
Bagel Post-infection Assistance Request


15 replies to this topic

#1 Wulffy

Wulffy

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 08 April 2008 - 08:30 PM

As directed in this thread, I'm posting my HJT log as requested. The referring thread has some additional pertinent information therein.

Please note that the two times I have run HJT, I have received an error as depicted in the attached screenshot.

Looking forward to working with you and getting these issues put to bed.

Please review the information, consider, and advise the best method to a timely resolution.

Thank you.

-t

Log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:20 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Corel\Corel Paint Shop Pro X\Paint Shop Pro X.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose /waitmore
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\NaturalReaders\Natural Voice Reader Free\read.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.balancelogistics.com
O15 - Trusted Zone: *.dogpile.com
O15 - Trusted Zone: *.flyadi.com
O15 - Trusted Zone: *.garmin.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.phpbb.com
O15 - Trusted Zone: *.regional-services.com
O15 - Trusted Zone: *.shopcollins.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.spellingcow.com
O15 - Trusted Zone: *.theothercrew.com
O15 - Trusted Zone: *.usgs.gov
O15 - Trusted IP range: http://127.0.0.1
O15 - Trusted IP range: 69.90.34.*
O16 - DPF: {B21A38F1-EC5D-4519-A715-0AD9DC6CC7A3} (SMControl Class) - http://www.jjward.com/FPSMonitor/SMActiveX.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...253/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\Software\..\Telephony: DomainName = ADI.flyadi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - c:\apache\bin\apache.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Franson GpsGate 2.0 - Unknown owner - C:\Program Files\Franson\GpsGate 2.0\GpsGateService.exe
O23 - Service: geepeeyesDS - Unknown owner - c:\geepeeyes\mysqld-nt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\NovaStor\NovaBACKUP\NMSAccessU.exe
O23 - Service: NsEngine - NovaStor Corporation - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13459 bytes

Attached Files




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 08 April 2008 - 08:38 PM

Hi, Wulffy :thumbsup:

Welcome to BC.

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

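A worked example, added here and not part of the thread or of any tool mentioned in it: a small Python triage script that pulls out of a HijackThis v2 log the entry types a helper looks at first, namely the O15 Trusted Zone and Trusted IP range entries (the ones DelDomains.inf clears), O10 unknown Winsock LSP files, O23 services with no recorded owner, and O4 Run entries that name a bare executable with no directory. The sample lines are copied from the log posted above; the section names, the regular expressions and the "bare executable" heuristic are assumptions about the HJT v2 line format, not a specification from the tool.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.dogpile.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted IP range: http://127.0.0.1
O15 - Trusted IP range: 69.90.34.*
O23 - Service: Apache2 - Apache Software Foundation - c:\apache\bin\apache.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: geepeeyesDS - Unknown owner - c:\geepeeyes\mysqld-nt.exe
"""

# Assumed HJT v2 layout: "<section> - <body>", e.g. "O15 - Trusted Zone: *.example.com".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Assumed O4 body layout for Run keys: "HKLM\..\Run: [name] command".
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_entries(text):
    """Yield (section, body) for every HJT entry line; header/footer lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _executable_of(command):
    """Return the program part of a Run command: the quoted path, or the first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Collect the entries worth a second look from an HJT log into one report dict."""
    report = {
        "trusted_zones": [],            # O15 Trusted Zone hosts (cleared by DelDomains.inf)
        "trusted_ip_ranges": [],        # O15 Trusted IP ranges (cleared by DelDomains.inf)
        "unknown_lsp": [],              # O10 files HJT could not attribute in the Winsock LSP chain
        "unknown_owner_services": [],   # O23 services with no vendor recorded: (name, path)
        "bare_run_entries": [],         # O4 Run values whose program has no directory: (name, exe)
    }
    for section, body in parse_entries(text):
        if section == "O15":
            kind, _, value = body.partition(": ")
            if kind == "Trusted Zone":
                report["trusted_zones"].append(value)
            elif kind == "Trusted IP range":
                report["trusted_ip_ranges"].append(value)
        elif section == "O10":
            _, _, path = body.partition(": ")
            report["unknown_lsp"].append(path)
        elif section == "O23":
            # Body is "Service: <name> - <owner> - <path>"; split from the right so a
            # service name that itself contains " - " stays intact.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                if name.startswith("Service: "):
                    name = name[len("Service: "):]
                if owner == "Unknown owner":
                    report["unknown_owner_services"].append((name, path))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = _executable_of(m.group(2))
                # A bare file name is resolved through the PATH search at logon, so the
                # file actually being started should be located and verified by hand.
                if "\\" not in exe:
                    report["bare_run_entries"].append((m.group(1), exe))
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Feed it a full log saved from HijackThis (`triage(open("hijackthis.log").read())`) to get the same five lists; everything it does not list still has to be read line by line, since this only narrows the log down to the entry types a helper asks about first.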

#3 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 08 April 2008 - 10:22 PM

Hi, JSntgRvr.

Thanks for your quick assistance.

As info, I executed the clearing .inf as directed.
(Just wanted you to know that I DID populate those entries intentionally, over the course of time. Regardless, it is easily rectified, once I am back up and running as expected.)

Please find the scan results detailed in the following:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 04/08/2008
The current time is: 23:11:22.75


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 09 April 2008 - 11:09 AM

Hi, Wulffy :thumbsup:

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:
  • Scroll down and click the [Attachments] section
  • Browse to the following folder:
    • C:\Deckard\System Scanner
  • Click Upload to upload these files one by one
  • Submit your reply

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 09 April 2008 - 09:50 PM

Hello JSntgRvr.

Let me open with a bit of an apology as I did what you directed, but only sort of ... :thumbsup:. I'll explain:

I had downloaded the app earlier and then put it in a folder on my desktop vs. directly on my desktop. I ran it this evening (from the folder, not my desktop :wacko:), and got a couple of blank notepad instances and a couple of error dialog boxes. During this initial run, I got a dialog about running it only under supervision, etc... Then I clicked OK and it did a system-restore save, went and backed up all of the registry hives, and then did its thing (probably a six step process taking ~3 to 5 minutes) resulting in the dialog as shown in the attached screenshot.

I then went back and reread your post. I downloaded it from your link and saved it to the desktop. I reran it subsequently. During this second run, it did not do the system restore, nor did it do the registry backup, but rather did the balance of the tests. The length of time that it took to do the tests on this 2nd run seemed much shorter. When it got done doing its thing, I received just a single notepad window with a single error about not being able to find the share...

Now, I got to thinking, I did not shut down the machine when I left the office today, just put it in standby and got it back up and running this evening when I got home, and did the DSS run after that. So, I rebooted, logging in with my cached domain credentials (Yes, I am a member of the local admin group on this box), with the LAN cable unplugged and reran it from the desktop. This time, it did the same quicker check - no system-restore save, nor reg backup, but when completed, I got the following text in a single notepad instance...

So, it seems that my not rebooting from my work session, and/or my running it from a folder on the desktop (vs. from the desktop itself), may have prevented it from doing its thing properly.

Sorry for not thinking things through entirely before acting (seems I have had a bit of that lately... :blink:).

Results follow:

Deckard's System Scanner v20071014.68
Run by TodW on 2008-04-09 22:12:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.72 GiB (less than 15%) free.


-- HijackThis (run as TodW.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:23 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Documents and Settings\todw\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\TodW.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose /waitmore
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\NaturalReaders\Natural Voice Reader Free\read.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {B21A38F1-EC5D-4519-A715-0AD9DC6CC7A3} (SMControl Class) - http://www.jjward.com/FPSMonitor/SMActiveX.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...253/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\Software\..\Telephony: DomainName = ADI.flyadi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = ADI.flyadi.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - c:\apache\bin\apache.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Franson GpsGate 2.0 - Unknown owner - C:\Program Files\Franson\GpsGate 2.0\GpsGateService.exe
O23 - Service: geepeeyesDS - Unknown owner - c:\geepeeyes\mysqld-nt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\NovaStor\NovaBACKUP\NMSAccessU.exe
O23 - Service: NsEngine - NovaStor Corporation - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12850 bytes

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-07 20:00:39 0 d-------- C:\Documents and Settings\twulff\Application Data\Simply Super Software
2008-04-07 19:59:58 0 d-------- C:\Documents and Settings\twulff\Application Data\Windows Desktop Search
2008-04-07 19:58:55 0 d-------- C:\Documents and Settings\twulff\Application Data\Subversion
2008-04-06 12:03:12 0 d-------- C:\Program Files\Notepad++ Backup 06Apr08
2008-04-06 01:06:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 23:54:21 0 d-------- C:\Documents and Settings\todw\Application Data\Malwarebytes
2008-04-05 23:54:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 23:54:08 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 22:55:45 0 d-------- C:\Program Files\MicroProse
2008-04-05 22:54:46 47104 --a------ C:\WINDOWS\system32\KMVIDC32.DLL
2008-04-05 22:37:02 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-05 22:07:22 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 22:07:22 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 22:07:22 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 22:07:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 22:07:22 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 22:07:22 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 22:07:22 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 22:07:22 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-05 21:50:37 0 d-------- C:\Program Files\Trend Micro
2008-04-05 19:14:14 0 d-------- C:\Program Files\Safer Networking
2008-04-05 05:27:25 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-04-05 05:27:25 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-04-05 03:43:34 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-05 02:19:13 4 --ah----- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
2008-04-05 02:11:56 16128 --a------ C:\WINDOWS\system32\drivers\APPDRV.SYS <Not Verified; Dell Inc; Application Driver>
2008-04-05 01:39:29 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
2008-04-04 23:14:33 0 d-------- C:\Program Files\Debugging Tools for Windows
2008-04-04 23:09:29 0 d-------- C:\Program Files\Driver Installation Tools 2.01
2008-04-04 21:37:20 0 d-------- C:\Documents and Settings\todw\Application Data\Windows Search
2008-04-04 21:35:42 0 d-------- C:\Documents and Settings\todw\Application Data\Windows Desktop Search
2008-04-04 21:32:39 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-04 20:25:11 20447232 --a------ C:\Documents and Settings\todw\ntuser.dat
2008-04-04 20:19:28 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-04 20:19:28 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-04 20:19:28 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-04 20:19:28 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-04-04 20:19:28 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-04 20:19:26 0 d-------- C:\Program Files\Trojan Remover
2008-04-04 20:19:26 0 d-------- C:\Documents and Settings\todw\Application Data\Simply Super Software
2008-04-04 20:19:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-04 19:38:34 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-04-04 18:59:13 0 d--h----- C:\catalog.wci
2008-04-01 21:59:34 0 d-------- C:\Program Files\mIRC
2008-04-01 21:59:34 0 d-------- C:\Documents and Settings\todw\Application Data\mIRC
2008-03-31 20:47:57 0 d-------- C:\ERDNT
2008-03-31 02:49:35 113 --a------ C:\TALK.vbs
2008-03-30 21:07:38 0 d-------- C:\Documents and Settings\todw\Application Data\TortoiseSVN
2008-03-30 16:51:27 0 d-------- C:\Documents and Settings\todw\Application Data\Subversion
2008-03-30 16:35:59 0 d-------- C:\Program Files\TortoiseSVN
2008-03-29 11:55:07 0 d-------- C:\Program Files\Data Dynamics
2008-03-28 21:24:57 0 d-------- C:\Program Files\IconCool Editor
2008-03-26 22:00:13 0 d-------- C:\Documents and Settings\twulff\Application Data\Talkback
2008-03-26 21:30:00 0 d-------- C:\Documents and Settings\twulff\Application Data\Mozilla
2008-03-26 20:22:47 0 d-------- C:\6b62c8615faaea92f99c813a
2008-03-26 18:23:06 64 --a------ C:\WINDOWS\1.bat
2008-03-26 13:05:11 0 d-------- C:\Documents and Settings\twulff\Application Data\Notepad++
2008-03-26 12:19:24 0 d-------- C:\Documents and Settings\twulff\Application Data\YouSendIt
2008-03-23 00:30:10 0 d-------- C:\Program Files\ResHack
2008-03-22 12:19:49 0 d-------- C:\Program Files\PE Explorer ru
2008-03-21 00:02:40 0 d-------- C:\Program Files\Winspector
2008-03-20 00:34:35 24576 --a------ C:\WINDOWS\KeyHH.exe <Not Verified; KeyWorks Software; KeyHH>
2008-03-20 00:34:35 0 d-------- C:\Program Files\KeyWorks
2008-03-18 16:36:56 0 d-------- C:\Documents and Settings\todw\Application Data\ASAP Utilities
2008-03-18 09:29:41 0 d-------- C:\Documents and Settings\todw\Application Data\skypePM
2008-03-18 09:29:41 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-18 09:28:41 0 d-------- C:\Program Files\Common Files\Skype
2008-03-17 19:58:00 0 d-------- C:\WINDOWS\McAfee.com
2008-03-17 17:52:13 10752 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2008-03-17 17:52:08 0 d-------- C:\Program Files\PrevxCSI
2008-03-17 17:52:03 0 d-------- C:\Documents and Settings\todw\Application Data\PrevxCSI
2008-03-15 14:38:35 0 d-------- C:\Program Files\Drug Lord 2
2008-03-12 20:56:45 0 d-------- C:\Program Files\Notepad++ Backup 12Mar08
2008-03-12 20:56:11 0 d-------- C:\Documents and Settings\todw\Application Data\Notepad++ backup 12Mar08
2008-03-11 20:52:03 0 d-------- C:\Documents and Settings\todw\Application Data\PE Explorer
2008-03-11 20:51:49 0 d-------- C:\Program Files\PE Explorer


-- Find3M Report ---------------------------------------------------------------

2008-04-09 22:10:42 0 d-------- C:\Documents and Settings\todw\Application Data\Skype
2008-04-09 21:08:56 0 d-------- C:\Program Files\Plaxo
2008-04-09 20:47:26 0 d-------- C:\Program Files\TextAloud
2008-04-08 23:31:13 0 d-------- C:\Documents and Settings\todw\Application Data\Free Download Manager
2008-04-07 14:30:42 0 d-------- C:\Program Files\ACT
2008-04-06 13:04:33 0 d-------- C:\Documents and Settings\todw\Application Data\Notepad++
2008-04-06 12:40:04 0 d-------- C:\Program Files\Notepad++
2008-04-06 01:54:31 0 d-------- C:\Program Files\RegistrySmart
2008-04-05 02:19:10 0 d-------- C:\Program Files\Dell
2008-04-05 02:19:08 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 01:38:58 0 d-------- C:\Program Files\Intel
2008-04-04 00:09:18 0 d-------- C:\Documents and Settings\todw\Application Data\uTorrent
2008-04-01 23:16:14 0 d-------- C:\Program Files\Common Files
2008-04-01 22:23:35 0 d-------- C:\Program Files\eMule
2008-03-31 17:01:20 0 d-------- C:\Program Files\Coridium
2008-03-31 07:37:55 0 d-------- C:\Program Files\Windows NT
2008-03-30 16:44:17 0 d-------- C:\Program Files\FileZilla
2008-03-26 23:55:09 0 d-------- C:\Program Files\Eltima Software
2008-03-25 23:53:33 0 d-------- C:\Program Files\AutoHotkey
2008-03-20 11:28:23 0 d-------- C:\Program Files\Win32Pad
2008-03-20 00:35:22 0 d-------- C:\Documents and Settings\todw\Application Data\ComcastToolbar
2008-03-18 16:37:28 0 d-------- C:\Program Files\ASAP Utilities
2008-03-11 00:10:58 0 d-------- C:\Program Files\AIM6
2008-03-08 23:30:47 0 d-------- C:\Documents and Settings\todw\Application Data\acccore
2008-03-08 23:30:06 0 d-------- C:\Program Files\Viewpoint
2008-03-08 23:29:05 0 d-------- C:\Program Files\Common Files\AOL
2008-03-04 17:48:02 0 d-------- C:\Program Files\AoA DVD Ripper
2008-03-04 17:41:01 0 d-------- C:\Program Files\Xvid
2008-03-01 22:26:33 0 d-------- C:\Documents and Settings\todw\Application Data\Talkback
2008-03-01 01:38:21 0 d-------- C:\Program Files\Common Files\ActiveXperts
2008-03-01 01:38:21 0 d-------- C:\Program Files\ActiveXperts
2008-03-01 01:11:42 0 d-------- C:\Program Files\FileZilla Server
2008-02-25 23:20:10 0 d-------- C:\Program Files\Raptor
2008-02-25 20:43:46 0 d-------- C:\Documents and Settings\todw\Application Data\YouSendIt
2008-02-25 16:51:24 0 d-------- C:\Program Files\YouSendIt
2008-02-24 01:56:28 0 d-------- C:\Program Files\AccessRecovery
2008-02-23 18:57:41 0 d-------- C:\Documents and Settings\todw\Application Data\Adobe
2008-02-23 18:30:53 0 d-------- C:\Program Files\Soldier of Fortune Payback
2008-02-23 12:08:50 0 d-------- C:\Program Files\Activision Value
2008-02-23 03:59:21 0 d-------- C:\Program Files\Smart Projects
2008-02-23 03:33:22 0 d-------- C:\Program Files\Paragon Software
2008-02-22 10:30:52 0 d-------- C:\Program Files\Motorola Phone Tools
2008-02-18 09:17:24 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-15 18:43:42 8 --a------ C:\Documents and Settings\todw\Application Data\usb.dat.bin
2008-02-15 16:42:33 0 d-------- C:\Program Files\ComcastToolbar
2008-02-12 17:03:38 183361 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx; WebEx Application Sharing ATASNT40.DLL>
2008-02-12 17:03:37 0 d-------- C:\Program Files\WebEx
2008-02-10 13:21:24 0 d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2008-02-10 03:07:49 0 d-------- C:\Documents and Settings\todw\Application Data\teamspeak2
2008-02-10 02:54:31 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-02-09 22:57:13 0 d-------- C:\Program Files\Ventrilo
2008-02-09 22:56:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 22:20:24 0 d-------- C:\Program Files\Virtins SCMI
2008-02-09 21:28:22 0 d-------- C:\Program Files\Susteen


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [09/13/2007 05:00 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 02:13 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/10/2005 09:05 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 01:03 PM C:\WINDOWS\KHALMNPR.Exe]
"bascstray"="BascsTray.exe" []
"GoBoingo"="C:\Program Files\Boingo\GoBoingo\GoBoingo.exe" [10/18/2007 02:13 PM]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [05/01/2007 12:09 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/2003 07:10 AM]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [03/27/2008 06:10 PM]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [08/03/2006 03:19 AM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [07/07/2005 06:08 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03/04/2005 11:26 AM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe" [02/11/2008 10:58 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [02/01/2008 05:22 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [3/25/2008 5:59:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=1 (0x1)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"MemCheckBoxInRunDlg"=0 (0x0)
"NoAutoTrayNotify"=0 (0x0)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoStartBanner"=01000000
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoSharedDocuments"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [03/25/2008 05:56 AM 303616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 08/03/2006 03:20 AM 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BAsfIpM"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b66549b-2b8a-11db-9edb-000f1fb4a71f}]
AutoRun\command- E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{735b7c80-5f6b-11db-9f3e-000cf144f0f2}]
AutoRun\command- F:\Installer.exe




-- End of Deckard's System Scanner: finished at 2008-04-09 22:13:07 ------------




#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 10 April 2008 - 10:53 AM

Hi, Wulffy :thumbsup:

I don't see any type of malware in your system. There are two files, however, whose contents I would like to see.

Open Notepad. Click on file -> Open, copy and paste the following paths one at a time and open these files. Post their content in a reply.

C:\WINDOWS\1.bat
C:\TALK.vbs


You also have many developer programs such as ResHacker, ExplorerPE, Notepad++ and others. Any reason?

Download OTCleanit from here. Run the program and follow the prompts. That should remove some of the tools we asked you to download for the removal of malware. If some of the programs fail to delete, please remove these programs from your system.

Please also give me full details on the computer's behavior.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 10 April 2008 - 01:01 PM

Good day, JSntgRvr.

I don't see any type of malware in your system. There are two files however, that I would like to see its contents.


Yeah, I know. I thought I had rid myself of it...

Take a peek at my initial thread. Therein I detail that I do a lot of developing on this box. I am writing an IDE for Coridium Corp.'s ARMBasic line of Micro-Controllers. I am making use of NPP as the shell for my IDE. I (resource-) hacked a template .dll (changed the title and icon) to get the framework of the IDE inside of the NPP application, and then I am using AHK to create the GUIs inside of the dockable window frame, and interact with the target with serial comms, via the use of the ActiveXperts ActiveComPort's ActiveX object. I am about ~60% of the way thru coding up the IDE.

The serial comms COM object that I am using has the limitation that it doesn't offer a property/method to test the serial port receive buffer, and I was testing other ActiveX objects when I kicked off the Bagel variant infected code. :wacko:

The 1.bat file was one I created right after the flipping virus had control of my system. I created it with a short filename so that it was easy to execute via a cmd shell. I was using Process Explorer and File Monitor, watching it change IceSword's executable to render it an invalid Win32 application. I had a hell of a time getting the virus to release its hooks on things, so I created the .bat file to copy a good version of the IceSword executable and rename it to drowseci.exe, and then I was able to kick it off. If I opened the folder containing icesword.exe therein, the hooks via explorer.exe were allowing the virus to see the IceSword executable and commence the altering of it - simply changed a couple bytes at a specific offset and voila, it wouldn't run. This is what led me to make the following assertion in my initial post:

I was surprised at how targeted the malware was - hooking into explorer and changing executables to render them invalid (IceSword), etc.


At any rate, I deleted 1.bat last night, after seeing it in the logs, as it was no longer needed. Sorry...

Regarding Talk.vbs, it is a temp script that my IDE uses to verbally interact with the user. Its current contents are detailed in the following. It changes quite often (for every spoken phrase):
Dim Talk
Set Talk = WScript.CreateObject("SAPI.SpVoice")
Talk.Speak "Target 1, an ARMexpress v2, on Comm 3, selected!"
The code that kicks off the talk.vbs script is detailed below:
...
Speak(whatToSay) {
   TEMPFILE = %TEMP%\TALK.vbs
   IfExist, %TEMPFILE%
	  FileDelete, %TEMPFILE%
   FileAppend, Dim Talk`nSet Talk = WScript.CreateObject("SAPI.SpVoice")`nTalk.Speak "%whatToSay%", %TEMPFILE%
   sleep, 100
  ; Runwait, %TEMPFILE%
   Run, %TEMPFILE%
  ; FileDelete, %TEMPFILE%
}

So, while I understand the interest in the two files specifically mentioned, they are of little concern, IMHO.

...

This is a frustrating event. I am intelligent and I knew better, but got tunnel-vision on the serial comms solution I am looking for and didn't take the time to decompress the tools I was downloading and scan them before executing, but instead executed them from directly within the archive. It took me a full day's effort to get it back to where it is now, which is stable.

The only three symptoms (that I am aware of) I am still seeing are the same three that I described in my initiating thread:

1. Wireless Adapter Connects, but fails to get a good IP - always results in the win32 default ip being assigned - 169.254.248.79 with subnet mask of 255.255.0.0 - Gateway, DNS, and WINS server ips are all blank (null)
2. The Service Windows Driver Foundation - User-Mode Driver Framework won't start - barfs up Error 31: A device attached to the system is not functioning... (also causes an app error on startup, if the service is set to start automagically)
3. Booting into safe mode now yields dialog consistent with incorrect passwords.

I have successfully logged onto the machine with both my cached domain credentials and my machine's local account, however when I boot to safe-mode, I cannot authenticate with either account. I did type my password in the username field and I am seeing that my keyboard is not fragging up, at least when the cursor is in the username field. Suspecting corrupt profile, hook to password field, or something else equally obtuse...

Are you folks willing to work with me in trying to resolve the lingering problems, now that there is a reasonable level of comfort that the machine is rid of any malware? That was my initial intent with posting in the other forum. However, I understand that the above steps needed to be taken to give you folks a level of comfort that we won't be fighting a bug while trying to clean up the problems.

So, with that, I am all ears on what needs to be done. :thumbsup: I can't really be without wireless connectivity as I do travel with the box for professional obligations. Frankly, it pisses me off that I can't boot safe. It is only a matter of time where I will need to do this, and if I can't, I am sure that I will regret it. Finally, while I understand the UMDF was installed with WMP, I suspect that it will be leveraged in the future by other MS applications, and not being able to kick it off, while not an immediate problem that I can see, is still a failure...

I am suspecting that there is probably a corrupted .dll somewhere, or some registry entries that are fragged that just might be causing all three of these issues to be related.?.

While I am intelligent, I don't know everything. With the fine community here at BC, I suspect that there is a Win32 guru that can work with me to get the issues resolved. Maybe with the resolution of the first, the other two will also get fixed (wishful thinking, I know...) :).

This is why I humbly come asking for assistance... :blink: Please, ole wise ones, share your wisdom in helping this meager peasant with his problems...

If there is another forum herein (@ BC), or elsewhere, that would be more appropriate for me to solicit assistance in, I am more than willing to do my part in helping to get these issues resolved.

Please review and advise your thoughts and suggestions. Thanks again, for your time. It is appreciated more than you know.!.

-t

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 10 April 2008 - 03:51 PM

Hi, Wulffy :thumbsup:

Let's take a look:

Download Getservices.zip from Here and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat . Simply double-click on the getservice.bat file and when it is completed a notepad will open with a lot of information. You can then copy the entire contents of that notepad to a reply.

Download pv.zip from Here and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called PV. Inside the C:\PV directory will be a file called runme.bat . Simply double-click on the runme.bat file. A dos window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It is usually pretty large and takes more than one post. Please do option 2 for Internet Explorer dlls too.

Run the following commands:

CMD /C Reg Query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" /s >>"%userprofile%\Desktop\Safe.txt"
CMD /C Reg Query "HKLM\SYSTEM\CurrentControlSet\Control\lsa" /s >>"%userprofile%\Desktop\Safe.txt"

They should produce a report in your desktop. Attach it also in your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 10 April 2008 - 05:13 PM

Thank you.

I d/l the files from the specified link, extracted them as directed and basically followed your directives... ;)

In the interests of not having a gawd awful long series of posts, please find the following files attached.

getservice.txt - log file from step 1 (getservice.bat results)
pv 1 log.txt - log file from step 2 (pv option 1 results)
pv 2 log.txt - log file from step 3 (pv option 2 results)
safe1.txt - results from command line execution (renamed safe.txt after creation)
safe2.txt - results from command line execution (renamed safe.txt after creation)

I await further guidance. Thank you.

-t




#10 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 10 April 2008 - 05:31 PM

An entry of interest in the getservices.txt file: SERVICE_NAME: NetDDEdsdm possibly corrupt?

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 10 April 2008 - 06:20 PM

Hi, Wulffy :thumbsup:

Windows Driver Foundation by default is set to Manual; in your case it is set to Automatic. The service it depends on is Plug and Play and is active. Unless there is an external Plug and Play device malfunctioning I can't see the reason for this behavior.

The Safeboot key has a few entries missing, if compared with the one in my system.

Download SafeBootKeyRepair.exe by sUBs and save it to your desktop. Double-click SafeBootKeyRepair.exe to run it. Follow all prompts.

Post the log it will produce in your next reply and test safeboot after a restart.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

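The check JSntgRvr describes above, comparing the SafeBoot key against a known-good machine's copy, can be done mechanically. The Python script below is an added example (not part of this thread, nor of SafeBootKeyRepair or any other tool mentioned here): it parses two "Windows Registry Editor Version 5.00" exports, such as `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safe.reg` taken on a known-good XP SP2 machine and on the suspect one, and lists the Minimal/Network entries that are missing, extra or altered. The two exports embedded in it are constructed, trimmed samples, not this thread's logs.

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]  # (SafeBoot profile, entry name), e.g. ("Minimal", "CryptSvc")

_KEY_LINE = re.compile(r"^\[(?P<path>.+)\]$")
_DEFAULT_VALUE = re.compile(r'^@="(?P<value>.*)"$')


def parse_safeboot_export(text: str) -> Dict[Entry, str]:
    """Map every SafeBoot\\<profile>\\<entry> key in a .reg export to its default value.

    Only keys exactly two levels below 'SafeBoot' (Minimal\\X, Network\\X) are kept.
    The hive prefix (currentcontrolset vs ControlSet001) and the letter case of the
    path are ignored, so exports taken on two different machines line up.
    """
    entries: Dict[Entry, str] = {}
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            parts = key.group("path").split("\\")
            lowered = [p.lower() for p in parts]
            current = None
            if "safeboot" in lowered:
                below = parts[lowered.index("safeboot") + 1:]
                if len(below) == 2:
                    current = (below[0], below[1])
                    entries.setdefault(current, "")  # key counts even without an @= line
            continue
        value = _DEFAULT_VALUE.match(line)
        if value and current is not None:
            entries[current] = value.group("value")
    return entries


def compare_safeboot(reference: str, suspect: str) -> Dict[str, List[Entry]]:
    """Entries missing from, extra in, or altered in the suspect export vs. the reference."""
    ref = parse_safeboot_export(reference)
    sus = parse_safeboot_export(suspect)
    return {
        "missing": sorted(k for k in ref if k not in sus),
        "extra": sorted(k for k in sus if k not in ref),
        "changed": sorted(k for k in ref if k in sus and ref[k] != sus[k]),
    }


# Constructed sample: a trimmed known-good export (not a real machine's full key).
REFERENCE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"
"""

# Constructed suspect export from ControlSet001 with different casing: two Minimal
# entries gone, AFD's value altered, and an entry (PSEXESVC) the baseline lacks.
SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp]
@="Service"
"""

if __name__ == "__main__":
    for kind, keys in compare_safeboot(REFERENCE_EXPORT, SUSPECT_EXPORT).items():
        for profile, name in keys:
            print(f"{kind:8} SafeBoot\\{profile}\\{name}")
```

Entries reported as "extra" are not automatically bad; a helper still has to judge each one, and "missing" entries are what a repair tool such as the one recommended above puts back.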

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 10 April 2008 - 06:25 PM

An entry of interest in the getservices.txt file: SERVICE_NAME: NetDDEdsdm possibly corrupt?

Not enough information. The entry always appears like that on the report. That means nothing.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 10 April 2008 - 07:09 PM

Understood.

I have run the tool. No real prompting.?. Just opened up the results log.

Going to reboot into safe mode here in a bit...

Results follow:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,761 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:57 PM

Posted 18 April 2008 - 07:37 PM

Hi, Wulffy :thumbsup:

Sorry for the delay. I did not receive a notification on your last report.

Are you still having issues with your computer?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 Wulffy

Wulffy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SE Michigan, US
  • Local time:05:57 PM

Posted 19 April 2008 - 06:31 PM

Hello. No worries, honestly, last week was brutal for me professionally, and I too was much too busy to try to deal with it.

Thank you for your continued interest, however. Yes, I am having the issue still.

I am beginning to suspect a corrupt hardware profile(.?.), as if I use the docking station at work, I am able to connect to our wireless network without issue.

But, at the house, same thing, no wireless connectivity, a complete inability to login via safemode, and the WUMDF not starting.

I didn't check safemode login capability or WUMDF not starting, while at work. I'll try that Monday and advise.

-t

Edited by Wulffy, 19 April 2008 - 06:32 PM.




