
Trojan Horse Dropper.agent.git & Backdoor.agent.pta


  • This topic is locked
49 replies to this topic

#1 EamonHannaway

Posted 21 January 2008 - 06:11 PM

Hi

I'm brand new to any sort of forum - so don't really know the form.

What I know is that my daughter's laptop has the above Trojan Horse viruses that have knocked out the AVG control centre, any internet connection and the C drive (probably lots more as well). So I'm doing this on my PC. The HijackThis log file follows - very grateful for your help to recover things:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:28, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjh.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?5077a97214b74263bc3c509fe3041cf3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?5077a97214b74263bc3c509fe3041cf3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O17 - HKLM\Software\..\Telephony: DomainName = harrogate.gov.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 7425 bytes
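As an added example (not a tool from this thread, from BleepingComputer or from the HijackThis authors), a small triage script that parses the "Rn / Fn / On - ..." entry lines of a HijackThis v2 log like the one above and flags the entries an analyst looks at first: the win.ini load= hook, any BHO whose DLL is reported missing (as in the DSS log later in this thread), and the repeated unknown Winsock LSP lines. The flag rules are my own heuristics and the sample lines are constructed from entries quoted in this thread.

```python
"""HijackThis v2 log triage (added example; not a tool from this thread or from
Trend Micro).  Parses the entry lines and flags F-line load=/run=/Shell= hooks,
BHOs whose DLL is reported missing, and Winsock LSP files HijackThis cannot
identify.  Flag rules are the author's own heuristics, not HijackThis logic."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjh.exe
O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
"""


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "F3", "O2", "O10"
    body: str   # everything after "<code> - "


ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
HOOK_RE = re.compile(r"\b(load|run|shell)=(.*)$", re.IGNORECASE)


def parse_log(text: str) -> list:
    """Return the entry lines of a HijackThis log; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entry(e: Entry) -> Optional[str]:
    """Return why an entry needs a closer look, or None if nothing stands out."""
    if e.code.startswith("F"):
        # F0/F2: system.ini Shell=, F1/F3: win.ini load=/run= (XP still honours these).
        m = HOOK_RE.search(e.body)
        if not m:
            return None
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "shell":
            return None if value.lower() == "explorer.exe" else "Shell= hook does not point at Explorer.exe"
        return f"{key}= hook starts a program at logon" if value else None
    if e.code == "O2" and e.body.endswith("(file missing)"):
        return "BHO registered but its DLL is not on disk (deleted or hidden)"
    if e.code == "O10":
        return "Winsock LSP file HijackThis cannot identify; a damaged LSP chain breaks networking"
    return None


def triage(text: str) -> list:
    """Flagged entries in log order, with identical repeats collapsed into a count."""
    findings, by_key = [], {}
    for e in parse_log(text):
        reason = flag_entry(e)
        if reason is None:
            continue
        key = (e.code, e.body)
        if key in by_key:
            by_key[key]["count"] += 1
            continue
        finding = {"code": e.code, "body": e.body, "reason": reason, "count": 1}
        by_key[key] = finding
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        times = f" (x{f['count']})" if f["count"] > 1 else ""
        print(f"{f['code']:<4} {f['reason']}{times}\n     {f['body']}")
```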


#2 RichieUK (Malware Response Team)

Posted 27 January 2008 - 04:52 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response; as I'm sure you can appreciate, we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 EamonHannaway (Topic Starter)

Posted 27 January 2008 - 03:51 PM

Hi Richie

Thanks.

I've carried out the actions in the preparation guide - less step 5 (Housecall, Panda etc.) - this is because the problem is on a laptop where the internet connection has been taken out by the Trojan horse viruses (as well as the AVG control centre). I have, though, done a scan with AVG (as well as with Spybot & Ad-Aware).

I also get the following error messages on start-up:

1. Important - potential errors found in system. During a scan of files system start up potential errors in the system registry were found
p-07-100irql:1f SYSVER 0xff00024 NT_Kernel error 12656 KMODE_EXCEPTION_NOT_HANDLED

2. C/WINDOWS/System 32/jkkjh.exe
Windows cannot access the specific device, path or file. You may not have the appropriate permissions to access the item.

I have been unable to complete the RUN: cleanmgr on the laptop as it 'stalls' within seconds of launch and does nothing - there remain a large number of temp internet files (I have done a Delete Files in Internet Options).

(Have transferred e.g. Stinger etc. to the laptop using a memory stick)

Regards
Eamon

#4 RichieUK (Malware Response Team)

Posted 27 January 2008 - 04:01 PM

Hello Eamon, see if you're able to do the following; if you run into problems, post back.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix by sUBs and save it to your desktop.
Alternative ComboFix download link HERE.
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#5 EamonHannaway (Topic Starter)

Posted 27 January 2008 - 04:05 PM

Richie

I omitted the HijackThis log that I've just taken:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:57, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjh.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?5077a97214b74263bc3c509fe3041cf3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?5077a97214b74263bc3c509fe3041cf3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O17 - HKLM\Software\..\Telephony: DomainName = harrogate.gov.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8025 bytes

#6 RichieUK (Malware Response Team)

Posted 27 January 2008 - 04:11 PM

Thanks, post the ComboFix report when you're ready please.

#7 EamonHannaway (Topic Starter)

Posted 28 January 2008 - 03:44 AM

Hi Richie

My ComboFix log is too large to send (massive no. of temp files) - 936 KB as a Notepad file. Should I split it into 2/3 Notepad files and send it that way? Many thanks - Eamon

#8 RichieUK (Malware Response Team)

Posted 28 January 2008 - 08:29 AM

Quote: "Should I split into 2/3 notepads and send that way? Many thanks - Eamon"

Yes, do that then if you will.

#9 EamonHannaway (Topic Starter)

Posted 28 January 2008 - 11:00 AM

Richie

The first of the 3 ComboFix log parts is attached.

Thanks
Eamon


#10 EamonHannaway (Topic Starter)

Posted 28 January 2008 - 11:13 AM

Richie

The 2nd part of my ComboFix log won't upload. My PC shows its file size as 281 KB - yet part 1, which seems to have been sent, is 363 KB (part 3 is 293 KB). I've tried pasting it into this window; also far too large - please advise. Thanks

Eamon

#11 RichieUK (Malware Response Team)

Posted 28 January 2008 - 12:01 PM

Download RenV.exe to your desktop and double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a log.
Please post the contents of that log into your next reply.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#12 EamonHannaway (Topic Starter)

Posted 28 January 2008 - 01:16 PM

Hi Richie

DSS files below; thanks:

Deckard's System Scanner v20071014.68
Run by RCPUSER on 2008-01-28 18:10:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-01-28 18:10:09 UTC - RP147 - Deckard's System Scanner Restore Point
53: 2008-01-27 22:15:54 UTC - RP146 - Last known good configuration
52: 2008-01-27 22:15:38 UTC - RP145 - ComboFix created restore point
51: 2008-01-27 22:15:38 UTC - RP144 - System Checkpoint
50: 2008-01-27 22:15:38 UTC - RP143 - System Checkpoint


-- First Restore Point --
1: 2008-01-27 22:15:25 UTC - RP94 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as RCPUSER.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:37, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\RCPUSER\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\RCPUSER.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7C950EB9-D311-4CDE-8390-07777CECF4F7} - C:\Program Files\Outlook Express\povehapoC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?5077a97214b74263bc3c509fe3041cf3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?5077a97214b74263bc3c509fe3041cf3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O17 - HKLM\Software\..\Telephony: DomainName = harrogate.gov.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = harrogate.gov.uk
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8639 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 WNTHW - c:\windows\system32\drivers\wnthw.sys
R3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\program files\belkin\belkin 802.11g wireless card configuration utility\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; McAfee, Inc; VirusScan>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>

S3 3C154G (3Com OfficeConnect 802.11g PC Card Driver) - c:\windows\system32\drivers\3c154g72.sys <Not Verified; 3Com Corporation; 3Com OfficeConnect Wireless 11g PC Card (3CRWE154G72)>
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 w32n503c (3Com 11Mbps Wireless PC Card (3CRSHPW796) DIS5 Protocol Driver) - c:\windows\system32\w32n503c.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>

S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S4 TSCensus Collection Client (ZENworks Asset Management - Collection Client) - "c:\program files\novell\zenworks\asset management\bin\cclientsvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-28 09:08:30 258 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-01-28 09:00:00 350 --a------ C:\WINDOWS\Tasks\At58.job
2008-01-28 09:00:00 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-01-28 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-01-28 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-01-28 08:00:00 350 --a------ C:\WINDOWS\Tasks\At57.job
2008-01-28 08:00:00 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-01-28 07:21:19 442 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-01-28 02:00:00 350 --a------ C:\WINDOWS\Tasks\At51.job
2008-01-28 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-01-28 02:00:00 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-01-28 01:00:00 350 --a------ C:\WINDOWS\Tasks\At50.job
2008-01-28 01:00:00 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-01-28 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-01-28 00:00:00 350 --a------ C:\WINDOWS\Tasks\At49.job
2008-01-28 00:00:00 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-01-28 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-01-27 23:00:00 350 --a------ C:\WINDOWS\Tasks\At72.job
2008-01-27 23:00:00 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-01-27 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-01-27 21:00:00 350 --a------ C:\WINDOWS\Tasks\At70.job
2008-01-27 21:00:00 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-01-27 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-01-27 20:00:00 350 --a------ C:\WINDOWS\Tasks\At69.job
2008-01-27 20:00:00 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-01-27 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-01-27 19:00:00 350 --a------ C:\WINDOWS\Tasks\At68.job
2008-01-27 19:00:00 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-01-27 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-01-27 18:00:01 350 --a------ C:\WINDOWS\Tasks\At67.job
2008-01-27 18:00:01 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-01-27 18:00:01 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-01-27 17:00:00 350 --a------ C:\WINDOWS\Tasks\At66.job
2008-01-27 17:00:00 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-01-27 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-01-24 22:00:00 350 --a------ C:\WINDOWS\Tasks\At71.job
2008-01-24 22:00:00 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-01-24 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-01-24 20:48:10 376 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-01-20 11:00:00 350 --a------ C:\WINDOWS\Tasks\At60.job
2008-01-20 11:00:00 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-01-20 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-01-06 10:00:00 350 --a------ C:\WINDOWS\Tasks\At59.job
2008-01-06 10:00:00 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-01-06 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-01-04 16:00:00 350 --a------ C:\WINDOWS\Tasks\At65.job
2008-01-04 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-01-04 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-01-04 15:00:00 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-01-04 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-01-04 14:00:00 350 --a------ C:\WINDOWS\Tasks\At63.job
2008-01-04 14:00:00 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-01-04 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-01-04 13:00:00 350 --a------ C:\WINDOWS\Tasks\At62.job
2008-01-04 13:00:00 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-01-04 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-01-04 12:00:00 350 --a------ C:\WINDOWS\Tasks\At61.job
2008-01-04 12:00:00 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-01-04 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2007-11-12 19:37:21 350 --a------ C:\WINDOWS\Tasks\At56.job
2007-11-12 19:37:21 350 --a------ C:\WINDOWS\Tasks\At55.job
2007-11-12 19:37:21 350 --a------ C:\WINDOWS\Tasks\At54.job
2007-11-12 19:37:21 350 --a------ C:\WINDOWS\Tasks\At53.job
2007-11-12 19:37:21 350 --a------ C:\WINDOWS\Tasks\At52.job
2007-11-02 18:55:14 350 --a------ C:\WINDOWS\Tasks\At32.job
2007-11-02 18:55:14 350 --a------ C:\WINDOWS\Tasks\At31.job
2007-11-02 18:55:14 350 --a------ C:\WINDOWS\Tasks\At30.job
2007-11-02 18:55:14 350 --a------ C:\WINDOWS\Tasks\At29.job
2007-11-02 18:55:14 350 --a------ C:\WINDOWS\Tasks\At28.job
2007-10-04 06:02:17 350 --a------ C:\WINDOWS\Tasks\At8.job
2007-10-01 16:37:47 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-29 15:42:22 350 --a------ C:\WINDOWS\Tasks\At7.job
2007-08-29 15:42:22 350 --a------ C:\WINDOWS\Tasks\At6.job
2007-08-29 15:42:22 350 --a------ C:\WINDOWS\Tasks\At5.job
2007-08-29 15:42:22 350 --a------ C:\WINDOWS\Tasks\At4.job


-- Files created between 2007-12-28 and 2008-01-28 -----------------------------

2008-01-24 20:48:02 0 d-------- C:\Program Files\RegCure
2008-01-24 19:05:07 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-24 19:04:53 0 d-------- C:\Program Files\Spyware Doctor
2008-01-24 19:04:53 0 d-------- C:\Documents and Settings\RCPUSER\Application Data\PC Tools
2008-01-21 08:58:18 0 d-------- C:\Program Files\Trend Micro
2008-01-15 22:04:45 204800 --a------ C:\WINDOWS\system32\UploadDLL.dll <Not Verified; Belkin Corporation; Belkin Corporation>
2008-01-15 22:04:45 53248 --a------ C:\WINDOWS\system32\preflib.dll
2008-01-15 22:04:45 101888 --a------ C:\WINDOWS\system32\CrashRpt.dll <Not Verified; ; Crash Handler>
2008-01-15 22:04:45 81920 --a------ C:\WINDOWS\system32\brdcm2k.dll <Not Verified; Belkin; brdcm2k Dynamic Link Library>
2008-01-15 22:04:45 167936 --a------ C:\WINDOWS\system32\BelkinwcuiDLL.dll
2008-01-15 22:04:45 61440 --a------ C:\WINDOWS\system32\BelkinHWStatus.dll
2008-01-15 22:04:44 192512 --a------ C:\WINDOWS\system32\blkwcd.dll
2008-01-15 22:04:44 0 d-------- C:\Program Files\Belkin
2008-01-15 19:10:11 10240 --a------ C:\WINDOWS\system32\wsock3.dll
2008-01-15 19:10:08 1 --a------ C:\WINDOWS\system32\rc.dat
2008-01-15 19:10:08 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-01-15 19:10:08 1 --a------ C:\WINDOWS\system32\cs.dat
2008-01-15 19:02:21 53760 --a------ C:\WINDOWS\system32\halifax1.dll <Not Verified; Shafter; Herbalife>
2008-01-15 17:36:37 0 d-------- C:\Program Files\Windows Live Favorites
2008-01-15 17:25:55 0 d-------- C:\Program Files\MSN Messenger
2008-01-15 17:02:47 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-15 17:02:41 0 d-------- C:\Program Files\Windows Live
2008-01-15 17:02:32 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-15 16:46:56 17149 --a------ C:\WINDOWS\system32\DNINDIS5.SYS <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-01-12 18:40:46 3584 --a------ C:\WINDOWS\system32\jkkjh.exe
2007-12-31 14:18:01 0 d-------- C:\Documents and Settings\RCPUSER\Application Data\LGSync
2007-12-31 13:43:20 0 d-------- C:\Program Files\LG Electronics
2007-12-31 13:41:34 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2007-12-31 13:41:33 1703936 --a------ C:\WINDOWS\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-31 13:41:33 36864 --a------ C:\WINDOWS\system32\CSDLGE1LIB.dll
2007-12-31 13:41:23 291840 --a------ C:\WINDOWS\system32\msvcirtd.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Studio.NET>
2007-12-31 13:40:44 0 d-------- C:\Program Files\LGE GSM PC Sync


-- Find3M Report ---------------------------------------------------------------

2008-01-27 17:08:13 0 d-------- C:\Documents and Settings\RCPUSER\Application Data\AVG7
2008-01-20 17:19:29 0 d-------- C:\Program Files\Common Files
2008-01-15 22:04:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-15 17:36:45 0 d-------- C:\Program Files\Windows Live Toolbar
2008-01-11 21:16:01 0 d-------- C:\Program Files\iTunes
2008-01-11 21:15:54 0 d-------- C:\Program Files\QuickTime
2008-01-11 18:25:27 0 d-------- C:\Documents and Settings\RCPUSER\Application Data\U3
2007-12-30 21:33:04 0 d-------- C:\Documents and Settings\RCPUSER\Application Data\Adobe
2007-11-28 20:54:54 0 d-------- C:\Documents and Settings\RCPUSER\Application Data\Apple Computer
2007-11-12 19:36:47 27200 --a------ C:\WINDOWS\system32\7PiEfGN1.exe
2007-11-08 18:49:53 27200 --a------ C:\WINDOWS\system32\6O28r15x.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28C703D0-B4A9-4b2f-9123-CE8294761861}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C950EB9-D311-4CDE-8390-07777CECF4F7}]
C:\Program Files\Outlook Express\povehapoC:\WINDOWS\system32\qui4\qopre83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" []
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/03/2006 14:39]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" []
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" []
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 11:00]
"PRISMSVR.EXE"="C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [27/01/2008 22:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
3Com Wireless 11g PC Card.lnk - C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe [02/07/2004 14:18:52]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 21:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe [15/01/2008 22:04:46]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [15/02/2006 15:16:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - TSCENSUS_COLLECTION_CLIENT



-- End of Deckard's System Scanner: finished at 2008-01-28 18:11:06 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5500 @ 1.66GHz
CPU 1: Intel® Core™2 CPU T5500 @ 1.66GHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 503.36 MiB / 112.77 MiB
Pagefile Memory (total/avail): 1227.5 MiB / 759.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.5 MiB

C: is Fixed (NTFS) - 55.89 GiB total, 47.03 GiB free.
D: is CDROM (CDFS)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6034GSX - 55.9 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.89 GiB - C:

\\.\PHYSICALDRIVE1 - SONY USB 2.0 USB Device - 494.19 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 501.51 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\RCPUSER\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DDSLAP08X
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\RCPUSER
LOGONSERVER=\\DDSLAP08X
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RCPUSER\LOCALS~1\Temp
TMP=C:\DOCUME~1\RCPUSER\LOCALS~1\Temp
USERDOMAIN=DDSLAP08X
USERNAME=RCPUSER
USERPROFILE=C:\Documents and Settings\RCPUSER
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

admin.DDSLAP08X (admin)
RCPUSER (admin)
ME (new local, admin)
administrator (admin)
RCP1 (update central)
RCP2
RCP3 (new local, update central)
RCP4 (update central)
RCP5 (new local, update central)
FI17 (new local, update central, admin)
ADMIN.HBCDOM01 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3Com OfficeConnect Wireless 11g PC Card --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{CAA871F1-FCB4-4678-B518-F30FF489FFAE}
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Agere Systems HDA Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Belkin 802.11g Wireless Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F07C011F-82D0-42CE-B2A6-28CD4BF385E2}\Setup.exe"
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
CANON iMAGE GATEWAY Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CRWUnInstall.ini"
Canon Internet Library for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\CIGUnInstall.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 2.2 --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
DriveCleaner Freeware 1.0.111.0 --> "C:\Program Files\DriveCleaner Freeware\pv.exe"
Garmin Training Center 3.2.3 --> MsiExec.exe /X{561F6A76-DCB0-11DB-8314-0800200C9A66}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP Quick Launch Buttons 6.00 D2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe" -l0x9 -removeonly uninst
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
InterVideo DVD Check --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\setup.exe" -l0x9 -removeonly
LG_MobileSync --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{832ECDE8-5E05-4601-9B0E-4ED14985F46A}\setup.exe" -l0x9 -removeonly
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{ECDA9BD9-A54E-462A-8191-A2B569D9AB34}
McAfee Anti-Spyware Enterprise Module --> C:\Program Files\Network Associates\VirusScan\csscan.exe /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RegCure 1.3.0.2 --> C:\Program Files\RegCure\uninst.exe
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{95FC661A-A0C5-4B18-92CE-90347DA79CC9}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{1707BF02-0F5C-4A6C-8F17-053BB73E443F}
User Profile Hive Cleanup Service --> MsiExec.exe /I{BF755CD9-E185-498A-AAFB-E9F8470AB1CC}
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{DCE65B11-710D-4C54-9DE5-1A6A0BD2186B}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{3727B920-F5A3-46A4-AC02-94F421A039C7}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
Windows NT Messaging --> RunDll32 setupapi.dll,InstallHinfSection Uninstall 4 MSMail.inf
ZENworks Asset Management - Client Apps --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Novell\ZENworks\Asset Management\UninstFA.isu" -c"C:\Program Files\Novell\ZENworks\Asset Management\bin\UninstCC.dll"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6321 / Warning
Event Submitted/Written: 01/28/2008 06:10:54 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DDSLAP08X IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6320 / Warning
Event Submitted/Written: 01/28/2008 06:10:54 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DDSLAP08X IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6319 / Error
Event Submitted/Written: 01/28/2008 06:08:01 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x800704cf). The network location cannot be reached. For information about network troubleshooting, see Windows Help.
Enrollment will not be performed.

Event Record #/Type6316 / Error
Event Submitted/Written: 01/28/2008 01:32:22 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type6315 / Error
Event Submitted/Written: 01/28/2008 01:31:19 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17666 / Warning
Event Submitted/Written: 01/28/2008 06:08:11 PM
Event ID/Source: 1006 / Dhcp
Event Description:
Your computer was unable to automatically configure the IP parameters for
the Network Card with the network address 001150DE343E. The following error occurred
during configuration: %%10106.

Event Record #/Type17661 / Error
Event Submitted/Written: 01/28/2008 09:08:30 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Event Record #/Type17660 / Error
Event Submitted/Written: 01/28/2008 09:08:00 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Automatic Updates service terminated with the following error:
%%2147952506

Event Record #/Type17657 / Error
Event Submitted/Written: 01/28/2008 09:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At58.job command failed to start due to the following error:
%%2147942405

Event Record #/Type17656 / Error
Event Submitted/Written: 01/28/2008 09:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At34.job command failed to start due to the following error:
%%2147942405



-- End of Deckard's System Scanner: finished at 2008-01-28 18:11:06 ------------

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 January 2008 - 01:35 PM

Click Start/Run, type CMD then press Ok.
At the command prompt copy and paste the following command in bold text below, then press Enter:
DEL C:\WINDOWS\Tasks\At*.job
Then exit the command prompt.


Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "wsock3.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.


Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\jkkjh.exe
C:\WINDOWS\system32\7PiEfGN1.exe
C:\WINDOWS\system32\6O28r15x.exe
C:\WINDOWS\system32\wsock3.dll


Return to OTMoveIt, right click on the "Paste Standard List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax1.dll (file missing)
O2 - BHO: (no name) - {7C950EB9-D311-4CDE-8390-07777CECF4F7} - C:\Program Files\Outlook Express\povehapoC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

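Added example (not from RichieUK's post, HijackThis or any tool named in this thread): a PowerShell check that lists the registered Browser Helper Objects and flags any whose DLL is no longer on disk, which is the condition behind the two "O2 - BHO ... (file missing)" lines above. It assumes it is run on the affected machine from an elevated PowerShell prompt (PowerShell was a separate download on Windows XP).

```powershell
# Added example: enumerate Browser Helper Objects and flag orphaned registrations.
# HijackThis' O2 entries come from these keys; "(file missing)" means the CLSID is
# still registered for IE but the DLL it points at cannot be found.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoDllPath {
    param([string]$Clsid)
    # The BHO key only stores the CLSID; the DLL path is the default value of
    # CLSID\<guid>\InprocServer32 (checked under both the native and WOW64 class roots).
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $server = Join-Path (Join-Path $root $Clsid) 'InprocServer32'
        if (Test-Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

function Test-BhoDllPresent {
    param([string]$Dll)
    if (-not $Dll) { return $false }
    if ([IO.Path]::IsPathRooted($Dll)) { return (Test-Path -LiteralPath $Dll) }
    # A bare file name (like halifax1.dll above) is resolved by the loader's search
    # path; System32 and the Windows directory are the ones that matter for IE.
    foreach ($dir in "$env:SystemRoot\system32", $env:SystemRoot) {
        if (Test-Path -LiteralPath (Join-Path $dir $Dll)) { return $true }
    }
    return $false
}

$results = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $dll = Get-BhoDllPath -Clsid $entry.PSChildName
        [pscustomobject]@{
            CLSID      = $entry.PSChildName
            DllPath    = $dll
            FileExists = Test-BhoDllPresent -Dll $dll
        }
    }
}

# FileExists = False rows are the orphaned registrations; removing them with HijackThis
# deletes only the registry entries, not any file.
$results | Sort-Object FileExists | Format-Table -AutoSize
```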

#14 EamonHannaway

  • Topic Starter

  • Members
  • 30 posts

Posted 28 January 2008 - 03:18 PM

Hi Richie

1. Moveit log:

File/Folder C:\WINDOWS\system32\rc.dat not found.
File/Folder C:\WINDOWS\system32\ps1.dat not found.
File/Folder C:\WINDOWS\system32\cs.dat not found.
File/Folder C:\WINDOWS\system32\jkkjh.exe not found.
File/Folder C:\WINDOWS\system32\7PiEfGN1.exe not found.
File/Folder C:\WINDOWS\system32\6O28r15x.exe not found.
File/Folder C:\WINDOWS\system32\wsock3.dll not found.

OTMoveIt2 v1.0.15 log created on 01282008_193904

2. Seem to have hit a snag when attempting to run the Super antispy scan (which I successfully downloaded/updated on my clean PC and copied to the dirty laptop). When I double click on it, the message says: 'The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if Windows Installer is not correctly installed.' (As well as copying the Super antispy exe file I also copied the 1 kb Super antispy free edition file (?).)

Laptop remains in safe mode.

Thanks
Eamon

#15 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 January 2008 - 03:30 PM

Restart the machine normally, then run SuperAntiSpyware in normal/regular Windows.