\program files\Google\Update\GoogleUpdate.exe [18/06/2009 8:58 AM 133104]

S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [20/01/2009 7:16 PM 172032]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Belkin\F5D7000v8\jswpsapi.exe [29/10/2007 11:34 PM 352338]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1003344]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

 

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 12:58]

 

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 12:58]

 

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1682526488-839522115-1004Core.job

- c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 22:19]

 

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1682526488-839522115-1004UA.job

- c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 22:19]

.

- - - - ORPHANS REMOVED - - - -

 

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)

 

 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.ca/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - google.ca

FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll

FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll

FF - plugin: c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-01 11:01

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2009-07-01 11:03

ComboFix-quarantined-files.txt 2009-07-01 15:03

 

Pre-Run: 32,190,402,560 bytes free

Post-Run: 32,358,907,904 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

262 --- E O F --- 2009-06-16 17:13

 

 

OTHER NOTABLES:

1. Directly after running ComboFix I rebooted. Upon reboot 'Freemeter' tried to reinstall (and failed) and MacDrive 6 went through a reinstall process (even though it is already installed).

2. Also: I tried right clicking on desktop item and got explorer.exe hang // Also dragging/dropping desktop item causes hang

3. I installed a printer (Magicolor 2300DL) using Bonjour (I have an Apple airport) and though everything with the install seemed to go ok, anytime I print the program fails (notepad etc) and the spooler.exe hangs

 

Thanks so much for your help!

 

Have a nice day.

Edited by computer2


Your logs are clean.

 

How long ago did you upgrade to Explorer 8?

 

Was everything working fine after the upgrade?

===


I upgraded to IE 8 after the XP reinstall.

 

Other info: today's boot up featured a crash during boot, a reboot, prompt to start in safe mode (etc) and then checkdisc ran. After the reboot and checkdisc it started fine but the BitDefender 'activity window' (the little live graph that shows file activity on the computer in real time) reappeared (I had disabled it).

 

Note also that crashes can occur during drag/drop OR right click on desktop, but doing these things does not always crash the system.


I hope this scan will reveal something.

 

Let's use this online scanner (don't worry, it doesn't delete anything, it only detects).

 

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

 

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.


To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

p.s. When your computer crashes, do you get an error message that may help identify the culprit?


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Friday, July 3, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Friday, July 03, 2009 15:16:59

Records in database: 2419886

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

 

Scan statistics:

Files scanned: 72720

Threat name: 2

Infected objects: 2

Suspicious objects: 0

Duration of the scan: 05:25:48

 

 

File name / Threat name / Threats count

C:\Documents and Settings\OfficePC\Desktop\Utils to install\System\specialfoldersview\SpecialFoldersView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.hd 1

C:\Documents and Settings\OfficePC\Desktop\Utils to install\System\SysinternalsSuite.zip Infected: not-a-virus:RiskTool.Win32.PsKill.ba 1

 

The selected area was scanned.

 

 

Hi - not too much to see here - just what seems like a false positive...

 

When the crash happens there is no error message... I have to CTRL-ALT-DEL to manually kill the non-responding explorer.exe.

 

The more I think of it, the more I think this has to do with some kind of USB conflict or driver issue or something like this. What do you think?

 

Thank you

I also am having a problem with explorer.exe crashes when dragging and dropping files or copying. Especially with USB drives

 

Do you crash when you copy and paste the files?


I also suspect that it may be some driver issues.

 

I just want to confirm if the values in bold are set in your registry.

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"Start_EnableDragDrop"=dword:00000001

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoChangeStartMenu"=dword:00000000

 

Windows Registry Editor Version 5.00

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

 

"180D"=dword:00000000

 

 

Download the Registry Search Tool from here:

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

 

Unzip to your Desktop and double click on regsrch.vbs

(if you have script protection, please allow this to run)

 

In the dialog that opens enter the following:

Start_EnableDragDrop

 

Press 'OK'

 

The search will run for a while then alert you when it is finished.

 

Press 'OK' and copy the contents of the WordPad window and post in this thread.

 

Repeat the search for these strings.

 

NoChangeStartMenu

 

and

 

180D

 

Post the results.


REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "Start_EnableDragDrop" 08/07/2009 3:10:40 PM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\EnableDragDrop]

"ValueName"="Start_EnableDragDrop"

 

[HKEY_USERS\S-1-5-21-299502267-1682526488-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"Start_EnableDragDrop"=dword:00000001

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "NoChangeStartMenu" 08/07/2009 3:12:31 PM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\Policy\NoChangeStartMenu]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuChange\Policy\NoChangeStartMenu]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\EnableDragDrop\Policy\NoChangeStartMenu]

 

REGEDIT4

; RegSrch.vbs © Bill James

 

; Registry search results for string "180D" 08/07/2009 3:25:56 PM

 

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}\ProxyStubClsid]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}\ProxyStubClsid32]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}\TypeLib]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}\ProxyStubClsid]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}\ProxyStubClsid32]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}\TypeLib]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}\1.0.5000.0]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}\2.0.0.0]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{26587AE9-6807-6F2D-9D9B-180D28486489}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{390180D5-9039-50AF-793D-071EBDECCE91}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9691BB180DB841D46929F94B7A7AACB7]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EE180D26BAADE5D4C8D798332457E359]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]

"180D"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]

"180D"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]

"180D"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]

"180D"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]

"180D"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

"180D"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

"180D"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

"180D"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

"180D"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

"180d"=dword:00000001

 

[HKEY_USERS\S-1-5-21-299502267-1682526488-839522115-1004\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0]

"2edd7538c2b180d3"=hex:2c,00,41,00,70,00,70,00,45,00,76,00,65,00,6e,00,74,00,\

 

[HKEY_USERS\S-1-5-21-299502267-1682526488-839522115-1004\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map]

"2edd7538c2b180d3"=",33,HKCU,AppEvents\\Schemes\\Apps\\Explorer\\FeedDiscovered,,"

 

"PMDisplayName"="My Computer [Protected Mode]"

"180D"=dword:00000000

 

"PMDisplayName"="Local intranet [Protected Mode]"

"180D"=dword:00000000

 

"PMDisplayName"="Trusted sites [Protected Mode]"

"180D"=dword:00000000

 

"PMDisplayName"="Internet [Protected Mode]"

"180D"=dword:00000001

 

"PMDisplayName"="Restricted sites [Protected Mode]"

"180D"=dword:00000001

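Checking RegSrch output like the above by eye is error-prone, so here is an added Python example (not from the thread, the RegSrch tool, or any product mentioned) that parses REGEDIT4-style text, folds HKEY_USERS\<user SID>\... paths onto HKEY_CURRENT_USER, joins wrapped hex values, and compares the three values the helper listed against their expected dwords. The sample text and its SID are constructed to mirror the posted format.

```python
import re

# Constructed sample in the REGEDIT4 format RegSrch.vbs emits; the SID is a placeholder.
SAMPLE = r"""REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "Start_EnableDragDrop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\EnableDragDrop]
"ValueName"="Start_EnableDragDrop"

[HKEY_USERS\S-1-5-21-0-0-0-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_EnableDragDrop"=dword:00000001

[HKEY_USERS\S-1-5-21-0-0-0-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"180d"=dword:00000001

[HKEY_USERS\S-1-5-21-0-0-0-1004\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0]
"2edd7538c2b180d3"=hex:2c,00,41,00,70,00,\
  70,00,45,00
"""

# The values the helper asked the poster to confirm, written as HKCU paths.
EXPECTED = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Start_EnableDragDrop"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoChangeStartMenu"): 0,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4", "180D"): 0,
}

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_SID_RE = re.compile(r"^HKEY_USERS\\S-1-5-21-[\d-]+\\", re.I)


def _norm_key(key):
    """Case-fold a key path; a per-user HKEY_USERS\<SID> path is the same key as HKCU."""
    return _SID_RE.sub(lambda m: "HKEY_CURRENT_USER\\", key).lower()


def _parse_value(raw):
    """Decode the right-hand side of a .reg line into (kind, value)."""
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    if raw.lower().startswith("hex:"):
        return "hex", bytes(int(b, 16) for b in raw[4:].split(",") if b)
    if raw.startswith('"') and raw.endswith('"'):
        return "sz", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return "raw", raw


def parse_reg(text):
    """Parse REGEDIT4/5 text into {normalised key: {value name (lower-cased): (kind, value)}}."""
    data, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] == ";" or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = _norm_key(line[1:-1])
            data.setdefault(key, {})
            continue
        while line.endswith("\\") and i < len(lines):  # hex values wrap with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""  # '@' is the default value
        data[key][name.lower()] = _parse_value(m.group(2))
    return data


def check_expected(data, expected=EXPECTED):
    """Report ok / missing / mismatch per expected value; registry names are case-insensitive."""
    report = {}
    for (key, name), want in expected.items():
        found = data.get(_norm_key(key), {}).get(name.lower())
        if found is None:
            report[name] = "missing"
        elif found == ("dword", want):
            report[name] = "ok"
        else:
            report[name] = "mismatch: got %s:%r" % found
    return report


if __name__ == "__main__":
    for name, status in check_expected(parse_reg(SAMPLE)).items():
        print(name, status)
```

A "missing" result only means the search output had no such value under that key, which for a policy value like NoChangeStartMenu is the normal, unset state.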

It sure looks like a driver issue. Nothing suspicious found.

 

I do not (I have never used drag and drop to copy files).

 

When I want to copy a file from a folder I always use the right mouse click (copy the file), navigate to the folder and use the right mouse click to paste the file into the folder.

 

Can you live with this?


I guess I have to -- glad to hear it's not a keylogger etc.

 

I wish there was some kind of freeware out there that dealt with USB conflicts and/or driver issues.

 

Anyway, thank you for your help


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
