Concern about keylogger


This topic is locked
15 replies to this topic

#1 computer2 (Full Member, 8 posts)

Posted 25 June 2009 - 02:34 PM

Hi

I am running XP SP3 and MBAM found libsubtitle_plugin.dll in VLC player to be a trojan.

That seems odd to me.

I am also having a problem with explorer.exe crashing when dragging and dropping files or copying, especially with USB drives. I feel the issues are related.

I was having the explorer.exe crashing issue (far worse) in my previous XP install (which is why I just did a full XP reinstall, update, etc within the last week). It is troubling to see that the same issue that came up in my previous install is starting to show itself again.

Makes me think some Trojan has replicated itself from my old install to my new install.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9f014803ae3c8) (gupdate1c9f014803ae3c8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Belkin\F5D7000v8\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7760 bytes

Edited by computer2, 25 June 2009 - 03:29 PM.
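As an added example, not part of the original thread and not code from HijackThis or its vendor: a small Python triage script that applies a few heuristics to a HijackThis v2 log of the form posted above. The heuristics are my own (binaries starting from user-writable locations such as the profile or Temp, Windows system-process names running outside the Windows directory, and O23 services whose publisher string reads "Unknown owner"); the sample log is constructed from a handful of the lines in this post plus one invented `Temp\svchost.exe` Run entry that does not appear in the real log. A "review" finding is a pointer to something worth checking, not a verdict: the per-user GoogleUpdate.exe under Local Settings and the Arrakis3 service both belong to named products (Google Update and BitDefender, as the log's own lines indicate), and they surface here only because the heuristics are deliberately broad.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis log above. The O4 entry
# that launches svchost.exe from the user's Temp folder is invented for
# this example and is NOT in the original log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\javaw.exe
C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\OfficePC\Local Settings\Temp\svchost.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
"""

# HijackThis entries start with a section code such as R0, O2, O4, O23.
HJT_ENTRY = re.compile(r"^[RO]\d+ - ")
# First Windows path ending in an executable-type extension on the line.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|\n]+?\.(?:exe|dll|sys|scr|cpl)\b', re.IGNORECASE)

# Process names that legitimately live under %WINDIR%; malware often reuses
# them from other directories so the name looks familiar in a process list.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "suspicious" (strong indicator) or "review" (check it)
    reason: str
    line: str


def extract_path(text: str):
    """Return the first executable path on a log line, or None."""
    m = WIN_PATH.search(text)
    return m.group(0) if m else None


def user_writable(path: str) -> bool:
    """Heuristic: profile or Temp locations that any user process can write to."""
    p = path.lower()
    return ("\\documents and settings\\" in p or "\\temp\\" in p) \
        and "\\program files\\" not in p


def triage_line(line: str) -> list:
    """Apply the heuristics to one process-list or O-section line."""
    out = []
    path = extract_path(line)
    if path is None:
        return out
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and "\\windows\\" not in p:
        out.append(Finding("suspicious",
                           f"{name} is a Windows system-process name but runs outside the Windows directory",
                           line))
    if user_writable(path):
        out.append(Finding("review",
                           "binary starts from a user-writable location; confirm publisher and hash",
                           line))
    if line.startswith("O23") and "Unknown owner" in line:
        out.append(Finding("review",
                           "service reports no publisher; verify the file's signature",
                           line))
    return out


def triage_log(text: str) -> list:
    """Walk a HijackThis log; the header before 'Running processes:' is skipped."""
    findings = []
    in_scope = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_scope = True
            continue
        if HJT_ENTRY.match(line):
            in_scope = True
        if in_scope:
            findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

To run it over a real log, pass the file's contents to `triage_log`. Anything flagged is a candidate for a hash or signature check against the vendor's own distribution, which is also the sensible next step for a single-engine detection on a file inside a known product directory, like the VLC plugin in this post.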


#2 SWI Support Robot (helper robot, 23,520 posts)

Posted 28 June 2009 - 03:26 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 computer2 (Full Member, 8 posts)

Posted 30 June 2009 - 08:05 AM

Update: I think I have fixed part of the explorer crashing issue by removing things from the right-click context menu. Drag and drop still causes crashes though.

So at this point I really see two things: that 'trojan' within the install of VLC (false positive?) and the drag/drop explorer.exe issue.

Thanks

#4 nasdaq (Global Moderator, 49,081 posts)

Posted 30 June 2009 - 09:37 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Open HijackThis
Click: None of the above, just start the program.
Click: Config
Click: Misc Tools
Click: Open Process Manager. Look for this process and click on the Kill Process button.
C:\WINDOWS\system32\javaw.exe

Restart the computer normally.
===

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot not reproduced).

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

Please make sure you include the HijackThis log header. It will look like this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:55 AM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal



#5 computer2 (Full Member, 8 posts)

Posted 01 July 2009 - 10:31 AM

Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:54 AM, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9f014803ae3c8) (gupdate1c9f014803ae3c8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Belkin\F5D7000v8\jswpsapi.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7588 bytes


ComboFix

ComboFix 09-06-30.03 - OfficePC 01/07/2009 10:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1664 [GMT -4:00]
Running from: c:\documents and settings\OfficePC\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-06-26 06:03 . 2009-06-26 06:03 -------- d-----w- C:\spoolerlogs
2009-06-26 05:40 . 2009-06-26 05:40 -------- d-----w- c:\program files\Bonjour
2009-06-26 02:55 . 2009-06-26 02:55 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Help
2009-06-26 02:52 . 2009-06-26 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-26 00:36 . 2009-06-16 22:27 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 20:24 . 2009-06-25 20:24 -------- d-----w- c:\program files\Trend Micro
2009-06-25 15:56 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-06-25 15:56 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-06-25 15:55 . 2009-06-25 15:55 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-06-25 15:21 . 2005-05-04 13:20 53248 ------w- c:\windows\system32\wdmioctl.dll
2009-06-25 15:21 . 2001-09-11 19:20 1285632 ------w- c:\windows\system32\SMMedia.dll
2009-06-25 15:21 . 2009-06-25 15:22 -------- d-----w- c:\program files\Analog Devices
2009-06-25 15:21 . 2005-09-26 20:20 49152 ----a-w- c:\windows\system32\DSndUp.exe
2009-06-25 15:21 . 2002-04-17 19:05 45056 ------w- c:\windows\system32\CleanUp.exe
2009-06-25 15:19 . 2005-10-06 05:21 141312 ----a-w- c:\windows\system32\drivers\ADIHdAud.sys
2009-06-25 15:19 . 2005-08-12 01:49 393088 ----a-w- c:\windows\system32\drivers\senfilt.sys
2009-06-25 15:19 . 2005-06-22 22:11 23552 ----a-w- c:\windows\system32\PostProc.dll
2009-06-25 15:19 . 2005-03-05 08:53 127872 ----a-w- c:\windows\system32\drivers\aeaudio.sys
2009-06-25 15:19 . 2001-09-20 01:47 765952 ----a-w- c:\windows\system\crlds3d.dll
2009-06-25 15:19 . 2003-08-20 07:36 65536 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2009-06-25 15:19 . 2003-08-20 07:36 65536 ----a-w- c:\windows\system32\a3d.dll
2009-06-25 14:56 . 2009-06-25 14:56 -------- d-----w- c:\documents and settings\OfficePC\Application Data\gtopala
2009-06-24 19:21 . 2009-06-24 19:21 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 15:24 . 2001-01-12 22:04 46352 ----a-w- c:\windows\setdebug.exe
2009-06-23 15:24 . 2001-01-12 22:04 171280 ----a-w- c:\windows\system32\jit.dll
2009-06-23 15:24 . 2001-01-12 22:04 139536 ----a-w- c:\windows\system32\javaee.dll
2009-06-23 15:24 . 2001-01-12 20:10 6550 ----a-w- c:\windows\jautoexp.dat
2009-06-23 15:24 . 2001-01-12 20:09 313856 ----a-w- c:\windows\system32\dx3j.dll
2009-06-23 15:22 . 2001-10-25 13:34 1683529 ----a-r- c:\windows\system32\InetClnt.dll
2009-06-23 15:22 . 2009-06-23 15:22 -------- d-----w- c:\program files\Intuit
2009-06-23 15:22 . 2009-06-23 15:22 -------- d-----w- c:\program files\Common Files\Intuit
2009-06-23 15:22 . 2001-09-14 18:57 446464 ----a-w- c:\windows\system32\hhactivex.dll
2009-06-23 15:22 . 2000-10-20 06:05 25088 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-23 15:22 . 1999-05-10 05:00 1694992 ----a-w- c:\windows\system32\vba6.dll
2009-06-23 15:19 . 2009-06-23 15:19 -------- d-----w- c:\windows\Intuit
2009-06-23 15:04 . 2009-06-23 15:05 -------- d-----w- c:\program files\QuickTime
2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Apple
2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\program files\Apple Software Update
2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-23 15:04 . 2009-06-23 15:04 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Apple Computer
2009-06-23 14:59 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe
2009-06-23 14:48 . 2009-06-23 14:59 -------- d-----w- c:\windows\system32\Adobe
2009-06-23 14:44 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-06-23 14:36 . 2009-06-23 14:36 -------- d-----w- c:\program files\Common Files\WexTech Shared
2009-06-23 14:36 . 2009-06-23 14:36 -------- d-----w- c:\program files\Common Files\Lhspf
2009-06-23 14:34 . 2009-06-23 14:34 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Visio
2009-06-23 14:33 . 2009-06-23 14:36 -------- d-----w- c:\program files\Visio
2009-06-23 14:30 . 2009-06-23 14:38 -------- d-----w- c:\program files\Common Files\Visio Shared
2009-06-23 02:36 . 2009-06-23 02:36 -------- d-----w- c:\program files\LAME
2009-06-23 02:19 . 2009-06-23 02:19 -------- d-----w- c:\program files\7-Zip
2009-06-23 02:14 . 2009-06-23 02:47 -------- d-----w- c:\documents and settings\OfficePC\Application Data\AccurateRip
2009-06-23 02:14 . 2009-06-23 02:14 -------- d-----w- c:\program files\Exact Audio Copy
2009-06-23 01:57 . 2009-06-23 02:14 -------- d-----w- c:\program files\Common Files\Mediafour
2009-06-23 01:53 . 2009-06-23 01:57 -------- d-----w- c:\program files\Mediafour
2009-06-22 12:52 . 2009-06-22 12:52 -------- d-----w- c:\program files\Belkin
2009-06-22 12:52 . 2007-08-29 01:46 57344 ------w- c:\windows\system32\drivers\jswscimd.sys
2009-06-22 12:52 . 2009-06-22 12:52 -------- d-----w- c:\windows\{4000033D-F337-41A1-ADA3-3D23635CFA0A}
2009-06-19 18:35 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-06-19 17:45 . 2009-06-23 01:54 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Adobe
2009-06-19 17:44 . 2009-06-19 17:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-19 17:33 . 2009-06-19 17:33 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-19 17:32 . 2008-04-07 09:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-06-19 17:32 . 2008-04-07 09:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll
2009-06-19 17:26 . 2009-06-23 14:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-19 16:18 . 2009-06-22 12:25 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-06-19 15:46 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-19 15:46 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-06-18 16:05 . 2009-06-18 16:05 -------- d-----w- c:\documents and settings\OfficePC\Application Data\KeePass
2009-06-18 15:42 . 2009-06-18 15:42 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-18 12:58 . 2009-06-18 12:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-18 12:58 . 2009-06-25 15:55 -------- d-----w- c:\program files\Google
2009-06-18 12:58 . 2009-06-18 12:58 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Deployment
2009-06-18 04:08 . 2009-03-24 18:43 43008 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
2009-06-18 04:08 . 2009-03-24 18:43 43008 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-06-18 04:08 . 2009-03-24 18:43 235520 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
2009-06-18 04:08 . 2009-03-24 18:43 338432 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-06-18 04:08 . 2009-03-24 18:42 235008 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
2009-06-18 04:08 . 2009-03-24 18:42 345088 ----a-w- c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-18 03:38 . 2009-06-18 03:38 -------- d-----w- c:\windows\vnDrvBas
2009-06-18 03:38 . 2009-06-18 03:38 -------- d-----r- c:\windows\AsDmiHtm
2009-06-18 03:30 . 2009-06-18 03:30 -------- d-----w- c:\program files\VIA
2009-06-18 03:29 . 2004-08-12 10:56 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
2009-06-18 03:29 . 2009-06-18 03:29 -------- d-----w- c:\windows\ASUSInstAll
2009-06-18 03:29 . 2004-04-26 15:26 5824 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-06-18 03:02 . 2001-08-17 17:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-06-18 02:43 . 2009-06-18 02:43 -------- d-----w- c:\program files\CodeStuff
2009-06-18 02:22 . 2009-06-18 02:22 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\WinZip
2009-06-18 02:21 . 2009-06-18 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-06-18 02:11 . 2009-06-18 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-06-18 02:11 . 2009-06-18 02:11 -------- d-----w- c:\program files\CyberLink
2009-06-18 02:11 . 2009-06-25 15:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-18 02:10 . 2009-06-25 15:20 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-18 02:05 . 2009-06-26 20:23 1 ----a-w- c:\documents and settings\OfficePC\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-18 02:04 . 2009-06-18 02:04 -------- d-----w- c:\documents and settings\OfficePC\Application Data\OpenOffice.org
2009-06-18 01:42 . 2009-06-18 01:42 -------- d-----w- c:\documents and settings\OfficePC\Application Data\FileMaker
2009-06-18 01:41 . 2009-06-18 01:41 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Symantec
2009-06-18 01:40 . 2009-06-18 01:40 -------- d-----w- c:\program files\FileMaker
2009-06-18 01:28 . 2009-06-18 01:28 -------- d-----w- c:\program files\FreeMeter
2009-06-17 19:56 . 2001-09-07 19:48 26624 ----a-w- c:\windows\GetIe.dll
2009-06-17 19:56 . 2009-07-01 14:14 -------- d-----w- C:\Jts
2009-06-17 19:22 . 2009-06-17 19:44 -------- d-----w- c:\documents and settings\OfficePC\Application Data\TrueCrypt
2009-06-17 19:13 . 2009-06-17 19:13 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-06-17 19:13 . 2009-06-17 19:13 -------- d-----w- c:\program files\TrueCrypt
2009-06-17 18:31 . 2009-06-17 18:31 -------- d-----w- c:\program files\KeePass Password Safe
2009-06-16 22:41 . 2009-06-16 22:41 -------- d-----w- c:\documents and settings\OfficePC\Application Data\vlc
2009-06-16 22:38 . 2009-06-16 22:38 -------- d-----w- c:\program files\VideoLAN
2009-06-16 22:35 . 2009-06-16 22:35 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Malwarebytes
2009-06-16 22:35 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 22:35 . 2009-06-24 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-16 22:35 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 22:35 . 2009-06-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-16 22:34 . 2009-06-18 04:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 22:34 . 2009-06-16 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-16 22:27 . 2009-06-16 22:26 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-16 22:24 . 2009-06-16 22:24 -------- d-----w- c:\program files\Lavasoft
2009-06-16 22:19 . 2009-06-25 16:01 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Google
2009-06-16 22:18 . 2009-06-16 22:18 -------- d--h--w- c:\windows\PIF
2009-06-16 22:17 . 2009-06-16 22:17 -------- d-----w- c:\documents and settings\OfficePC\Application Data\Windows Search
2009-06-16 20:43 . 2009-06-16 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-16 20:43 . 2005-08-25 23:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-16 20:43 . 2009-06-16 20:43 -------- d-----w- c:\program files\SpywareBlaster
2009-06-16 20:20 . 2009-06-16 22:19 -------- d-----w- c:\documents and settings\OfficePC\Local Settings\Application Data\Eraser
2009-06-16 20:20 . 2009-06-10 13:22 83344 ----a-w- c:\windows\system32\Erasext.dll
2009-06-16 20:20 . 2009-06-10 13:22 307088 ----a-w- c:\windows\system32\Eraser.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 15:25 . 2009-06-23 15:25 2232 ----a-w- c:\windows\java\Packages\Data\MJJ133ZL.DAT
2009-06-23 15:25 . 2009-06-23 15:25 155995 ----a-w- c:\windows\java\Packages\9RBHVRFZ.ZIP
2009-06-23 15:25 . 2009-06-23 15:25 2678 ----a-w- c:\windows\java\Packages\Data\5RJTVF7J.DAT
2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\YEWQS4WM.DAT
2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\RZ9RVBJN.DAT
2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\9NLBXB3L.DAT
2009-06-23 15:24 . 2009-06-23 15:24 2678 ----a-w- c:\windows\java\Packages\Data\6LB7J1JV.DAT
2009-06-16 22:27 . 2009-06-16 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-16 22:27 . 2009-06-16 22:27 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-16 22:27 . 2009-06-16 22:27 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-16 22:26 . 2009-06-16 22:26 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-16 22:26 . 2009-06-16 22:26 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-16 22:26 . 2009-06-16 22:26 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-16 22:25 . 2009-06-16 22:25 152576 ----a-w- c:\documents and settings\OfficePC\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-16 22:24 . 2009-06-16 22:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-16 15:01 . 2009-06-16 02:22 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 02:23 . 2009-06-16 02:23 -------- d-----w- c:\program files\microsoft frontpage
2009-06-16 02:20 . 2009-06-16 02:20 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-05 22:08 . 2009-06-16 16:31 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-16 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-08 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"MDDiskProtect.exe"="c:\program files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 106496]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\OfficePC\Start Menu\Programs\Startup\
FreeMeter.lnk - c:\program files\FreeMeter\FreeMeter.exe [2009-6-17 614400]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [16/06/2009 6:27 PM 64160]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [30/04/2006 10:57 AM 16640]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [13/09/2006 2:53 PM 213888]
R2 MLPTDR_B;MLPTDR_B;c:\windows\system32\MLPTDR_B.SYS [02/09/2003 3:03 PM 20064]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [18/09/2008 12:09 PM 111112]
R3 es1969;ESS 1969 Audio Driver (WDM);c:\windows\system32\drivers\es1969.sys [15/06/2009 5:54 PM 72704]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [22/06/2009 8:52 AM 57344]
S2 gupdate1c9f014803ae3c8;Google Update Service (gupdate1c9f014803ae3c8);c:\program files\Google\Update\GoogleUpdate.exe [18/06/2009 8:58 AM 133104]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [20/01/2009 7:16 PM 172032]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Belkin\F5D7000v8\jswpsapi.exe [29/10/2007 11:34 PM 352338]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 3:06 PM 1003344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 12:58]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 12:58]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1682526488-839522115-1004Core.job
- c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 22:19]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1682526488-839522115-1004UA.job
- c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 22:19]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\OfficePC\Application Data\Mozilla\Firefox\Profiles\28syv1ba.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - google.ca
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\OfficePC\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 11:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-01 11:03
ComboFix-quarantined-files.txt 2009-07-01 15:03

Pre-Run: 32,190,402,560 bytes free
Post-Run: 32,358,907,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

262 --- E O F --- 2009-06-16 17:13


OTHER NOTABLES:
1. Directly after running ComboFix I rebooted. Upon reboot 'Freemeter' tried to reinstall (and failed) and MacDrive 6 went through a reinstall process (even though it is already installed).
2. Also: I tried right clicking on desktop item and got explorer.exe hang // Also dragging/dropping desktop item causes hang
3. I installed a printer (Magicolor 2300DL) using Bonjour (I have an Apple airport) and though everything with the install seemed to go ok, anytime I print the program fails (notepad etc) and the spooler.exe hangs

Thanks so much for your help!

Have a nice day.

Edited by computer2, 01 July 2009 - 10:33 AM.
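
The ComboFix file listing in the post above, as an added example (not part of the thread and not ComboFix's own code): a Python parser for its lines, whose columns are created time, a dot, modified time, size, attribute flags and path, followed by the triage pass a reviewer would run over such a log. It lists newly created kernel drivers (the .sys entries, which are the ones worth checking against the vendor and a signature check), anything carrying the hidden attribute, and files whose content timestamp is far older than their creation time (files copied in from an old installer, benign in this log but worth a glance). The sample lines are copied from the log above; the 30-day backdating threshold is my own choice for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Sample input: lines copied verbatim from the ComboFix log in this thread
# (column order is: created . modified size attributes path).
SAMPLE_LOG = r"""
2009-06-17 19:56 . 2001-09-07 19:48 26624 ----a-w- c:\windows\GetIe.dll
2009-06-17 19:13 . 2009-06-17 19:13 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-06-17 19:13 . 2009-06-17 19:13 -------- d-----w- c:\program files\TrueCrypt
2009-06-16 22:35 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 22:27 . 2009-06-16 22:26 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-16 22:18 . 2009-06-16 22:18 -------- d--h--w- c:\windows\PIF
2009-06-16 20:43 . 2005-08-25 23:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-16 20:20 . 2009-06-10 13:22 83344 ----a-w- c:\windows\system32\Erasext.dll
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories, which ComboFix prints as "--------"
    attrs: str            # e.g. "----a-w-" (archive file), "d--h--w-" (hidden directory)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def parse_combofix(text: str) -> List[Entry]:
    """Parse ComboFix file-listing lines; headers, dots and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def triage(entries: List[Entry], backdate_days: int = 30) -> Dict[str, List[str]]:
    """Group the entries a reviewer looks at first.

    drivers:   newly created kernel drivers; verify publisher and signature of each
    hidden:    anything created with the hidden attribute set
    backdated: files whose content timestamp is much older than their creation
               time, i.e. copied in from an older source (the 30-day threshold
               is an arbitrary choice made for this example)
    """
    cutoff = timedelta(days=backdate_days)
    return {
        "drivers": [e.path for e in entries if e.is_driver],
        "hidden": [e.path for e in entries if e.is_hidden],
        "backdated": [e.path for e in entries if e.created - e.modified > cutoff],
    }


if __name__ == "__main__":
    for group, paths in triage(parse_combofix(SAMPLE_LOG)).items():
        print(f"{group}:")
        for p in paths:
            print(f"  {p}")
```

Run against the sample, the drivers group holds truecrypt.sys, mbamswissarmy.sys and Lbd.sys (TrueCrypt, Malwarebytes and Lavasoft respectively, all installed during the week the log covers), the hidden group holds c:\windows\PIF, and the backdated group holds GetIe.dll and MSSTDFMT.DLL, both carrying modification times years older than their creation time because they were dropped by installers from older packages.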


#6 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 01 July 2009 - 01:34 PM

Your logs are clean.

How long ago did you upgrade to Explorer 8?

Was everything working fine after the upgrade?
===
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#7 computer2 (Full Member, 8 posts)

Posted 02 July 2009 - 10:16 AM

I upgraded to IE 8 after the XP reinstall.

Other info: today's boot up featured a crash during boot, a reboot, a prompt to start in safe mode (etc.) and then check disk ran. After the reboot and check disk it started fine, but the BitDefender 'activity window' (the little live graph that shows file activity on the computer in real time) reappeared (I had disabled it).

Note also that crashes can occur during drag/drop OR right click on desktop, but doing these things does not always crash the system.

#8 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 02 July 2009 - 12:24 PM

I hope this scan will reveal something.

Let's use this online scanner (don't worry, it doesn't delete anything, it only detects).

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

p.s. When your computer crashes, do you get an error message that may help identify the culprit?

#9 computer2 (Full Member, 8 posts)

Posted 03 July 2009 - 03:07 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 3, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 03, 2009 15:16:59
Records in database: 2419886
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 72720
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 05:25:48


File name / Threat name / Threats count
C:\Documents and Settings\OfficePC\Desktop\Utils to install\System\specialfoldersview\SpecialFoldersView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.hd 1
C:\Documents and Settings\OfficePC\Desktop\Utils to install\System\SysinternalsSuite.zip Infected: not-a-virus:RiskTool.Win32.PsKill.ba 1

The selected area was scanned.


Hi - not too much to see here - just what seems like a false positive...

When the crash happens there is no error message... I have to CTRL-ALT-DEL to manually kill the non-responding explorer.exe.

The more I think of it, the more I think this has to do with some kind of USB conflict or driver issue or something like this. What do you think?

Thank you

#10 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 04 July 2009 - 07:57 AM

I also am having a problem with explorer.exe crashes when dragging and dropping files or copying. Especially with USB drives


Do you crash when you copy and paste the files?

#11 computer2 (Full Member, 8 posts)

Posted 06 July 2009 - 11:13 AM

It does not seem to crash when using CTRL-C + CTRL-V

#12 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 07 July 2009 - 08:19 AM

I also suspect that it may be some driver issues.

I just want to confirm if the values in bold are set in your registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_EnableDragDrop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoChangeStartMenu"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]

"180D"=dword:00000000


Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
Start_EnableDragDrop

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Repeat the search for these strings.

NoChangeStartMenu

and

180D


Post the results.

#13 computer2 (Full Member, 8 posts)

Posted 08 July 2009 - 02:26 PM

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "Start_EnableDragDrop" 08/07/2009 3:10:40 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\EnableDragDrop]
"ValueName"="Start_EnableDragDrop"

[HKEY_USERS\S-1-5-21-299502267-1682526488-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_EnableDragDrop"=dword:00000001

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "NoChangeStartMenu" 08/07/2009 3:12:31 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\Policy\NoChangeStartMenu]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuChange\Policy\NoChangeStartMenu]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\EnableDragDrop\Policy\NoChangeStartMenu]

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "180D" 08/07/2009 3:25:56 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6EE3853E-DDEF-3F29-8F1B-1ED7180D9229}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAEF4300-9FB3-306F-8F67-180DEB8DDFB7}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}\1.0.5000.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}\2.0.0.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{26587AE9-6807-6F2D-9D9B-180D28486489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{390180D5-9039-50AF-793D-071EBDECCE91}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9691BB180DB841D46929F94B7A7AACB7]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EE180D26BAADE5D4C8D798332457E359]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"180D"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
"180D"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
"180D"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"180D"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
"180D"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"180D"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"180D"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"180D"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"180D"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"180d"=dword:00000001

[HKEY_USERS\S-1-5-21-299502267-1682526488-839522115-1004\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0]
"2edd7538c2b180d3"=hex:2c,00,41,00,70,00,70,00,45,00,76,00,65,00,6e,00,74,00,\

[HKEY_USERS\S-1-5-21-299502267-1682526488-839522115-1004\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map]
"2edd7538c2b180d3"=",33,HKCU,AppEvents\\Schemes\\Apps\\Explorer\\FeedDiscovered,,"

"PMDisplayName"="My Computer [Protected Mode]"
"180D"=dword:00000000

"PMDisplayName"="Local intranet [Protected Mode]"
"180D"=dword:00000000

"PMDisplayName"="Trusted sites [Protected Mode]"
"180D"=dword:00000000

"PMDisplayName"="Internet [Protected Mode]"
"180D"=dword:00000001

"PMDisplayName"="Restricted sites [Protected Mode]"
"180D"=dword:00000001

#14 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 08 July 2009 - 03:54 PM

It sure looks like a driver issue. Nothing suspicious found.

I do not use (have never used) drag and drop to copy files.

When I want to copy a file from a folder I always right-click (copy the file), navigate to the folder and right-click to paste the file into the folder.

Can you live with this?

#15 computer2 (Full Member, 8 posts)

Posted 09 July 2009 - 03:12 PM

I guess I have to -- glad to hear it's not a keylogger etc.

I wish there was some kind of freeware out there that dealt with USB conflicts and/or driver issues.

Anyway, thank you for your help

#16 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 23 July 2009 - 07:46 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



