Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Driven Restart Cycle Virus [side Issue: Smitfraud (or Like Problem) -- Trusted Anti Virus]


  • This topic is locked This topic is locked
16 replies to this topic

#1 Quinnton

Quinnton

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 05 December 2007 - 09:20 PM

Operating system: Windows XP

My friend is having serious problems with his computer. At first his computer all at once his computer started posting these messages that his computer needed to update his security or that his anti spyware was out of date (sorry he can’t recall anything out of the ordinary that he was doing to start this). Later his computer went into a restart cycle showing at first the blue screen of death for a couple of seconds then going blank it then restarting it goes up until his profile Icon appears and then it restarts again. In a flurry I said "Maybe its Internet driven. Take out your Ethernet!" – and sure enough the cycle stopped however the messages or the alerts that he needed to buy this or that in order to free his computer of a virus were still going around. There are four messages that pop up

1 From the toolbar (from the Icon which opens to the security Center
Your computer might be at risk
Your anti virus software might be out of date
Click this balloon to fix this problem

(I realize this might be normal as his antivirus software probably is out of date)

2 From the toolbar
Updates are ready to install on your computer
Click here to install these updates
(Again normal looking – however the computer is not connected to the internet so where would it get the update FROM?)

3 Symantec Anti virus – A rectangle with yellow background pops up from the tool bar
Auto Protect is Disabled

4 was a Windows security Alert which popped up as its own window and would do so every 2 hours or so (it would overlap itself)

Obviously this is the most vital one to quote however it seems to not pop up after every search and clean program that this computer has been through. Some things I can remember about it -- it said that we should buy an Anti virus program. it ended with "..." and had a Yes or No option. My friend clicked yes the first time it showed up and it brought him to some Trusted Anti Virus program that he needed to buy in order for it to do anything. In fact, after checking his Firefox History, it brought him TO the payment page of this site. cited here: hxxps://sale.trustedantivirus.com/payment/?...b5050010a435a48

I knew already about Ad-Aware and Spybot: Search and Destroy so I suggested we started with that (he did not have these programs). However he could not log on to the internet to get these. So I used a memory stick to bring what I had over there. My first few attempts were unsuccessful in getting them installed. Because Spybot seemed to need to connect to the internet to receive the updates to run a scan and Ad-aware (2007) wasn’t working at all. In desperation I tried moving the entire program from my computer to his. Spybot S&D worked however Ad-aware did not. It seemed almost as though a virus was targeting the opening of this program it said:
“System error: 1814 has occurred. Description: Could not login to service. Are you running this application as another user? Application terminates”
But, my friends computer does not have ANY other users
I found later that Ad-aware SE did work but still could not receive any updates.

After researching I found a list of things to do in order to beat aggressive viruses here – http://www.askmehelpdesk.com/computers-beg...way-153999.html Under a posting by “invisibleman_productions” I found this exact list in many other (more reputable) places and started following it.
Obviously connecting the actual computer to the internet was not possible so some of this lists points could not be covered (as well as a few of this forums checkpoints namely 5,7, and 8). However I put Vundofix on this computer and it didn’t find anything – this made sense I found because the computer was not displaying the symptoms Vundofix was supposed to fix. I researched about the actual symptoms and found that what this computer might have is Smitfraud. So I installed Smitfraudfix and ran it. It found a few things however after a restart the pop ups still come and Smitfraudfix finds nothing.

I then found this site and followed the checklist to the best of his computers ability and Ad-Aware found a lot more than before some 10 Warning points (perhaps Smitfraudfix did help) and the same with Spybot S&D -113 found. However the pop-ups did not go away. And when I tried to connect to the internet it did the same thing as before what with the Blue Screen of Death and the restarting cycle. I actually had already known about Hijackthis but I knew it was a last resort. So, there is obviously something eschew with his computer. Can you guys find anything out of order in this Logfile?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:31 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Gordon Hofheins\Desktop\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R3 - URLSearchHook: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Program Files\free-downloads\tbfre1.dll
F2 - REG:system.ini: UserInit=userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/ig"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Program Files\free-downloads\tbfre1.dll
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolz.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: free-downloads.net Toolbar - {d3e23b4b-f153-4687-82c2-816319dd3c5a} - C:\Program Files\free-downloads\tbfre1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol698.txt
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6997 bytes


Now that I look at it head on it actually seems to be two issues. This TrustedAntiVirus thing and the restart cycle. Sorry about that but I really do think that they're connected.

Thank you so much,
Quinnton


Mod Edit: Disabled active link to malware site.~ TMacK

Edited by TMacK, 07 December 2007 - 01:37 AM.


BC AdBot (Login to Remove)

 


#2 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 07 December 2007 - 12:57 AM

Actually it is most likely that Smitfraudfix did fix the bad/fake pop-up seeing as # 4 on my list of popups is not showing up any more (the other three -more normal looking ones- still are showing up). So any suggestions for the restart cycle that is going on from the log?

#3 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 14 December 2007 - 02:57 PM

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply


#4 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 14 December 2007 - 07:16 PM

On an additional note my friend had already deleated Hijackthis from his computer. So dss.exe had to run without that.

Main.txt

Deckard's System Scanner v20071014.68
Run by Gordon Hofheins on 2007-12-14 17:05:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-14 17:08:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\PharosSystems\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Gordon Hofheins\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBHO.dll
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolz.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol698.txt
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\Program Files\PharosSystems\Core\CTskMstr.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 7591 bytes

-- File Associations -----------------------------------------------------------

.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device>
R0 TVALDX (Toshiba ACPI-Based Value Added Logical Device Extension Driver) - c:\windows\system32\drivers\tvaldx.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device Extension>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>

S0 tosrfec (Bluetooth ACPI from Toshiba) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
S2 ntio256 (Input and output operations) - c:\windows\system32\ntio256.sys (file missing)
S3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 sscdbus (SAMSUNG USB Composite Device driver (WDM)) - c:\windows\system32\drivers\sscdbus.sys (file missing)
S3 sscdmdfl (SAMSUNG CDMA Modem Filter) - c:\windows\system32\drivers\sscdmdfl.sys (file missing)
S3 sscdmdm (SAMSUNG CDMA Modem Drivers) - c:\windows\system32\drivers\sscdmdm.sys (file missing)
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Pharos Systems ComTaskMaster - "c:\progra~1\pharos~1\core\ctskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 52\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-06 22:42:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-14 and 2007-12-14 -----------------------------

2007-12-14 16:14:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-14 16:13:51 0 d-------- C:\Program Files\Security Task Manager
2007-12-14 12:17:42 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-12-14 12:17:41 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-12-14 12:16:14 0 d-------- C:\Program Files\Sygate
2007-12-10 21:22:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-10 20:07:05 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Printer Info Cache
2007-12-10 11:52:20 1569 --a------ C:\WINDOWS\system32\mssfcnhh.dll
2007-12-09 14:53:12 0 d-------- C:\Program Files\Spyware Doctor
2007-12-09 14:53:12 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\PC Tools
2007-12-09 14:50:25 0 d-------- C:\Program Files\Enigma Software Group
2007-12-05 08:22:55 3042 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-05 08:22:00 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-05 08:22:00 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-05 08:22:00 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-05 08:22:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-05 08:21:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-04 18:15:49 0 d-------- C:\VundoFix Backups
2007-12-03 22:16:27 71 --a------ C:\WINDOWS\mgglp.bat
2007-12-03 22:16:11 162917 --a------ C:\WINDOWS\bakidg.exe
2007-12-03 21:01:33 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Lavasoft
2007-12-03 17:31:00 138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-02 01:28:00 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-12-01 20:51:06 87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-01 20:51:06 291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-01 20:51:05 383488 --a------ C:\WINDOWS\ddubbv.exe
2007-11-20 13:14:35 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-18 14:28:10 0 d-------- C:\Documents and Settings\LocalService\Desktop


-- Find3M Report ---------------------------------------------------------------

2007-12-12 11:44:44 0 d-------- C:\Program Files\Common Files
2007-12-12 01:55:16 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\U3
2007-12-06 18:03:28 0 d-------- C:\Program Files\free-downloads
2007-12-02 01:09:17 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-02 01:07:07 0 d-------- C:\Program Files\Symantec
2007-12-02 01:04:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-02 13:32:38 0 d-------- C:\Program Files\Starcraft
2007-11-02 08:50:14 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Hamachi
2007-11-01 16:57:48 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Symantec
2007-11-01 10:47:58 0 d-------- C:\Program Files\Norton 360
2007-11-01 10:23:07 0 d-------- C:\Program Files\Google
2007-10-28 14:16:45 35382 --a------ C:\WINDOWS\scunin.dat
2007-10-28 14:16:44 967 --a------ C:\WINDOWS\ScUnin.pif
2007-10-28 14:16:44 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-10-28 13:51:15 0 d-------- C:\Program Files\Alcohol Soft
2007-10-21 12:31:58 0 d-------- C:\Program Files\iTunes
2007-10-21 12:30:37 0 d-------- C:\Program Files\iPod
2007-09-17 11:15:40 11264 --a------ C:\WINDOWS\system32\PSS4563C.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:08:29 11264 --a------ C:\WINDOWS\system32\PSS43C13.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:11 11264 --a------ C:\WINDOWS\system32\PSS42C4B.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:11 11264 --a------ C:\WINDOWS\system32\PSS42C49.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C42.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C40.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C3D.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C3B.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C39.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C36.DLL <Not Verified; Pharos Systems International; PHAROS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DABCE839-3831-3818-AF3A-3837BCD324D2}]
C:\WINDOWS\system32\mspoolz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/04/2004 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 06:54 PM]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" [12/01/2007 08:51 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]
"TrustedAntivirus"="C:\Program Files\TrustedAntivirus\pgs.exe" []
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/02/2007 05:24 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [07/02/2007 03:22 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sol698.txt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
E:\autorun.exe restart TIMER_SEQUENCE first

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe /Type 01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
c:\toshiba\sysstability\tsyssmon.exe /detect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"ImapiService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468110a5-6d11-11dc-90ba-0000396f12c9}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595ce3b1-524e-11dc-907f-0000396f12c9}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45107b0-9648-11dc-9112-0000396f12c9}]
AutoRun\command- G:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-12-14 17:10:40 ------------








extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 511.48 MiB / 213.68 MiB
Pagefile Memory (total/avail): 1247.86 MiB / 850.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.89 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 7.23 GiB free.
D: is Removable (No Media)
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (FAT)

\\.\PHYSICALDRIVE1 - TOSHIBA MK4018GAP - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

\\.\PHYSICALDRIVE0 - Toshiba Sm Host Driver SCSI Disk Device

\\.\PHYSICALDRIVE2 - SanDisk Cruzer Micro USB Device - 486.34 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 488.14 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation) Disabled Outdated
AV: Symantec AntiVirus Corporate Edition v10.1.5.5000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:Pharos Com Task Master "
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe:*:Enabled:Microsoft Broadband Network Utility"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe:*:Enabled:Microsoft Broadband Networking Tray"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe:*:Enabled:Microsoft Broadband Networking Setup"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe:*:Enabled:Microsoft Broadband Networking Update"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\toshiba\\ivp\\NetInt\\Netint.exe"="C:\\toshiba\\ivp\\NetInt\\Netint.exe:*:Disabled:NIE - Network Interface Engine"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:Pharos Com Task Master "
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec AntiVirus\\rtvscan.exe"="C:\\Program Files\\Symantec AntiVirus\\rtvscan.exe:128.187.21.147/255.255.255.255,128.187.21.148/255.255.255.255:Enabled:VirusScan(rtvscan.exe)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Gordon Hofheins\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOSHIBALAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Gordon Hofheins
LOGONSERVER=\\TOSHIBALAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\PharosSystems\OutputManagement;C:\Program Files\PharosSystems\Core
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\GORDON~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\GORDON~1\LOCALS~1\Temp
USERDOMAIN=TOSHIBALAPTOP
USERNAME=Gordon Hofheins
USERPROFILE=C:\Documents and Settings\Gordon Hofheins
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Gordon Hofheins (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
allTunes --> C:\PROGRA~1\allTunes\UNWISE.EXE C:\PROGRA~1\allTunes\INSTALL.LOG
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
HijackThis 2.0.2 --> "C:\Documents and Settings\Gordon Hofheins\Desktop\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Lotus NotesSQL 3.01 driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{113EECD6-9A04-11D4-811D-00805F923B86}\Setup.exe" -uninst
Lotus SmartSuite - English --> MsiExec.exe /I{536D6172-7453-7569-7465-392E37300409}
Microsoft Broadband Networking --> MsiExec.exe /I{8CC15633-2327-43F4-BA85-B83FDB4B59BE}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Network Device Switch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0C7D85B0-8569-11D4-91EA-00003914300F}\Setup.exe"
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_3_0_24\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Pharos --> C:\PROGRA~1\Pharos\bin\Local.EXE
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanModule V5.1 --> C:\WINDOWS\RunUnDrv.exe C:\WINDOWS\Twain_32\S3000\PmxScan.INF DefaultUnInstall.USB.NTX86
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
STV0680 Camera v112 Installation Files --> C:\PROGRA~1\STMICR~1\STV680~1\UNWISE.EXE C:\PROGRA~1\STMICR~1\STV680~1\INSTALL.LOG
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TextBridge Language Packs --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LangPack.INF,DefaultUnInstall
TextBridge Pro 8.0 --> "C:\Program Files\TextBridge Pro 8.0\bin\setup.exe" -funinst.ins
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -uninst
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe"
Toshiba Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA MEDIA PLAYER V1.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1C5CFE4-F3E3-422F-85C3-232B06BC80B1}\Setup.exe"
Toshiba On the Web and Support Menu --> C:\PROGRA~1\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\TOSHIB~1\INSTALL.LOG
TOSHIBA Satellite Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFC7912B-D965-4C15-A2A3-65FFE7F17205}\SETUP.EXE"
Toshiba Screensaver --> C:\WINDOWS\System32\TOSHIB~1.SCR /UNINSTALL "C:\WINDOWS\System32\Toshiba Screensaver.log"
TOSHIBA Software Modem --> Tosmreg -U
Toshiba Software Upgrades --> C:\toshiba\ivp\swupdate\UNWISE.EXE C:\toshiba\ivp\swupdate\INSTALL.LOG
Toshiba System Stability Program --> C:\toshiba\SYSSTA~1\UNWISE.EXE C:\toshiba\SYSSTA~1\INSTALL.LOG
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
TOSHIBA Utilities --> tutildel.exe
Trader Workstation 4.0 --> C:\Jts\UNWISE.EXE C:\Jts\INSTALL.LOG
TurboCAD Professional v6 --> C:\WINDOWS\IsUninst.exe -fC:\IMSI\TCWP60\Uninst.isu
TurboCAD v6 Symbols --> C:\WINDOWS\IsUninst.exe -fC:\IMSI\TCWP60\Symbols\Uninst.isu
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Volo View Express --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Volo View Express\DeIsL1.isu"
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireless Hotkey --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7862BAD8-A379-4128-8AA1-EFD5A9603C53}\Setup.exe"
YAMAHA AC-XG WDM --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3663DDE0-D8AE-11D3-9850-00C04F7AC096}\setup.exe" maintenance


-- Application Event Log -------------------------------------------------------

Event Record #/Type8493 / Error
Event Submitted/Written: 12/14/2007 00:39:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8484 / Error
Event Submitted/Written: 12/14/2007 00:32:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8476 / Error
Event Submitted/Written: 12/14/2007 00:27:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8463 / Error
Event Submitted/Written: 12/14/2007 00:02:55 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x8007041D

Event Record #/Type8460 / Error
Event Submitted/Written: 12/14/2007 11:57:14 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x8007041D



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11931 / Error
Event Submitted/Written: 12/14/2007 00:40:02 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000007e, parameter1 c0000005, parameter2 804da4f8, parameter3 f8b35bdc, parameter4 f8b358d8.

Event Record #/Type11919 / Error
Event Submitted/Written: 12/14/2007 00:38:49 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
tosrfec

Event Record #/Type11918 / Error
Event Submitted/Written: 12/14/2007 00:38:32 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Input and output operations service failed to start due to the following error:
%%2

Event Record #/Type11917 / Error
Event Submitted/Written: 12/14/2007 00:38:32 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Symantec Settings Manager service to connect.

Event Record #/Type11916 / Warning
Event Submitted/Written: 12/14/2007 00:38:24 PM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share Brandon's because the directory C:\Documents and Settings\Brandon's no longer exists. Please run "net share Brandon's /delete" to delete the share, or recreate the directory C:\Documents and Settings\Brandon's.



-- End of Deckard's System Scanner: finished at 2007-12-14 17:10:40 ------------

Edited by Quinnton, 14 December 2007 - 07:18 PM.


#5 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 15 December 2007 - 08:10 AM

I need you to reinstall HijackThis before we can continue

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


#6 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 15 December 2007 - 02:07 PM

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:48 AM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
F2 - REG:system.ini: UserInit=userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/ig"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolz.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol698.txt
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7388 bytes











And for good measure Here is the Main.txt of Deckard (it no longer opened an extra.txt)
Deckard's System Scanner v20071014.68
Run by Gordon Hofheins on 2007-12-15 12:02:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Gordon Hofheins.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:02 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Gordon Hofheins\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\GORDON~1.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
F2 - REG:system.ini: UserInit=userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/ig"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolz.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol698.txt
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7402 bytes

-- Files created between 2007-11-15 and 2007-12-15 -----------------------------

2007-12-15 11:53:00 0 d-------- C:\Program Files\Trend Micro
2007-12-14 16:14:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-14 16:13:51 0 d-------- C:\Program Files\Security Task Manager
2007-12-14 12:17:42 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-12-14 12:17:41 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-12-14 12:16:14 0 d-------- C:\Program Files\Sygate
2007-12-10 21:22:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-10 20:07:05 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Printer Info Cache
2007-12-10 11:52:20 1569 --a------ C:\WINDOWS\system32\mssfcnhh.dll
2007-12-09 14:53:12 0 d-------- C:\Program Files\Spyware Doctor
2007-12-09 14:53:12 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\PC Tools
2007-12-09 14:50:25 0 d-------- C:\Program Files\Enigma Software Group
2007-12-05 08:22:55 3042 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-05 08:22:00 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-05 08:22:00 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-05 08:22:00 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-05 08:22:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-05 08:21:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-04 18:15:49 0 d-------- C:\VundoFix Backups
2007-12-03 22:16:27 71 --a------ C:\WINDOWS\mgglp.bat
2007-12-03 22:16:11 162917 --a------ C:\WINDOWS\bakidg.exe
2007-12-03 21:01:33 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Lavasoft
2007-12-03 17:31:00 138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-02 01:28:00 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-12-01 20:51:06 87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-01 20:51:06 291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-01 20:51:05 383488 --a------ C:\WINDOWS\ddubbv.exe
2007-11-20 13:14:35 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-18 14:28:10 0 d-------- C:\Documents and Settings\LocalService\Desktop


-- Find3M Report ---------------------------------------------------------------

2007-12-12 11:44:44 0 d-------- C:\Program Files\Common Files
2007-12-12 01:55:16 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\U3
2007-12-06 18:03:28 0 d-------- C:\Program Files\free-downloads
2007-12-02 01:09:17 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-02 01:07:07 0 d-------- C:\Program Files\Symantec
2007-12-02 01:04:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-02 13:32:38 0 d-------- C:\Program Files\Starcraft
2007-11-02 08:50:14 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Hamachi
2007-11-01 16:57:48 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Symantec
2007-11-01 10:47:58 0 d-------- C:\Program Files\Norton 360
2007-11-01 10:23:07 0 d-------- C:\Program Files\Google
2007-10-28 14:16:45 35382 --a------ C:\WINDOWS\scunin.dat
2007-10-28 14:16:44 967 --a------ C:\WINDOWS\ScUnin.pif
2007-10-28 14:16:44 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-10-28 13:51:15 0 d-------- C:\Program Files\Alcohol Soft
2007-10-21 12:31:58 0 d-------- C:\Program Files\iTunes
2007-10-21 12:30:37 0 d-------- C:\Program Files\iPod
2007-09-17 11:15:40 11264 --a------ C:\WINDOWS\system32\PSS4563C.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:08:29 11264 --a------ C:\WINDOWS\system32\PSS43C13.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:11 11264 --a------ C:\WINDOWS\system32\PSS42C4B.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:11 11264 --a------ C:\WINDOWS\system32\PSS42C49.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C42.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C40.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C3D.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C3B.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C39.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C36.DLL <Not Verified; Pharos Systems International; PHAROS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DABCE839-3831-3818-AF3A-3837BCD324D2}]
C:\WINDOWS\system32\mspoolz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/04/2004 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 06:54 PM]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" [12/01/2007 08:51 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]
"TrustedAntivirus"="C:\Program Files\TrustedAntivirus\pgs.exe" []
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/02/2007 05:24 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [07/02/2007 03:22 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sol698.txt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
E:\autorun.exe restart TIMER_SEQUENCE first

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe /Type 01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
c:\toshiba\sysstability\tsyssmon.exe /detect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"ImapiService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468110a5-6d11-11dc-90ba-0000396f12c9}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595ce3b1-524e-11dc-907f-0000396f12c9}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45107b0-9648-11dc-9112-0000396f12c9}]
AutoRun\command- G:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-12-15 12:04:26 ------------

#7 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 15 December 2007 - 03:12 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 .
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolz.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol698.txt

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\system32\sol698.txt
C:\WINDOWS\system32\mssfcnhh.dll
C:\WINDOWS\mgglp.bat
C:\WINDOWS\bakidg.exe
C:\WINDOWS\xnnnav.exe
C:\WINDOWS\ddubbv.exe

And these folders:

C:\Program Files\TrustedAntivirus\
C:\VundoFix Backups\

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Go to Start > Run... and copy/paste the text below into the Runbox:

"%userprofile%\desktop\dss.exe" /config

A window will open. Click on Check All, then click Scan!.

When it has finished, Deckard's System Scanner will open two Notepad files: main.txt and extra.txt- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply

#8 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 15 December 2007 - 07:35 PM

Side effect/ issue. Upon restart a message comes up saying that startdrv.exe has an error and it asks me if I want to send this information to Windows. I clicked "don't send"

Deckard Scan:
Main.txt

Deckard's System Scanner v20071014.68
Run by Gordon Hofheins on 2007-12-15 15:57:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-12-15 22:57:53 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2007-12-15 22:36:47 UTC - RP3 - Installed Java™ 6 Update 3
2: 2007-12-15 22:13:59 UTC - RP2 - Removed Java 2 Runtime Environment, SE v1.4.2_04
1: 2007-12-15 00:06:39 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Gordon Hofheins.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:19 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Gordon Hofheins\desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\GORDON~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
F2 - REG:system.ini: UserInit=userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/ig"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7141 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071215-154227-127 O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
backup-20071215-154227-178 O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
backup-20071215-154227-644 O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mspoolz.dll (file missing)
backup-20071215-154227-789 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20071215-154227-907 O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
backup-20071215-154228-393 O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
backup-20071215-154229-983 O20 - AppInit_DLLs: C:\WINDOWS\system32\sol698.txt

-- File Associations -----------------------------------------------------------

.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device>
R0 TVALDX (Toshiba ACPI-Based Value Added Logical Device Extension Driver) - c:\windows\system32\drivers\tvaldx.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device Extension>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set>

S0 tosrfec (Bluetooth ACPI from Toshiba) - c:\windows\system32\drivers\tosrfec.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth EC Driver>
S2 ntio256 (Input and output operations) - c:\windows\system32\ntio256.sys (file missing)
S3 EraserUtilRebootDrv - c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys (file missing)
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 sscdbus (SAMSUNG USB Composite Device driver (WDM)) - c:\windows\system32\drivers\sscdbus.sys (file missing)
S3 sscdmdfl (SAMSUNG CDMA Modem Filter) - c:\windows\system32\drivers\sscdmdfl.sys (file missing)
S3 sscdmdm (SAMSUNG CDMA Modem Drivers) - c:\windows\system32\drivers\sscdmdm.sys (file missing)
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Pharos Systems ComTaskMaster - "c:\progra~1\pharos~1\core\ctskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 52\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 744)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>

C:\WINDOWS\system32\svchost.exe (pid 964)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>

C:\WINDOWS\system32\svchost.exe (pid 1032)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>

C:\WINDOWS\system32\svchost.exe (pid 1104)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>

C:\WINDOWS\explorer.exe (pid 1368)
2007-02-22 14:33:06 167936 --a------ C:\Program Files\PharosSystems\Core\PrnTrack.dll <Not Verified; Pharos Systems International; PHAROS>
2007-02-22 14:33:06 109568 --a------ C:\WINDOWS\system32\MadCHook.dll <Not Verified; www.madshi.net; madCHook>
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>
2007-09-26 13:42:04 43008 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll <Not Verified; Apple Inc.; iTunes>
2007-09-26 13:42:04 129536 --a------ C:\Program Files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll <Not Verified; Apple Inc.; iTunes>

C:\WINDOWS\system32\svchost.exe (pid 1452)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>

C:\WINDOWS\system32\svchost.exe (pid 1484)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>

C:\WINDOWS\system32\svchost.exe (pid 624)
2007-11-01 15:46:30 99328 --a------ C:\Program Files\Spyware Doctor\klg.dat <Not Verified; PC Tools; Spyware Doctor>


-- Scheduled Tasks -------------------------------------------------------------

2007-12-06 22:42:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-15 and 2007-12-15 -----------------------------

2007-12-15 15:36:56 0 d-------- C:\Program Files\Common Files\Java
2007-12-15 11:53:00 0 d-------- C:\Program Files\Trend Micro
2007-12-14 16:14:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-14 16:13:51 0 d-------- C:\Program Files\Security Task Manager
2007-12-14 12:17:42 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-12-14 12:17:41 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-12-14 12:16:14 0 d-------- C:\Program Files\Sygate
2007-12-10 21:22:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-10 20:07:05 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Printer Info Cache
2007-12-09 14:53:12 0 d-------- C:\Program Files\Spyware Doctor
2007-12-09 14:53:12 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\PC Tools
2007-12-09 14:50:25 0 d-------- C:\Program Files\Enigma Software Group
2007-12-05 08:22:55 3042 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-05 08:22:00 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-05 08:22:00 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-05 08:22:00 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-05 08:22:00 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-05 08:21:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-03 21:01:33 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Lavasoft
2007-12-02 01:28:00 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-12-01 20:51:06 291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-11-20 13:14:35 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-18 14:28:10 0 d-------- C:\Documents and Settings\LocalService\Desktop


-- Find3M Report ---------------------------------------------------------------

2007-12-15 15:38:18 0 d-------- C:\Program Files\Java
2007-12-15 15:36:56 0 d-------- C:\Program Files\Common Files
2007-12-12 01:55:16 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\U3
2007-12-06 18:03:28 0 d-------- C:\Program Files\free-downloads
2007-12-02 01:09:17 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-02 01:07:07 0 d-------- C:\Program Files\Symantec
2007-12-02 01:04:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-02 13:32:38 0 d-------- C:\Program Files\Starcraft
2007-11-02 08:50:14 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Hamachi
2007-11-01 16:57:48 0 d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Symantec
2007-11-01 10:47:58 0 d-------- C:\Program Files\Norton 360
2007-11-01 10:23:07 0 d-------- C:\Program Files\Google
2007-10-28 14:16:45 35382 --a------ C:\WINDOWS\scunin.dat
2007-10-28 14:16:44 967 --a------ C:\WINDOWS\ScUnin.pif
2007-10-28 14:16:44 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-10-28 13:51:15 0 d-------- C:\Program Files\Alcohol Soft
2007-10-21 12:31:58 0 d-------- C:\Program Files\iTunes
2007-10-21 12:30:37 0 d-------- C:\Program Files\iPod
2007-09-17 11:15:40 11264 --a------ C:\WINDOWS\system32\PSS4563C.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:08:29 11264 --a------ C:\WINDOWS\system32\PSS43C13.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:11 11264 --a------ C:\WINDOWS\system32\PSS42C4B.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:11 11264 --a------ C:\WINDOWS\system32\PSS42C49.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C42.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C40.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C3D.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C3B.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C39.DLL <Not Verified; Pharos Systems International; PHAROS>
2007-09-17 11:04:10 11264 --a------ C:\WINDOWS\system32\PSS42C36.DLL <Not Verified; Pharos Systems International; PHAROS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/04/2004 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 06:54 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/02/2007 05:24 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [07/02/2007 03:22 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
E:\autorun.exe restart TIMER_SEQUENCE first

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe /Type 01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
c:\toshiba\sysstability\tsyssmon.exe /detect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"ImapiService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468110a5-6d11-11dc-90ba-0000396f12c9}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595ce3b1-524e-11dc-907f-0000396f12c9}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45107b0-9648-11dc-9112-0000396f12c9}]
AutoRun\command- G:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-12-15 16:04:19 ------------

extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 511.48 MiB / 189.47 MiB
Pagefile Memory (total/avail): 1247.8 MiB / 823.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.71 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 7.12 GiB free.
D: is Removable (No Media)
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE1 - TOSHIBA MK4018GAP - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

\\.\PHYSICALDRIVE0 - Toshiba Sm Host Driver SCSI Disk Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation) Disabled Outdated
AV: Symantec AntiVirus Corporate Edition v10.1.5.5000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:Pharos Com Task Master "
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe:*:Enabled:Microsoft Broadband Network Utility"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe:*:Enabled:Microsoft Broadband Networking Tray"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe:*:Enabled:Microsoft Broadband Networking Setup"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe:*:Enabled:Microsoft Broadband Networking Update"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\toshiba\\ivp\\NetInt\\Netint.exe"="C:\\toshiba\\ivp\\NetInt\\Netint.exe:*:Disabled:NIE - Network Interface Engine"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:Pharos Com Task Master "
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec AntiVirus\\rtvscan.exe"="C:\\Program Files\\Symantec AntiVirus\\rtvscan.exe:128.187.21.147/255.255.255.255,128.187.21.148/255.255.255.255:Enabled:VirusScan(rtvscan.exe)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Gordon Hofheins\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOSHIBALAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Gordon Hofheins
LOGONSERVER=\\TOSHIBALAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\PharosSystems\OutputManagement;C:\Program Files\PharosSystems\Core
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\GORDON~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\GORDON~1\LOCALS~1\Temp
USERDOMAIN=TOSHIBALAPTOP
USERNAME=Gordon Hofheins
USERPROFILE=C:\Documents and Settings\Gordon Hofheins
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Gordon Hofheins (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
allTunes --> C:\PROGRA~1\allTunes\UNWISE.EXE C:\PROGRA~1\allTunes\INSTALL.LOG
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
HijackThis 2.0.2 --> "C:\Documents and Settings\Gordon Hofheins\Desktop\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Lotus NotesSQL 3.01 driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{113EECD6-9A04-11D4-811D-00805F923B86}\Setup.exe" -uninst
Lotus SmartSuite - English --> MsiExec.exe /I{536D6172-7453-7569-7465-392E37300409}
Microsoft Broadband Networking --> MsiExec.exe /I{8CC15633-2327-43F4-BA85-B83FDB4B59BE}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Network Device Switch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0C7D85B0-8569-11D4-91EA-00003914300F}\Setup.exe"
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_3_0_24\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Pharos --> C:\PROGRA~1\Pharos\bin\Local.EXE
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanModule V5.1 --> C:\WINDOWS\RunUnDrv.exe C:\WINDOWS\Twain_32\S3000\PmxScan.INF DefaultUnInstall.USB.NTX86
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
STV0680 Camera v112 Installation Files --> C:\PROGRA~1\STMICR~1\STV680~1\UNWISE.EXE C:\PROGRA~1\STMICR~1\STV680~1\INSTALL.LOG
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TextBridge Language Packs --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LangPack.INF,DefaultUnInstall
TextBridge Pro 8.0 --> "C:\Program Files\TextBridge Pro 8.0\bin\setup.exe" -funinst.ins
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -uninst
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe"
Toshiba Hotkey Utility for Display Devices --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\TFNF5Wxp.inf,DefaultUninstall,5
TOSHIBA MEDIA PLAYER V1.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1C5CFE4-F3E3-422F-85C3-232B06BC80B1}\Setup.exe"
Toshiba On the Web and Support Menu --> C:\PROGRA~1\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\TOSHIB~1\INSTALL.LOG
TOSHIBA Satellite Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFC7912B-D965-4C15-A2A3-65FFE7F17205}\SETUP.EXE"
Toshiba Screensaver --> C:\WINDOWS\System32\TOSHIB~1.SCR /UNINSTALL "C:\WINDOWS\System32\Toshiba Screensaver.log"
TOSHIBA Software Modem --> Tosmreg -U
Toshiba Software Upgrades --> C:\toshiba\ivp\swupdate\UNWISE.EXE C:\toshiba\ivp\swupdate\INSTALL.LOG
Toshiba System Stability Program --> C:\toshiba\SYSSTA~1\UNWISE.EXE C:\toshiba\SYSSTA~1\INSTALL.LOG
Toshiba Tbiosdrv Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Toshiba\Toshiba Tbiosdrv Driver\Tbiosdrv.isu"
TOSHIBA Utilities --> tutildel.exe
Trader Workstation 4.0 --> C:\Jts\UNWISE.EXE C:\Jts\INSTALL.LOG
TurboCAD Professional v6 --> C:\WINDOWS\IsUninst.exe -fC:\IMSI\TCWP60\Uninst.isu
TurboCAD v6 Symbols --> C:\WINDOWS\IsUninst.exe -fC:\IMSI\TCWP60\Symbols\Uninst.isu
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Volo View Express --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Volo View Express\DeIsL1.isu"
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireless Hotkey --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7862BAD8-A379-4128-8AA1-EFD5A9603C53}\Setup.exe"
YAMAHA AC-XG WDM --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3663DDE0-D8AE-11D3-9850-00C04F7AC096}\setup.exe" maintenance


-- Application Event Log -------------------------------------------------------

Event Record #/Type8558 / Error
Event Submitted/Written: 12/15/2007 03:45:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8547 / Error
Event Submitted/Written: 12/15/2007 03:31:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8493 / Error
Event Submitted/Written: 12/14/2007 00:39:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8484 / Error
Event Submitted/Written: 12/14/2007 00:32:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]

Event Record #/Type8476 / Error
Event Submitted/Written: 12/14/2007 00:27:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application startdrv.exe, version 0.0.0.0, faulting module startdrv.exe, version 0.0.0.0, fault address 0x00001044.
Processing media-specific event for [startdrv.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12419 / Error
Event Submitted/Written: 12/15/2007 03:45:38 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
tosrfec

Event Record #/Type12418 / Error
Event Submitted/Written: 12/15/2007 03:45:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Input and output operations service failed to start due to the following error:
%%2

Event Record #/Type12417 / Error
Event Submitted/Written: 12/15/2007 03:45:21 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Symantec Settings Manager service to connect.

Event Record #/Type12416 / Warning
Event Submitted/Written: 12/15/2007 03:45:13 PM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share Brandon's because the directory C:\Documents and Settings\Brandon's no longer exists. Please run "net share Brandon's /delete" to delete the share, or recreate the directory C:\Documents and Settings\Brandon's.

Event Record #/Type12390 / Error
Event Submitted/Written: 12/15/2007 03:30:39 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
tosrfec



-- End of Deckard's System Scanner: finished at 2007-12-15 16:04:19 ------------

#9 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 16 December 2007 - 05:34 PM

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#10 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 17 December 2007 - 12:02 AM

combofix.log
ComboFix 07-12-16.4 - Gordon Hofheins 2007-12-16 20:48:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.117 [GMT -7:00]
Running from: C:\Documents and Settings\Gordon Hofheins\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Gordon Hofheins\ResErrors.log
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\QIJ33.sys
C:\WINDOWS\system32\drivers\symavc32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_NTIO256
-------\LEGACY_QIJ33
-------\LEGACY_RUNTIME
-------\nm
-------\ntio256


((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-15 21:40 . 2007-12-15 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-15 15:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-15 15:36 . 2007-12-15 15:36 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-15 12:02 . 2007-12-15 12:02 <DIR> d-------- C:\Deckard
2007-12-15 11:53 . 2007-12-15 11:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 16:14 . 2007-12-14 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-14 16:13 . 2007-12-14 16:13 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-14 12:17 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-14 12:17 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-14 12:17 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-14 12:16 . 2007-12-14 12:16 <DIR> d-------- C:\Program Files\Sygate
2007-12-10 21:35 . 2007-12-16 21:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-10 21:35 . 2007-12-10 21:35 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 21:22 . 2007-12-10 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-10 20:07 . 2007-12-10 20:07 <DIR> d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Printer Info Cache
2007-12-09 14:53 . 2007-12-09 15:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-09 14:53 . 2007-12-09 14:53 <DIR> d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\PC Tools
2007-12-09 14:53 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-09 14:53 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-09 14:53 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-09 14:53 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-09 14:52 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-09 14:50 . 2007-12-10 21:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-05 08:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-05 08:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-05 08:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-05 08:22 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-05 08:22 . 2007-12-05 23:44 3,042 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-05 08:21 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-04 14:58 . 2007-12-04 18:04 161 --a------ C:\WINDOWS\wininit.ini
2007-12-03 21:01 . 2007-12-15 21:41 <DIR> d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Lavasoft
2007-12-03 17:33 . 2007-12-03 17:33 29 --a------ C:\WINDOWS\system32\ayygqhht.tmp
2007-12-01 20:57 . 2007-12-01 20:57 42,496 --a------ C:\9A1.tmp
2007-12-01 20:57 . 2007-12-01 20:57 2 --a------ C:\9A2.tmp
2007-12-01 20:51 . 2007-12-01 20:51 291,328 --a------ C:\WINDOWS\system32\libcurl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 00:35 --------- d-----w C:\Program Files\Norton 360
2007-12-15 22:38 --------- d-----w C:\Program Files\Java
2007-12-12 08:55 --------- d-----w C:\Documents and Settings\Gordon Hofheins\Application Data\U3
2007-12-07 01:03 --------- d-----w C:\Program Files\free-downloads
2007-12-04 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-02 08:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-02 08:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-02 08:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 08:07 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-02 08:07 --------- d-----w C:\Program Files\Symantec
2007-12-02 08:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-30 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 20:32 --------- d-----w C:\Program Files\Starcraft
2007-11-02 15:50 --------- d-----w C:\Documents and Settings\Gordon Hofheins\Application Data\Hamachi
2007-11-02 06:19 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-01 23:57 --------- d-----w C:\Documents and Settings\Gordon Hofheins\Application Data\Symantec
2007-11-01 17:23 --------- d-----w C:\Program Files\Google
2007-10-28 21:16 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-10-28 20:51 --------- d-----w C:\Program Files\Alcohol Soft
2007-10-28 20:42 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-21 19:31 --------- d-----w C:\Program Files\iTunes
2007-10-21 19:30 --------- d-----w C:\Program Files\iPod
2003-12-08 21:04 827,392 ----a-w C:\Program Files\NPSWF32.dll
2003-07-15 17:35 1,262 ----a-w C:\Program Files\INSTALL.LOG
1998-02-11 01:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 03:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-04 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 18:54]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 12:33]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2001-10-04 11:40 212992 --a------ C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2001-10-17 12:50 655360 --a------ C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
E:\autorun.exe restart TIMER_SEQUENCE first

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
1998-12-10 12:33 23040 --a------ C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2001-08-16 13:18 376832 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2001-08-16 13:19 94208 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe /Type 01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
2001-07-25 22:45 45056 --a------ C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
c:\toshiba\sysstability\tsyssmon.exe /detect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"ImapiService"=3 (0x3)

R0 pciSm;pciSm;C:\WINDOWS\system32\DRIVERS\tossmpci.sys
R0 tosrfec;Bluetooth ACPI from Toshiba;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
R0 TVALDX;Toshiba ACPI-Based Value Added Logical Device Extension Driver;C:\WINDOWS\system32\DRIVERS\TVALDX.SYS
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxg.sys
S1 ctl_w32;ctl_w32;C:\WINDOWS\system32\drivers\ctl_w32.sys
S3 MSW;Microsoft Broadband Networking Driver;C:\WINDOWS\system32\DRIVERS\MN520-51.sys
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys
S3 pmxscan;USB ScanModule V5.1 Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468110a5-6d11-11dc-90ba-0000396f12c9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595ce3b1-524e-11dc-907f-0000396f12c9}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45107b0-9648-11dc-9112-0000396f12c9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 05:42:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 21:02:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 21:05:34 - machine was rebooted
.
2007-12-07 17:48:02 --- E O F ---














hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:17 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/ig"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6913 bytes

#11 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 17 December 2007 - 03:07 PM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    File::
    C:\WINDOWS\system32\ayygqhht.tmp
    C:\9A1.tmp
    C:\9A2.tmp
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall


#12 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 17 December 2007 - 03:41 PM

Additional actions: I found out how to download the updates for Spybot search and destroy and Ad-Aware Se and upload them manually. Ad-aware found nothing new (except for some tracking cookies) and Spybot Search and Destroy found something called Telekom and deleted it.

Combofix's log.txt:

ComboFix 07-12-16.4 - Gordon Hofheins 2007-12-17 13:18:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.223 [GMT -7:00]
Running from: C:\Documents and Settings\Gordon Hofheins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gordon Hofheins\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\9A1.tmp
C:\9A2.tmp
C:\WINDOWS\system32\ayygqhht.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\9A1.tmp
C:\9A2.tmp
C:\WINDOWS\system32\ayygqhht.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ctl_w32


((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-15 21:40 . 2007-12-15 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-15 15:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-15 15:36 . 2007-12-15 15:36 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-15 12:02 . 2007-12-15 12:02 <DIR> d-------- C:\Deckard
2007-12-15 11:53 . 2007-12-15 11:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 16:14 . 2007-12-14 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-14 16:13 . 2007-12-14 16:13 <DIR> d-------- C:\Program Files\Security Task Manager
2007-12-14 12:17 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-14 12:17 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-14 12:17 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-14 12:17 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-14 12:16 . 2007-12-14 12:16 <DIR> d-------- C:\Program Files\Sygate
2007-12-10 21:35 . 2007-12-17 13:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-10 21:35 . 2007-12-10 21:35 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 21:22 . 2007-12-10 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-10 20:07 . 2007-12-10 20:07 <DIR> d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Printer Info Cache
2007-12-09 14:53 . 2007-12-09 15:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-09 14:53 . 2007-12-09 14:53 <DIR> d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\PC Tools
2007-12-09 14:53 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-09 14:53 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-09 14:53 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-09 14:53 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-09 14:52 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-09 14:50 . 2007-12-10 21:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-05 08:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-05 08:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-05 08:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-05 08:22 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-05 08:22 . 2007-12-05 23:44 3,042 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-05 08:21 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-04 14:58 . 2007-12-04 18:04 161 --a------ C:\WINDOWS\wininit.ini
2007-12-03 21:01 . 2007-12-15 21:41 <DIR> d-------- C:\Documents and Settings\Gordon Hofheins\Application Data\Lavasoft
2007-12-01 20:51 . 2007-12-01 20:51 291,328 --a------ C:\WINDOWS\system32\libcurl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 00:35 --------- d-----w C:\Program Files\Norton 360
2007-12-15 22:38 --------- d-----w C:\Program Files\Java
2007-12-12 08:55 --------- d-----w C:\Documents and Settings\Gordon Hofheins\Application Data\U3
2007-12-07 01:03 --------- d-----w C:\Program Files\free-downloads
2007-12-04 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-02 08:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-02 08:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-02 08:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 08:07 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-02 08:07 --------- d-----w C:\Program Files\Symantec
2007-12-02 08:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-30 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 20:32 --------- d-----w C:\Program Files\Starcraft
2007-11-02 15:50 --------- d-----w C:\Documents and Settings\Gordon Hofheins\Application Data\Hamachi
2007-11-02 06:19 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-01 23:57 --------- d-----w C:\Documents and Settings\Gordon Hofheins\Application Data\Symantec
2007-11-01 17:23 --------- d-----w C:\Program Files\Google
2007-10-28 21:16 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-10-28 20:51 --------- d-----w C:\Program Files\Alcohol Soft
2007-10-28 20:42 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-21 19:31 --------- d-----w C:\Program Files\iTunes
2007-10-21 19:30 --------- d-----w C:\Program Files\iPod
2003-12-08 21:04 827,392 ----a-w C:\Program Files\NPSWF32.dll
2003-07-15 17:35 1,262 ----a-w C:\Program Files\INSTALL.LOG
1998-02-11 01:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 03:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-04 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 18:54]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-10 12:33]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2001-10-04 11:40 212992 --a------ C:\WINDOWS\System32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2001-10-17 12:50 655360 --a------ C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3]
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetZero_uoltray]
C:\Program Files\NetZero\exec.exe regrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCD Autorun]
E:\autorun.exe restart TIMER_SEQUENCE first

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
1998-12-10 12:33 23040 --a------ C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2001-08-16 13:18 376832 --a------ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2001-08-16 13:19 94208 --a------ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe /Type 01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
2001-07-25 22:45 45056 --a------ C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
TPWRTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSysSMon]
c:\toshiba\sysstability\tsyssmon.exe /detect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"ImapiService"=3 (0x3)

R0 pciSm;pciSm;C:\WINDOWS\system32\DRIVERS\tossmpci.sys
R0 tosrfec;Bluetooth ACPI from Toshiba;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
R0 TVALDX;Toshiba ACPI-Based Value Added Logical Device Extension Driver;C:\WINDOWS\system32\DRIVERS\TVALDX.SYS
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxg.sys
S3 MSW;Microsoft Broadband Networking Driver;C:\WINDOWS\system32\DRIVERS\MN520-51.sys
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys
S3 pmxscan;USB ScanModule V5.1 Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468110a5-6d11-11dc-90ba-0000396f12c9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{595ce3b1-524e-11dc-907f-0000396f12c9}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a45107b0-9648-11dc-9112-0000396f12c9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 05:42:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 13:27:01
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 13:31:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-16 21:05
.
2007-12-07 17:48:02 --- E O F ---








hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:00 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/ig"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GORDON HOFHEINS\Application Data\Mozilla\Profiles\default\c5x6p2lm.slt\prefs.js)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6913 bytes

#13 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 18 December 2007 - 05:45 PM

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems


#14 Quinnton

Quinnton
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 19 December 2007 - 02:15 AM

Actions: Upon seeing that this computer could connect to the internet without immediately going to the Blue Screen of Death I proceeded to finish the preparation guide for the Hijackthis logs. Number 5 was the only one I was not able to complete so I started with HouseCall Anti Virus. However Internet explorer seemed to not allow it to run. When I tried to open Firefox it said that it could not start be cause Js3250.dll could not be found. Upon reinstallation it was able to open.

House call Anti virus found two pretty nasty sounding things. I believe one was a rootkit and the other was labeled malware. There was another vulnerability that was posted and it had a strange name (three letters and around five numbers after that) but it said that an error had occurred when trying to upload the information.

Pandasoftware- ran and disinfected one virus. I deleted most every thing else except for things that were marked “potentially unwanted programs”

BitDefender- said that it would not be able to scan because it detected Service Pack 2 or something but after following the prompts it started scanning. (it deleted several files in the backups for various Antivirus programs)

::Restart::

Eset Online Scanner

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2732 (20071219)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f56b97f2f6f06447ba68009ec15eaf2f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-12-19 07:01:29
# local_time=2007-12-19 12:01:29 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=242241
# found=3
# scan_time=5120
C:\qoobox\Quarantine\catchme2007-12-16_210158.00.zip a variant of Win32/Rootkit.Agent.HU trojan 58FF475BA37E3505C7944A1FC94580AF
C:\qoobox\Quarantine\catchme2007-12-16_210158.00.zip »ZIP »symavc32.sys a variant of Win32/Rootkit.Agent.HU trojan 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Qij33.sys.vir a variant of Win32/Rootkit.Agent.HU trojan 617A90F5E7A8D0A0BB85EC17FE4FE536



Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:16 AM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r4.attbi.com:8000
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\GORDON HOFHEINS\\APPLICATION DATA\\Mozilla\\Profiles\\default\\c5x6p2lm.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Gordon Hofheins\\Desktop\\Church");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://www.google.com/ig");
user_pref("browser.startup.homepage_override.mstone",
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\GORDON HOFHEINS\\APPLICATION DATA\\Mozilla\\Profiles\\default\\c5x6p2lm.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Gordon Hofheins\\Desktop\\Church");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://www.google.com/ig");
user_pref("browser.startup.homepage_override.mstone",
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - S-1-5-18 Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B89C714D-A6A6-4C8E-A61C-D25DA17A64EA}: NameServer = 198.60.22.2,198.60.22.22
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9154 bytes

Other issues: Spygate (my firewall) noted one critical problem here is the log:
Application Hijacking has been detected
The application: C:\Program Files\Spyware Doctor\swdsvc.exe try to launch another application: C:\Program Files\Spyware Doctor\Update.exe to go to remote host www.symantec.com

Also the icon for My Computer appears as a Shortcut.

#15 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 AM

Posted 19 December 2007 - 11:30 AM

The Sygate firewall warning is about sypware doctor, so it should be safe to allow

For the my computer icon shortcut, try the instructions here:

http://xona.com/2004/07/16-2.html

All the ESET scan found was in the C:\qoobox\ folder, which is the quarantine folder for combofix
You should delete the C:\qoobox\ folder and delete combofix.exe from your desktop

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
    Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users