
Malware And/or Adware Infection


  • This topic is locked
11 replies to this topic

#1 StanW


Posted 14 December 2007 - 09:39 PM

I am trying to fix a friend's computer (Win XP Home version 2002 sp2, auto updates on, win firewall was off) but have been unsuccessful.
1. When the computer is shut down an "application failed to close - reg.exe" message appears
2. The screen shows "Please wait ....." for 30 seconds
3. Sometimes on startup screen shows "windows cannot find c:\windows\system32\proper.exe"
4. Slow startup up to 4 minutes (although friend says it has always been slow)
5. For a while there was no control panel or administrator rights or task manager. Ran sdfix.exe and that restored the control manager. The task manager is enabled but selecting it does not bring it up. Still don't have administrator rights.
6. After IE7 starts we get error message "the instruction at "0x77c47740" referenced memory at "0x000000000"..." and then the message "IE has encountered a problem and needs to close...". We just move the messages to the side of the screen and IE seems to run OK.
7. Norton Internet Security with live update has always been installed. A full scan found nothing. Ran ad-aware which found and fixed many problems. Partially ran Trend Micro Housecall (was taking too long).

This is my first post so excuse any omissions. Thanks,
Stan


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:51 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O4 - S-1-5-18 Startup: BounceBack Launcher.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: BounceBack Launcher.lnk = ? (User 'Default user')
O4 - Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.norun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.dailygraphs.com
O15 - Trusted Zone: http://www.investors.com
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-7.ilinc.com/download/ilinci80.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10552 bytes


#2 RichieUK

Malware Assassin, Malware Response Team

Posted 15 December 2007 - 09:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum StanW
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 StanW


Posted 17 December 2007 - 07:21 PM

Richie, thanks for your help. I updated Java, ran ComboFix, and created a new HijackThis log (pasted below). Internet Explorer seems to be running fine now. When I reboot I get a "reg.exe application error - The application failed to initialize properly..." and that goes away quickly. The computer still takes three or four minutes to finally stop working on something in the background (which may be a Norton issue and not a spyware/adware problem), but the Windows screen comes up reasonably fast. I also seem to have administrator rights since I can run regedit, add a key, and delete a key.

Stan



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:16 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: BounceBack Launcher.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: BounceBack Launcher.lnk = ? (User 'Default user')
O4 - Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.dailygraphs.com
O15 - Trusted Zone: http://www.investors.com
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-7.ilinc.com/download/ilinci80.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10604 bytes

#4 RichieUK

Malware Assassin, Malware Response Team

Posted 17 December 2007 - 07:45 PM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\WINDOWS\system32\shovth.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\system32\winsn.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.
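An added example, not code from the thread or from any of the tools named in it: the two HijackThis logs Stan posted differ in only a few entries, and Richie's OTMoveIt list targets the Run entries pointing into system32. The Python below parses O4/O7/O20 lines, diffs two log excerpts constructed from the entries quoted above, and flags Run entries whose target is an unallowlisted executable sitting directly in the Windows directory or system32; the allowlist is an assumption made for this illustration.

```python
import ntpath
import re

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the first from before ComboFix ran, the second from after. Only the
# entry types the helpers look at (O4, O7, O20) are included.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allowlist of executables that legitimately autostart from the
# Windows directories on this XP machine (names taken from the logs above).
KNOWN_GOOD = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}

# "O4 - <body>" / "R1 - <body>": section code, then the entry itself.
ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Registry Run entries: HKLM\..\Run: [ValueName] command line
RUN_ENTRY = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_log(text):
    """Group HijackThis entries by section code, e.g. {'O4': [...], 'O20': [...]}."""
    sections = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections.setdefault(m.group("code"), []).append(m.group("body"))
    return sections


def diff_logs(before, after):
    """Return (removed, added) sets of (code, body) pairs between two logs."""
    def flatten(sections):
        return {(code, body) for code, bodies in sections.items() for body in bodies}
    old, new = flatten(parse_log(before)), flatten(parse_log(after))
    return old - new, new - old


def executable_path(cmd):
    """Pull the program path out of a Run value, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def flag_run_entries(o4_bodies, known_good):
    """Flag Run entries whose target sits directly in the Windows dir or system32 and is not allowlisted."""
    suspicious_dirs = {r"c:\windows", r"c:\windows\system32"}
    flagged = []
    for body in o4_bodies:
        m = RUN_ENTRY.match(body)
        if not m:
            continue  # Startup-folder entries are not examined by this heuristic
        path = executable_path(m.group("cmd"))
        directory, name = ntpath.split(path.lower())
        if directory in suspicious_dirs and name not in known_good:
            flagged.append((m.group("name"), path))
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, body in sorted(removed):
        print("gone since ComboFix:", code, body)
    for code, body in sorted(added):
        print("new since ComboFix: ", code, body)
    for name, path in flag_run_entries(parse_log(LOG_AFTER)["O4"], KNOWN_GOOD):
        print("still present, review:", name, "->", path)
```

The diff shows the DisableRegedit policy and the AppInit_DLLs hook gone after ComboFix, while the two system32 Run entries survive and are exactly the ones the OTMoveIt step removes.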

#5 StanW


Posted 18 December 2007 - 06:00 PM

Richie,

Here are the log results. Thanks.



*****************************************************************************************
*****************************************************************************************

MoveIt Results:


c:\windows\system32\shovth.exe moved successfully.
c:\windows\system32\winsos.exe moved successfully.
c:\windows\system32\winsn.exe moved successfully.

Created on 12182007_144025



*****************************************************************************************
*****************************************************************************************


Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-18 14:41:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2007-12-18 22:41:49 UTC - RP1133 - Deckard's System Scanner Restore Point
5: 2007-12-17 23:07:05 UTC - RP1132 - ComboFix created restore point
4: 2007-12-17 23:03:27 UTC - RP1131 - Installed Java™ 6 Update 3
3: 2007-12-17 22:44:03 UTC - RP1130 - Removed Java 2 Runtime Environment, SE v1.4.2
2: 2007-12-17 16:00:37 UTC - RP1129 - System Checkpoint


-- First Restore Point --
1: 2007-12-16 09:21:25 UTC - RP1128 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-18 14:47:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\shovth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\shovth.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.dailygraphs.com (HKCU)
O15 - Trusted Zone: http://www.investors.com (HKCU)
O15 - ProtocolDefaults: Unknown 'LSC-Help' protocol is in My Computer Zone (HKCU)
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-7.ilinc.com/download/ilinci80.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwa...are/awswaxf.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


--
End of file - 12493 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 portD (CMS PortIO Service) - c:\windows\system32\drivers\portd2k.sys <Not Verified; CMS Peripherals, Inc.; BounceBack>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PDSched (PDScheduler) - "c:\program files\raxco\perfectdisk\pdsched.exe" <Not Verified; Raxco Software, Inc.; PDSched Module>
R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 Speed Disk service - c:\progra~1\norton~2\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>

S2 Retrospect Helper - "c:\program files\dantz\retrospect\rthlpsvc.exe" <Not Verified; Dantz Development Corporation; Retrospect>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-18 00:00:00 308 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job
2007-12-17 12:13:28 292 -----n--- C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
2007-12-15 05:28:42 564 -----n--- C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job
2006-01-19 13:33:20 300 -----n--- C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-11-18 and 2007-12-18 -----------------------------

2007-12-18 14:44:05 28929 --a------ C:\WINDOWS\system32\winsos.exe
2007-12-18 14:44:05 89088 ---hs---- C:\WINDOWS\system32\winsn.exe
2007-12-18 14:44:05 89088 ---hs---- C:\WINDOWS\system32\shovth.exe
2007-12-17 18:55:27 89088 ---h----- C:\WINDOWS\system32\system32.exe
2007-12-17 18:45:47 89088 ---h----- C:\WINDOWS\WINDOWS.exe
2007-12-17 15:29:02 0 d-------- C:\HijackThis
2007-12-17 15:15:22 89088 ---h----- C:\.exe
2007-12-14 16:03:37 0 d-------- C:\WINDOWS\ERUNT
2007-12-14 15:23:09 0 d-------- C:\Program Files\Trend Micro
2007-12-14 15:21:29 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-12-14 14:48:30 0 d-------- C:\Program Files\Lavasoft
2007-12-14 14:48:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-14 14:27:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 12:02:03 89088 ---h----- C:\WINDOWS\system32\drivers\drivers.exe
2007-12-14 08:58:20 89088 ---h----- C:\Documents and Settings\Owner\Owner.exe
2007-12-14 08:58:18 89088 ---h----- C:\Documents and Settings\Administrator\Administrator.exe
2007-12-14 08:54:28 89088 ---hs---- C:\F0473636.exe
2007-12-14 08:54:23 89088 -----n--- C:\WINDOWS\wsystmp_fls.exe
2007-12-13 17:37:47 0 d-------- C:\WINDOWS\pss
2007-12-13 15:17:10 3424 -----n--- C:\WINDOWS\system32\tmp.reg
2007-12-13 15:16:51 25600 -----n--- C:\WINDOWS\system32\WS2Fix.exe
2007-12-13 15:16:51 289144 -----n--- C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-13 15:16:50 288417 -----n--- C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-13 15:16:50 53248 -----n--- C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-13 15:16:50 51200 -----n--- C:\WINDOWS\system32\dumphive.exe
2007-12-13 14:48:09 0 d-------- C:\VundoFix Backups
2007-12-13 14:46:05 0 d-------- C:\stan virus fix
2007-12-12 14:30:16 0 d-------- C:\virus check
2007-12-07 09:28:25 21861 -----n--- C:\Documents and Settings\Owner\Application Data\info.dat
2007-12-07 08:53:11 27159 -----n--- C:\WINDOWS\wsystmp_amo.exe
2007-11-21 10:52:56 0 d-------- C:\Program Files\Norton Security Scan


-- Find3M Report ---------------------------------------------------------------

2007-12-18 14:43:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-18 13:51:27 0 d-------- C:\Program Files\Common Files\Lacerte Shared
2007-12-17 15:04:29 0 d-------- C:\Program Files\Java
2007-12-17 12:13:28 0 d-------- C:\Program Files\Norton SystemWorks
2007-12-14 16:36:06 0 d-------- C:\Program Files\Common Files
2007-12-14 16:36:06 0 d-------- C:\Program Files\Ahead
2007-12-14 16:35:20 0 d-------- C:\Program Files\Musicmatch
2007-12-14 11:45:27 0 d-------- C:\Program Files\Symantec
2007-12-14 11:40:53 0 d-------- C:\Program Files\Quicken
2007-12-14 11:11:35 0 d-------- C:\Program Files\Google
2007-11-28 15:07:20 0 d-------- C:\Program Files\06WebSetup
2007-11-21 10:54:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-11-21 10:26:47 0 d-------- C:\Program Files\Norton Internet Security
2007-11-19 12:40:06 0 d-------- C:\Program Files\iLinc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/19/2005 07:59 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/19/2005 07:59 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 06:47 PM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 03:59 AM C:\WINDOWS\BCMSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/13/2004 04:04 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/31/2004 11:47 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/12/2004 05:46 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 05:22 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"sis32"="C:\WINDOWS\system32\winsos.exe" [12/18/2007 02:44 PM]
"winroot"="C:\WINDOWS\system32\winsn.exe" [12/14/2007 08:54 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/10/2007 06:24 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe [10/8/2004 8:06:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 12:49:24 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [1/22/2007 11:21:00 AM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [7/29/2003 8:49:48 PM]
Service Manager.norun [11/17/2004 1:16:08 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
C:\WINDOWS\system32\winter.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-12-18 14:48:18 ------------


*****************************************************************************************
*****************************************************************************************


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.66GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1022 MiB / 384.8 MiB
Pagefile Memory (total/avail): 2460.83 MiB / 1846.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.94 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.47 GiB total, 56.33 GiB free.
E: is Fixed (FAT32) - 6.02 GiB total, 0.83 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - FUJITSU MPC3064AT - 6.04 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 6.03 GiB - E:

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
ASLOGDIR=C:\Program Files\Intuit\QuickBooks Basic\
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LEE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\LEE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=LEE
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Installshield Installation Information\{08082021-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082021-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
--> C:\Program Files\Yahoo!\Yahoo! Music Jukebox\oggcodecs\uninst.exe
--> MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2002 Lacerte Tax --> C:\Lacerte\02tax\W02UNINS.EXE
2003 Lacerte Tax --> C:\Lacerte\03tax\W03UNINS.EXE
2004 Lacerte Tax --> C:\Lacerte\04TAX\W04UNINS.EXE
2005 Final Release - Dual Install --> MsiExec.exe /X{08912C85-CF9A-4224-A427-02291B40CE67}
2005 Lacerte Tax --> C:\Lacerte\05TAX\W05UNINS.EXE
2005 Lacerte Tax Planner --> C:\Lacerte\05taxpln\W05UNINS.EXE
2006 IRS Tax Products CD Final Release --> MsiExec.exe /X{D40157B3-875E-4BA2-9D9D-3C3FDE94ACD3}
2006 Lacerte Tax --> C:\Lacerte\06TAX\W06UNINS.EXE
2007 Lacerte Tax --> C:\Lacerte\07tax\W07UNINS.EXE
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BounceBack Professional --> C:\WINDOWS\BBUninstall.exe
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Extended Capabilities 5.3 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
hp LaserJet 2300 Uninstaller --> C:\Program Files\Hewlett-Packard\LJ2300\Uninstall\unhp.exe ciuninst.ini
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (LACERTEDB) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_0_0_86\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton Security Scan --> MsiExec.exe /I{DA15D535-5E1D-4076-B520-8571346D6238}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks 2006 Basic Edition --> MsiExec.exe /I{707D28BF-E145-4a9b-B97E-94FA586D05F3}
Norton SystemWorks 2006 Basic Edition (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}.exe" /X
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
NSW_DRM_COLLECTION --> MsiExec.exe /I{900B1884-2D6F-4a70-A3C7-C3F4DA873FDB}
PerfectDisk --> MsiExec.exe /I{0FFCBC14-E43C-4DD8-9F48-7F6997149A3E}
QuickBooks Pro 2006 --> msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2006" ADDREMOVE=1
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Retrospect 6.5 --> MsiExec.exe /I{7448CD45-22B0-44CC-9C65-560FA680DFB2}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Tax Forms Helper 2004 6.5 --> "C:\Program Files\Adams Business Forms\Tax Forms Helper 2004\unins000.exe"
Tax Forms Helper 2005 7.0 --> "C:\Program Files\Adams Business Forms\Tax Forms Helper 2005\unins000.exe"
Tax Forms Helper 2006 7.5 --> "C:\Program Files\Adams Business Forms\Tax Forms Helper 2006\unins000.exe"
TaxTools 2004 --> C:\WINDOWS\IsUninst.exe -fC:\CFSLib\Tt2004\Uninst.isu
TaxTools 2005 --> C:\WINDOWS\IsUninst.exe -fC:\CFSLib\Tt2005\Uninst.isu
TaxTools 2006 --> C:\WINDOWS\IsUninst.exe -fC:\CFSLib\Tt2006\Uninst.isu
TaxTools 2007 --> C:\WINDOWS\IsUninst.exe -fC:\CFSLib\Tt2007\Uninst.isu
Undisker --> C:\WINDOWS\UnGins.exe "C:\Program Files\Undisker\install.log"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Music Jukebox --> MsiExec.exe /X{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type22603 / Warning
Event Submitted/Written: 12/18/2007 00:21:16 PM
Event ID/Source: 317 / WMServer
Event Description:
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XMLInvalid at the top level of the document.
123]>C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML.(2007.12.18 12.21.16)

Event Record #/Type22599 / Error
Event Submitted/Written: 12/18/2007 11:20:44 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tt2007.exe, version 0.0.0.0, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [tt2007.exe!ws!]

Event Record #/Type22597 / Warning
Event Submitted/Written: 12/18/2007 11:17:08 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{688A3383-3CE7-4094-9188-9C39D1E4FCB6}', feature 'Components_WINSYSDIR' failed during request for component '{D6F2E6DB-027E-42F9-B58D-53489D805BAC}'

Event Record #/Type22596 / Warning
Event Submitted/Written: 12/18/2007 11:17:08 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{688A3383-3CE7-4094-9188-9C39D1E4FCB6}', feature 'Components_WINSYSDIR', component '{C4998D5A-4C7B-4732-B411-04A73578AFE5}' failed. The resource 'C:\WINDOWS\system32\BSZIP.DLL' does not exist.

Event Record #/Type22595 / Warning
Event Submitted/Written: 12/18/2007 08:59:55 AM
Event ID/Source: 19011 / MSSQL$LACERTEDB
Event Description:
(SpnRegister) : Error 1355



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3471432 / Warning
Event Submitted/Written: 12/18/2007 05:35:49 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3470126 / Warning
Event Submitted/Written: 12/17/2007 06:59:23 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type3470125 / Warning
Event Submitted/Written: 12/17/2007 06:59:23 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type3470124 / Warning
Event Submitted/Written: 12/17/2007 06:59:23 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type3470123 / Warning
Event Submitted/Written: 12/17/2007 06:59:23 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.



-- End of Deckard's System Scanner: finished at 2007-12-18 14:48:18 ------------

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:51 AM

Posted 19 December 2007 - 06:48 AM

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\.exe
C:\WINDOWS\WINDOWS.exe
C:\WINDOWS\system32\drivers\drivers.exe
C:\Documents and Settings\Owner\Owner.exe
C:\Documents and Settings\Administrator\Administrator.exe
C:\F0473636.exe
C:\WINDOWS\wsystmp_fls.exe
C:\WINDOWS\wsystmp_amo.exe
C:\WINDOWS\system32\winsos.exe
C:\WINDOWS\system32\winsn.exe
C:\WINDOWS\system32\shovth.exe
C:\VundoFix Backups

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sis32"=-
"winroot"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]



Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have HijackThis fix the following if still present, by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O15 - ProtocolDefaults: Unknown 'LSC-Help' protocol is in My Computer Zone (HKCU)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1. General
2. System requirements
3. Start your scan, then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up; click on 'Install'.
Read the Licence Agreement, then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options', make sure 'Scan whole system' is selected.
Under 'Other Scan Options', make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded; this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your pc is running now.
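As an added example (not part of RichieUK's instructions and not code from any tool named above), here is a PowerShell 3.0+ audit of the HKLM/HKCU Run keys that the fix.reg and the O4 lines above target. It lists each autostart value, resolves the executable, and reports whether the file exists and what its Authenticode status is; the value names it flags (sis32, winroot) are taken from the O4 lines in this post, and the function names are my own.

```powershell
# Added example (not from this thread or from any tool named in it): audit the
# HKLM/HKCU Run keys that the fix.reg and the O4 lines above target.
# Value names in $SuspectNames are taken from the O4 lines in this post.
$SuspectNames = @('sis32', 'winroot')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExePathFromCommand {
    # Pull the executable out of a Run-value command line: a leading quoted path
    # wins, otherwise the first token ending in .exe; an unquoted path with spaces
    # falls through to the whole value (and will then show as "missing").
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-RunKeyAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
            if ($v.Name -like 'PS*') { continue }
            $exe    = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand ([string]$v.Value)))
            $exists = Test-Path -LiteralPath $exe
            # Caveat: on older Windows, catalog-signed system files report NotSigned
            # here, so treat a non-Valid status as a prompt to look closer, not a verdict.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

            $flags = @()
            if ($SuspectNames -contains $v.Name) { $flags += 'value name listed in this thread' }
            if (-not $exists)                    { $flags += 'target file missing' }
            elseif ($sig -ne 'Valid')            { $flags += "signature status: $sig" }

            [PSCustomObject]@{
                Key       = $key
                Name      = $v.Name
                Command   = $v.Value
                Exe       = $exe
                Exists    = $exists
                Signature = $sig
                Flags     = ($flags -join '; ')
            }
        }
    }
}

Get-RunKeyAudit | Format-Table -AutoSize
```

Rows with a non-empty Flags column are the ones to compare against your HijackThis O4 lines; the script changes nothing in the registry.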

#7 StanW

StanW
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:51 PM

Posted 21 December 2007 - 04:53 PM

Richie,
Here are the three logs. There were hundreds of problems found. It was hard to believe that there were so many. Every scan program seems to find something wrong. However, everything seems to be running fine. When Windows is shut down there is a quick ccSvcHst.exe error - something beginning with the application referenced memory..., but the message went away too quickly to read it all.

Thanks for your help.
Stan




*****************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/20/2007 at 04:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3364
Trace Rules Database Version: 1363

Scan type : Complete Scan
Total Scan Time : 01:12:00

Memory items scanned : 174
Memory threats detected : 0
Registry items scanned : 6330
Registry threats detected : 7
File items scanned : 50862
File threats detected : 414

Trojan.Unclassified/SHOVTH

Trojan.System32
C:\WINDOWS\SYSTEM32\SYSTEM32.EXE
C:\_OTMOVEIT\MOVEDFILES\12182007_144025\WINDOWS\SYSTEM32\SYSTEM32.EXE
C:\_OTMOVEIT\MOVEDFILES\12192007_143244\WINDOWS\SYSTEM32\SYSTEM32.EXE

Trojan.Unclassified/WN852
C:\WINDOWS\TRAYICONS.EXE


*****************************************************
*****************************************************
*****************************************************
*****************************************************


Scanning Report
Thursday, December 20, 2007 16:51:33 - 13:13:15
Computer name: LEE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ E:\


--------------------------------------------------------------------------------

Result: 224 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
Trojan-Downloader.Win32.Small.gye (virus)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\system32\winsos.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12182007_144025\windows\system32\winsos.exe (Renamed & Submitted)
C:\WINDOWS\trayicons.exe (Renamed & Submitted)
C:\WINDOWS\system32\winsos.exe (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00026684
C:\RECYCLER\NPROTECT\00026698
C:\RECYCLER\NPROTECT\00026712
C:\RECYCLER\NPROTECT\00026723
C:\RECYCLER\NPROTECT\00026730
C:\RECYCLER\NPROTECT\00095805
C:\RECYCLER\NPROTECT\00128291 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00134737 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00134769 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135048 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135057 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135121 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135131 (Renamed & Submitted)
Trojan-PSW.Win32.QQPass.aom (virus)
C:\_OTMoveIt\MovedFiles\MovedFiles.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\F0473636.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\WINDOWS.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\wsystmp_fls.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\system32\shovth.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\system32\system32.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\system32\winsn.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\WINDOWS\system32\drivers\drivers.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\Documents and Settings\Owner\Owner.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12192007_143244\Documents and Settings\Administrator\Administrator.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12182007_144025\windows\system32\shovth.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12182007_144025\windows\system32\system32.exe (Renamed & Submitted)
C:\_OTMoveIt\MovedFiles\12182007_144025\windows\system32\winsn.exe (Renamed & Submitted)
C:\WINDOWS\WINDOWS.exe (Renamed & Submitted)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.exe (Renamed & Submitted)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.exe (Renamed & Submitted)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.exe (Renamed & Submitted)
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.exe (Renamed & Submitted)
C:\WINDOWS\WinSxS\Manifests\Manifests.exe (Renamed & Submitted)
C:\WINDOWS\TEMP\TEMP.exe (Renamed & Submitted)
C:\WINDOWS\system32\shovth.exe (Renamed & Submitted)
C:\WINDOWS\system32\system32.exe (Renamed & Submitted)
C:\WINDOWS\system32\wbem\Repository\Repository.exe (Renamed & Submitted)
C:\WINDOWS\system32\wbem\Logs\Logs.exe (Renamed & Submitted)
C:\WINDOWS\system32\spool\drivers\w32x86\w32x86.exe (Renamed & Submitted)
C:\WINDOWS\system32\ras\ras.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\Flash\Flash.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW70\AW70.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW70\XTRAS\XTRAS.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW65\AW65.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW65\XTRAS\XTRAS.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW60\AW60.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW60\XTRAS\XTRAS.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW50\AW50.exe (Renamed & Submitted)
C:\WINDOWS\system32\Macromed\AUTHORWA\NP32ASW\AW50\XTRAS\XTRAS.exe (Renamed & Submitted)
C:\WINDOWS\system32\drivers\drivers.exe (Renamed & Submitted)
C:\WINDOWS\system32\drivers\etc\etc.exe (Renamed & Submitted)
\\?\C:\WINDOWS\system32\config\config.exe (Renamed & Submitted)
C:\WINDOWS\system32\CatRoot2\CatRoot2.exe (Renamed & Submitted)
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.exe (Renamed & Submitted)
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}.exe (Renamed & Submitted)
C:\WINDOWS\SoftwareDistribution\SoftwareDistribution.exe (Renamed & Submitted)
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default.exe (Renamed & Submitted)
C:\WINDOWS\SoftwareDistribution\EventCache\EventCache.exe (Renamed & Submitted)
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.exe (Renamed & Submitted)
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\Logs.exe (Renamed & Submitted)
C:\WINDOWS\security\logs\logs.exe (Renamed & Submitted)
C:\WINDOWS\PCHealth\HelpCtr\DataColl\DataColl.exe
C:\WINDOWS\PCHealth\HelpCtr\Config\Cache\Cache.exe (Renamed & Submitted)
C:\WINDOWS\Minidump\Minidump.exe (Renamed & Submitted)
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\v1.1.4322.exe (Renamed & Submitted)
\\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\CONFIG.exe (Renamed & Submitted)
C:\WINDOWS\Help\Help.exe (Renamed & Submitted)
C:\WINDOWS\ERUNT\SDFIX_First_Run\SDFIX_First_Run.exe (Renamed & Submitted)
C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\00000002.exe (Renamed & Submitted)
C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\00000001.exe (Renamed & Submitted)
C:\WINDOWS\ERUNT\SDFIX\SDFIX.exe (Renamed & Submitted)
C:\WINDOWS\ERUNT\SDFIX\Users\00000002\00000002.exe (Renamed & Submitted)
C:\WINDOWS\ERUNT\SDFIX\Users\00000001\00000001.exe (Renamed & Submitted)
C:\WINDOWS\erdnt\dss\dss.exe (Renamed & Submitted)
C:\WINDOWS\Debug\Debug.exe (Renamed & Submitted)
C:\virus check\trend\trend.exe (Renamed & Submitted)
C:\virus check\trend\report\report.exe (Renamed & Submitted)
C:\virus check\trend\debug\debug.exe (Renamed & Submitted)
C:\stan virus fix\stan virus fix.exe (Renamed & Submitted)
C:\stan virus fix\vundo fix\vundo fix.exe (Renamed & Submitted)
C:\stan virus fix\SmitfraudFix\SmitfraudFix.exe (Renamed & Submitted)
C:\stan virus fix\reg fixes\reg fixes.exe (Renamed & Submitted)
C:\stan virus fix\bleeping computer\bleeping computer.exe (Renamed & Submitted)
C:\SDFix\SDFix.exe (Renamed & Submitted)
C:\SDFix\backups\backups.exe (Renamed & Submitted)
C:\SDFix\backups\backups.zip\backups\system32.exe
C:\SDFix\backups\backups.zip\backups\Temp.exe
C:\SDFix\backups\backups.zip\backups\WINDOWS.exe
C:\RECYCLER\NPROTECT\00026685
C:\RECYCLER\NPROTECT\00026699
C:\RECYCLER\NPROTECT\00026713
C:\RECYCLER\NPROTECT\00026731
C:\RECYCLER\NPROTECT\00095806
C:\RECYCLER\NPROTECT\00128292 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00134738 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00134770 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135049 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135050.exe (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135058 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135078.rbf (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135122 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00135132 (Renamed & Submitted)
C:\qoobox\Quarantine\C\.exe.vir (Renamed & Submitted)
C:\qoobox\Quarantine\C\WINDOWS\WINDOWS.exe.vir (Renamed & Submitted)
C:\qoobox\Quarantine\C\WINDOWS\system32\system32.exe.vir (Renamed & Submitted)
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\Support\Support.exe (Renamed & Submitted)
C:\Program Files\Yahoo!\Messenger\Messenger.exe (Renamed & Submitted)
C:\Program Files\Yahoo!\Messenger\logs\logs.exe (Renamed & Submitted)
C:\Program Files\Symantec\Symantec.exe (Renamed & Submitted)
C:\Program Files\Quicken\Quicken.exe (Renamed & Submitted)
C:\Program Files\Quicken\Premier\Premier.exe (Renamed & Submitted)
C:\Program Files\Quicken\Premier\custom\custom.exe (Renamed & Submitted)
C:\Program Files\Quicken\Premier\custom\inet\common\pnf\quicken\quicken.exe (Renamed & Submitted)
C:\Program Files\Quicken\Premier\custom\icons\icons.exe (Renamed & Submitted)
C:\Program Files\Quicken\inet\common\pnf\quicken\quicken.exe (Renamed & Submitted)
C:\Program Files\Quicken\inet\common\PATCH\Notify\Notify.exe (Renamed & Submitted)
C:\Program Files\Quicken\HAB\HAB.exe (Renamed & Submitted)
C:\Program Files\Quicken\HAB\custom\custom.exe (Renamed & Submitted)
C:\Program Files\Quicken\HAB\custom\icons\icons.exe (Renamed & Submitted)
C:\Program Files\Quicken\Deluxe\Deluxe.exe (Renamed & Submitted)
C:\Program Files\Quicken\Deluxe\custom\custom.exe (Renamed & Submitted)
C:\Program Files\Quicken\Deluxe\custom\inet\common\pnf\quicken\quicken.exe (Renamed & Submitted)
C:\Program Files\Quicken\Basic\Basic.exe (Renamed & Submitted)
C:\Program Files\Quicken\Basic\custom\custom.exe (Renamed & Submitted)
C:\Program Files\Quicken\Basic\custom\inet\common\pnf\quicken\quicken.exe (Renamed & Submitted)
C:\Program Files\Quicken\Basic\custom\icons\icons.exe (Renamed & Submitted)
C:\Program Files\Norton SystemWorks\Norton SystemWorks.exe (Renamed & Submitted)
C:\Program Files\Norton SystemWorks\Norton Utilities\Norton Utilities.exe (Renamed & Submitted)
C:\Program Files\Norton SystemWorks\Norton Cleanup\Norton Cleanup.exe (Renamed & Submitted)
C:\Program Files\Musicmatch\Musicmatch Jukebox\Musicmatch Jukebox.exe (Renamed & Submitted)
C:\Program Files\Musicmatch\Musicmatch Jukebox\Library\Library.exe (Renamed & Submitted)
C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\LOG\LOG.exe (Renamed & Submitted)
C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Data\Data.exe (Renamed & Submitted)
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware 2007.exe (Renamed & Submitted)
C:\Program Files\Lavasoft\Ad-Aware 2007\Skin\Skin.exe (Renamed & Submitted)
C:\Program Files\Lavasoft\Ad-Aware 2007\Registration\Registration.exe (Renamed & Submitted)
C:\Program Files\Lavasoft\Ad-Aware 2007\Lang\Lang.exe (Renamed & Submitted)
C:\Program Files\Lavasoft\Ad-Aware 2007\Help\Help.exe (Renamed & Submitted)
C:\Program Files\Java\jre1.6.0_03\jre1.6.0_03.exe (Renamed & Submitted)
C:\Program Files\Java\jre1.6.0_03\bin\client\client.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\QuickBooks Basic.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\TI\TI.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Services\Services.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\QBUpdate\QBUpdate.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\QBUpdate\Log\Log.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\PConfig\PConfig.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\Payroll.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\staging16\staging16.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\staging16\setup\setup.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\staging16\CPS\cpsconfig\cpspte\cpspte.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\Cps\Cps.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\Cps\cpsconfig\cpspte\cpspte.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Pages\RSL\RSL.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Navigator.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Images.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Ven\Ven.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Emp\Emp.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Ctr\Ctr.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Cst\Cst.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Cmp\Cmp.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Navigator\Images\Bnk\Bnk.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Messages\Messages.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Manifest\Offcycle\Offcycle.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\pay_tax_n\pay_tax_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\pay_set_n\pay_set_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\pay_n_n\pay_n_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\pay_employee_n\pay_employee_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\pay_deluxe_n\pay_deluxe_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\pay_basic_n\pay_basic_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\Help\Updates\onboarding_n\onboarding_n.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\DownloadQB16\Payroll\Payroll.exe (Renamed & Submitted)
C:\Program Files\Intuit\QuickBooks Basic\Components\DownloadQB16\NewFeatures\NewFeatures.exe (Renamed & Submitted)
C:\Program Files\HP\Temp\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\{3E386744-10FA-44b2-98C9-DF7A270DECB3}.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Source\SharpZip\SharpZip.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\oov1.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\vt\vt.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\st\st.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\pt\pt.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\mi\mi.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\is\is.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\ie\ie.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\fw\fw.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\dv\dv.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\cp\cp.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\br\br.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\bc\img\img.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\bc\htc\htc.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\oov1\bc\css\css.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Skins\hp1\hp1.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\bin.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\HPIdeas\HPIdeas.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\HPIdeas\common\common.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\hp photosmart 3200 series\data\data.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\Help.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\xmlmenu\xmlmenu.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\player\player.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\player\fscommand\fscommand.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\Library\Library.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\helpImages\helpImages.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\flash\flash.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\cuetour\cuetour.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\cuetour\shared\shared.exe (Renamed & Submitted)
C:\Program Files\HP\Digital Imaging\Help\cuetour\fscommand\fscommand.exe (Renamed & Submitted)
E:\0D6A1CEB.exe (Renamed & Submitted)
E:\.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027594.EXE (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027602.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027577.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027579.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027581.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027584.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027586.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027589.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027591.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027615.exe (Renamed & Submitted)
E:\RECYCLED\NPROTECT\00027623.exe (Renamed & Submitted)
Trojan.Win32.Qhost.abh (virus)
C:\qoobox\Quarantine\catchme2007-12-17_151423.28.zip\wowfx.dll

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 559620
System: 4737
Not scanned: 31
Actions:
Disinfected: 1
Renamed: 205
Deleted: 0
None: 18
Submitted: 205
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\RECYCLER\NPROTECT\NPROTECT.LOG
arrow1.gif
C:\PROGRAM FILES\INTUIT\QUICKBOOKS BASIC\COMPONENTS\NAVIGATOR\IMAGES\CST\ARROW1.GIF
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\Program Files\Adams Business Forms\Tax Forms Helper 2006\DL\UpdateConfig.zml\UpdateConfig
C:\Program Files\Adams Business Forms\Tax Forms Helper 2005\DL\UpdateConfig.zml\AppInfo
C:\Program Files\Adams Business Forms\Tax Forms Helper 2004\DL\UpdateConfig.zml\UpdateConfig
C:\DOCUMENTS AND SETTINGS\OWNER\NTUSER.DAT
C:\Documents and Settings\Owner\My Documents\FINANCIAL\QUICKBOOKS DATA\LFS\Lori's QBPOS 4-27-07.qpw\qbpos.db
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 12-20-2007 - 16-19-19.SBU\{01967CA2-7010-45E3-938E-563F14CEA260}
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
E:\RECYCLED\NPROTECT\NPROTECT.LOG
E:\RECYCLED\NPROTECT\00027550.QPW\qbpos.db

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-20
F-Secure AVP: 7.0.171, 2007-12-20
F-Secure Orion: 1.2.37, 2007-12-20
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Pegasus: 1.19.0, 2007-11-18
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------


*****************************************************
*****************************************************
*****************************************************
*****************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:16 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.dailygraphs.com
O15 - Trusted Zone: http://www.investors.com
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-7.ilinc.com/download/ilinci80.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--



#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 December 2007 - 06:52 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Restart your pc.
Post a new HijackThis log, and let me know how your pc is running now.

#9 StanW

StanW
  • Topic Starter

  • Members
  • 6 posts

Posted 22 December 2007 - 12:50 PM

Here is the last HijackThis log. The PC seems to be running normally. There are no Windows startup or shutdown error messages. Unless you see any problems in the log, can I safely assume that the PC is clean?

Thanks Richie


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:39 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\CMS Peripherals\BounceBack Professional\BBLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.dailygraphs.com
O15 - Trusted Zone: http://www.investors.com
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-7.ilinc.com/download/ilinci80.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10403 bytes
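
As an added example (not code from this thread, from HijackThis, or from RichieUK), here is a small Python script that parses HijackThis-style log lines, splits O4 Run entries into hive, value name and command line, and diffs a "before" log against an "after" log so you can confirm that the entry asked to be fixed in post #8 no longer appears in the follow-up log in post #9. The two log fragments are constructed samples, not the full logs from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the form HijackThis prints entries; the [sis32]
# line is the O4 entry that post #8 asked HijackThis to fix.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Constructed sample standing in for the follow-up log posted after the fix.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")                      # "O4 - <rest>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")  # O4 Run entries

def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group entries by section code (O4, O23, ...); headers and noise are skipped."""
    sections: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections

def diff_hjt(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) entries between two logs, independent of line order."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed, added = [], []
    for code in sorted(set(b) | set(a)):
        old, new = set(b.get(code, [])), set(a.get(code, []))
        removed += [f"{code} - {e}" for e in sorted(old - new)]
        added += [f"{code} - {e}" for e in sorted(new - old)]
    return removed, added

def fix_applied(fix_line: str, after: str) -> bool:
    """True when the exact entry a helper asked HijackThis to fix is gone from the new log."""
    present = {f"{c} - {e}" for c, es in parse_hjt(after).items() for e in es}
    return fix_line.strip() not in present

def run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Split O4 Run entries into (hive, value name, command line)."""
    matches = (RUN_RE.match(e) for e in parse_hjt(text).get("O4", []))
    return [(m.group(1), m.group(2), m.group(3)) for m in matches if m]
```

Running `diff_hjt(BEFORE_LOG, AFTER_LOG)` reports the winsos.exe Run entry as removed and nothing added, which is the check a helper does by eye when comparing the two posted logs.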

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 December 2007 - 01:07 PM

Your log is clean :thumbsup:

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#11 StanW

StanW
  • Topic Starter

  • Members
  • 6 posts

Posted 22 December 2007 - 07:30 PM

Thanks Richie. You're the man. :thumbsup:

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 December 2007 - 05:13 AM

You're most welcome Stan :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



