Internet Getting Redirected


  • This topic is locked
13 replies to this topic

#1 brussel57

brussel57

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 09 April 2008 - 11:58 AM

Hi Everyone

I noticed very recently that when I search with Google and click on the link I am redirected to different sites. This includes links that I know have the correct info. At first I thought I made a mistake but after getting redirected to the same pages - one in particular is for Trusted Antivirus website, I knew something was wrong. I am now getting redirected when I use favorites that I've had for years. I ran Spybot and Adware to see if anything was there and nothing showed up.
My tech ran a virus scan but said that everything was cleared up, however same thing was happening.
I came here from Trend Micro seeking help. I've run the scans requested and Kaspersky shows I have a backdoor - Infected: Backdoor.Win32.Rbot.jqt. I am not sure if it is indicating that I have spy/malware.

BTW, I ran Kaspersky for both critical area and drive c - both scans have been included. How can I stop the redirections and third can I be helped?

Hopefully I have provided everything that is needed.
Thank you for any help
brussel57

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 479.53 MiB / 204.24 MiB
Pagefile Memory (total/avail): 738.52 MiB / 346.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1952.86 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.65 GiB total, 7.57 GiB free.
D: is CDROM (No Media)
F: is Network (NTFS)
M: is Network (NTFS)
T: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD200BB-32CXA0 - 18.65 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.65 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LESLIE
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\VDMSERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINDOWS\system32\os2\dll;
Path=C:\PROGRA~1\SYMANTEC\PCANYW~1\;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\WBEM;C:\Program Files\Symantec\pcAnywhere\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDNSDOMAIN=vdm-law.com
USERDOMAIN=VDM-LAW
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
user (admin)
administrator.VDM-LAW (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
3D Merry Christmas Screensaver 1.0 --> "C:\Program Files\Astro Gemini Software\3D Merry Christmas Screensaver\unins000.exe"
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Ad-aware 6 Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\98\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\98\Uninst.dll"
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Autumn Spins Screensaver --> C:\Program Files\Irene's Images\Autumn Spins\Uninstall.exe
Autumn Sunset 3D Screensaver 1.0 --> C:\Program Files\ScenicReflections\Autumn Sunset 3D Screensaver\uninst.exe
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bearmont Castle --> C:\WINDOWS\DWUninst.exe "Bearmont Castle"
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Bewitched by TV Land Screen Saver --> C:\WINDOWS\Bewitched by TV Land.scr /u
Cadbury Bunny Screensaver --> C:\WINDOWS\system32\Cadbury Bunny Screensaver.scr /u
Caroling With Pooh & Friends --> C:\Program Files\Caroling With Pooh & Friends\Uninstall.exe
Castle Of Dreams 2 Saver --> C:\Windows\Uninstal.exe
Cathedral 3D Screensaver 1.0 --> "C:\Program Files\Cathedral 3D Screensaver\unins000.exe"
Cats and Quotes Scenic Reflections 3.0 --> C:\Program Files\DesktopFun\Cats and Quotes Scenic Reflections\uninst.exe
Christmas At Our House Saver --> C:\Windows\Uninstal.exe
Christmas Fun Screen Saver --> C:\WINDOWS\INDSOFT\SSAVERS\Christmas Fun\UNINSTAL.EXE
Corel WordPerfect Suite 8 --> C:\Corel\Suite8\AppMan\Setup\REMOVELAUNCHER.EXE
Country Christmas 3D Screensaver 1.0 --> C:\Program Files\ScenicReflections\Country Christmas 3D Screensaver\uninst.exe
Crystal Falls Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Crystal Falls.Theme"
Deck the Halls With Pooh and Friends --> C:\Program Files\Deck the Halls With Pooh and Friends\Uninstall.exe
DirectX 8.1 Hotfix - KB839643 --> C:\WINDOWS\$NtUninstallKB839643-DirectX81$\spuninst\spuninst.exe
discoqueen Screensaver --> pysoft_uninstaller.exe /u C:\WINDOWS\system32\discoqueen.scr
easter-basket Screen Saver --> C:\WINDOWS\system32\easter-basket.scr /u
Easter Egg Cut Out Collection by Lady Di Screensaver --> C:\Program Files\Lady Di's Dimension\Easter Egg Cut Out Collection by Lady Di\Uninstall.exe
Evening at Holly Hill --> C:\Program Files\Evening at Holly Hill\Uninstall.exe
Evening Reflections Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Evening Reflections.Theme"
Fairytale Castle --> C:\Program Files\Fairytale Castle\Uninstall.exe
Fascinating Art Screen Saver --> C:\WINDOWS\system32\FASCIN~1.SCR /U
FileOpen Plug-in for Adobe Acrobat« and Adobe Reader« --> MsiExec.exe /I{2E8DC19D-E1E1-402D-A483-CFF559207B94}
fishbowlkittyss Screensaver --> pysoft_uninstaller.exe /u C:\WINDOWS\system32\fishbowlkittyss.scr
FREEWARE And it snows outside by DF DESIGNS Screensaver --> C:\Program Files\DF DESIGNS\FREEWARE And it snows outside by DF DESIGNS\Uninstall.exe
Frost and Gingerbread Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Frost and Gingerbread.theme"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Home For The Holidays Screen Saver --> C:\WINDOWS\SOFTDISK\SSSTUDIO\Home For The Holidays\UNINSTAL.EXE
HP LaserJet 1200 Uninstaller --> C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\setup.exe uninst12.ini
HSP56 MicroModem Drivers --> ptuninst.exe
I Dream of Jeannie by TV Land Screen Saver --> C:\WINDOWS\I Dream of Jeannie by TV Land.scr /u
IKON Quick Review CD --> C:\PROGRA~1\IKONQU~1\UNWISE.EXE C:\PROGRA~1\IKONQU~1\INSTALL.LOG
Intel RSX 3D --> C:\WINDOWS\system32\rsxunins.exe
iTunes --> MsiExec.exe /I{ABCE1C63-56ED-41FF-BEAF-57321F70DC49}
Jonquils and Butterflies Screen Saver --> C:\WINDOWS\SOFTDISK\SSSTUDIO\Jonquils and Butterflies\UNINSTAL.EXE
Kinkade Gazebo Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Kinkade Gazebo.theme"
KONICA MINOLTA bizhub C650 Series --> C:\PROGRA~1\KONICA~1\PRINTE~1\BC650S~1\Setup.exe /UinsOnly:10 C:\PROGRA~1\KONICA~1\PRINTE~1\BC650S~1\Setup.exe Setup.ini /UnInst /LANG:0009
KONICA MINOLTA FTP Utility --> MsiExec.exe /X{7857B993-B7A4-438C-9644-DEF0FA605CC4}
KONICA MINOLTA TWAIN Ver.3 --> MsiExec.exe /I{616E8966-0574-4E9E-A9CD-9CB819EBC162}
LaserJet 1020 series --> C:\Program Files\Zenographics\{8B3C37E0-AEA4-11DA-A52B-00E0186D4779}\SETUP.EXE -u "HPLJInstaller.dll=Hplj1020.inf"
Le_Chateau_d_Esclimont --> C:\WINDOWS\DWUninst.exe "Le_Chateau_d_Esclimont"
Leaving The Station --> "C:\WINDOWS\uninstall leavingthestationss.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Long and Winding Road Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Long and Winding Road.theme"
Main Street Celebration Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Main Street Celebration.theme"
Marshmallow Peeps Screensaver Screen Saver --> C:\WINDOWS\Marshmallow Peeps Screensaver.scr /u
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINDOWS\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 97, Professional Edition --> C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Word 2000 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
midnightsparkle Screensaver --> pysoft_uninstaller.exe /u C:\WINDOWS\system32\midnightsparkle.scr
Mississippi Night Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Mississippi Night.Theme"
mistycastless Screensaver --> pysoft_uninstaller.exe /u C:\WINDOWS\system32\mistycastless.scr
MMs ScreenSaver --> C:\WINDOWS\MMs ScreenSaver.scr /u
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Night Visions --> "C:\WINDOWS\uninstall nightvisions.exe"
Ocean Avenue Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Ocean Avenue.theme"
Oceanside --> C:\WINDOWS\unins003.exe
Paris By Night by Lady Di --> C:\WINDOWS\unins000.exe
Piglets Night Lights Screen Saver --> C:\WINDOWS\INDSOFT\SSAVERS\Piglets Night Lights\UNINSTAL.EXE
Poohs Christmas Carol --> C:\WINDOWS\system32\ssunstl.exe "Poohs Christmas Carol"
Pumpkin Fun Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Pumpkin Fun.Theme"
queensaver Screen Saver --> C:\WINDOWS\queensaver.scr /u
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Ripple into Spring Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Ripple into Spring.Theme"
Rocky Mountain Dream Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Rocky Mountain Dream.theme"
Rue de Paris 1152 Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Rue de Paris 1152.theme"
Rue de Paris Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Rue de Paris.theme"
San Francisco Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\San Francisco.theme"
Santa Fe Station Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Santa Fe Station.theme"
Scenic- Amazing Monuments --> C:\Program Files\Scenic- Amazing Monuments\Uninstall.exe
Scenic- Christmas Snow --> C:\Program Files\Scenic- Christmas Snow\Uninstall.exe
Scenic- Hanging Wonders --> C:\Program Files\Scenic- Hanging Wonders\Uninstall.exe
Scenic- High Rises --> C:\Program Files\Scenic- High Rises\Uninstall.exe
Scenic- Skyscrapers --> C:\Program Files\Scenic- Skyscrapers\Uninstall.exe
seaoftrolls Screen Saver --> C:\WINDOWS\seaoftrolls.scr /u
Second Nature - A Blaze of Color by Tony Sweet --> C:\SLIDESHW\unslide\tsfall\UNSLIDE.EXE C:\SLIDESHW\unslide\tsfall <:> C:\SLIDESHW
Second Nature - An Old Time Christmas by Stewart Sherwood --> C:\SLIDESHW\unslide\sher\UNSLIDE.EXE C:\SLIDESHW\unslide\sher <:> C:\SLIDESHW
Second Nature - Ancient Civilizations by Tom Till --> C:\SLIDESHW\unslide\till\UNSLIDE.EXE C:\SLIDESHW\unslide\till <:> C:\SLIDESHW
Second Nature - Audubon On Wings of Beauty --> C:\PROGRA~1\SECOND~1\unslide\ONWING~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\ONWING~1\INSTALL.LOG
Second Nature - Autumn's Bounty of Color by James Randklev --> C:\SLIDESHW\unslide\randk4\UNSLIDE.EXE C:\SLIDESHW\unslide\randk4 <:> C:\SLIDESHW
Second Nature - Autumn Days --> C:\PROGRA~1\SECOND~1\Images\SLIDESHW\unslide\AutDays\UNSLIDE.EXE C:\PROGRA~1\SECOND~1\Images\SLIDESHW\unslide\AutDays <:> C:\Program Files\Second Nature\Images\SLIDESHW
Second Nature - Autumn Sampler 2007 --> C:\PROGRA~1\SECOND~1\unslide\AUTUMN~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\AUTUMN~1\INSTALL.LOG
Second Nature - Celestial Odyssey II by John Foster --> C:\SLIDESHW\unslide\fostr2\UNSLIDE.EXE C:\SLIDESHW\unslide\fostr2 <:> C:\SLIDESHW
Second Nature - Cowboy Chronicles by Jack Sorenson --> C:\SLIDESHW\unslide\cowboy\UNSLIDE.EXE C:\SLIDESHW\unslide\cowboy <:> C:\SLIDESHW
Second Nature - Floral Studies by Barry Peril --> C:\SLIDESHW\unslide\peril\UNSLIDE.EXE C:\SLIDESHW\unslide\peril <:> C:\SLIDESHW
Second Nature - Glimmer Train Stories --> C:\SLIDESHW\unslide\GLIM\UNSLIDE.EXE C:\SLIDESHW\unslide\GLIM <:> C:\SLIDESHW
Second Nature - Holiday Collection - Pumpernickel Press --> C:\SLIDESHW\unslide\pump\UNSLIDE.EXE C:\SLIDESHW\unslide\pump <:> C:\SLIDESHW
Second Nature - Home for Christmas by Linda Picken --> C:\SLIDESHW\unslide\lindap\UNSLIDE.EXE C:\SLIDESHW\unslide\lindap <:> C:\SLIDESHW
Second Nature - New England Charm --> C:\SLIDESHW\unslide\new\UNSLIDE.EXE C:\SLIDESHW\unslide\new <:> C:\SLIDESHW
Second Nature - Our America --> C:\SLIDESHW\unslide\Flags3\UNSLIDE.EXE C:\SLIDESHW\unslide\Flags3 <:> C:\SLIDESHW
Second Nature - Painted Memories by Jim Hansel --> C:\SLIDESHW\unslide\jimh\UNSLIDE.EXE C:\SLIDESHW\unslide\jimh <:> C:\SLIDESHW
Second Nature - Pathways In Paradise by Alan Giana --> C:\SLIDESHW\unslide\giana\UNSLIDE.EXE C:\SLIDESHW\unslide\giana <:> C:\SLIDESHW
Second Nature - Rainforest Alliance presents the Amazing Amazon --> C:\PROGRA~1\SECOND~1\unslide\RAINFO~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\RAINFO~1\INSTALL.LOG
Second Nature - Romantic Gardens of the Early 1900's --> C:\SLIDESHW\unslide\garden\UNSLIDE.EXE C:\SLIDESHW\unslide\garden <:> C:\SLIDESHW
Second Nature - Second Nature - Snow Splendor --> C:\PROGRA~1\SECOND~1\unslide\HOLIDA~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\HOLIDA~1\INSTALL.LOG
Second Nature - Second Nature - Winter 2007 --> C:\PROGRA~1\SECOND~1\unslide\WINTER~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\WINTER~1\INSTALL.LOG
Second Nature - Second Nature presents Spring 2007 --> C:\PROGRA~1\SECOND~1\unslide\SPRING~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\SPRING~1\INSTALL.LOG
Second Nature - Second Nature presents Summer 2007 --> C:\PROGRA~1\SECOND~1\unslide\SUMMER~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\SUMMER~1\INSTALL.LOG
Second Nature - Second Nature Sampler 08 --> C:\PROGRA~1\SECOND~1\unslide\WINTER~2\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\WINTER~2\INSTALL.LOG
Second Nature - Spirit of the Season by Alan Giana --> C:\SLIDESHW\unslide\giana3\UNSLIDE.EXE C:\SLIDESHW\unslide\giana3 <:> C:\SLIDESHW
Second Nature - Sunrise - Sunset --> C:\SLIDESHW\unslide\set\UNSLIDE.EXE C:\SLIDESHW\unslide\set <:> C:\SLIDESHW
Second Nature - The Cinnamon Creek Collecton --> C:\SLIDESHW\unslide\blay\UNSLIDE.EXE C:\SLIDESHW\unslide\blay <:> C:\SLIDESHW
Second Nature - The Elegant Orchid --> C:\SLIDESHW\unslide\orchid\UNSLIDE.EXE C:\SLIDESHW\unslide\orchid <:> C:\SLIDESHW
Second Nature - The Ultimate Escape Sampler --> C:\PROGRA~1\SECOND~1\unslide\ULTIMA~1\UNWISE.EXE C:\PROGRA~1\SECOND~1\unslide\ULTIMA~1\INSTALL.LOG
Second Nature - Treasured Times by D. R. Laird --> C:\SLIDESHW\unslide\laird\UNSLIDE.EXE C:\SLIDESHW\unslide\laird <:> C:\SLIDESHW
Second Nature - Water Dance by Steven Power --> C:\SLIDESHW\unslide\power\UNSLIDE.EXE C:\SLIDESHW\unslide\power <:> C:\SLIDESHW
Second Nature - What's New at Second Nature? --> C:\SLIDESHW\unslide\SAMP\UNSLIDE.EXE C:\SLIDESHW\unslide\SAMP <:> C:\SLIDESHW
Security Update for DirectX 8 (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568_DX8$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) -->
Security Update for Windows 2000 (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM\MACROMED\SHOCKW~2\Install.log
SiS 650 --> RUNDLL32 setuplib.dll,UnInstall ,315&ISUNINST -f"C:\PROGRA~1\SISCOM~1.22\DeIsL1.isu"&P.U 4 xvga.in&-1
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\WINDOWS\SiS\900\Uninst.exe
SiS Audio Driver --> C:\Progra~1\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012
SiSAGP driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC226AC9-0314-496C-BE6A-B6A132628466}\setup.exe" -l0x9
skittles_screensaver --> C:\WINDOWS\skittles_screensaver.scr /u
Snow Globe Pooh Screensaver --> C:\WINDOWS\system32\Snow Globe Pooh Screensaver.scr u
SoftStuff Screen Saver --> C:\WINDOWS\uninst.exe -fc:\Softstuf\DeIsL1.isu -cc:\Softstuf\_ISREG32.DLL
Somebody's Home Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Somebody's Home.theme"
Spring Windmill 3D Screensaver 1.0 --> C:\Program Files\ScenicReflections\Spring Windmill 3D Screensaver\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
SweetPea's Autumn Afternoon Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\SweetPea's Autumn Afternoon.Theme"
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Symantec pcAnywhere --> MsiExec.exe /I{B05E8183-866A-11D3-97DF-0000F8D8F2E9}
Symantec pcAnywhere --> MsiExec.exe /I{E05E8183-866A-11D3-97DF-0000F8D8F2E9}
The Christmas Tree Free Version Screen Saver --> C:\WINDOWS\system32\The Christmas Tree Free Version.scr /u
The Mystic Altar Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\The Mystic Altar.Theme"
Thomas Kinkade 4th Theme --> "G:\Themes\Desktop Themes.exe" /u "C:\Themes\Thomas Kinkade 4th.theme"
Timeslips 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A7141A5-1178-4BB6-B98D-41B3D4B04888}\setup.exe" -uninst
Timeslips 2005 Local --> C:\Program Files\InstallShield Installation Information\{3A480BE8-3DBB-4C8F-A4D1-C6FCDBE14C09}\Setup.exe
Trevi Water Fountain --> "C:\WINDOWS\uninstall Trevi Water Fountain SS.exe"
Under the Moon of Love --> C:\Program Files\Under the Moon of Love\Uninstall.exe
Warriors Screensaver --> C:\WINDOWS\system32\Warriors Screensaver.scr /u
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~1\setup_wm.exe /Uninstall
Winter Dreams Screensaver --> C:\Program Files\Winter Dreams Screensaver\UnInstal.exe
Winter Playground --> C:\WINDOWS\unins002.exe
wintercollectionss4 --> C:\Program Files\wintercollectionss4\Uninstall.exe
Winters Eve --> C:\WINDOWS\unins001.exe
WinZip --> "C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall
Woodland 2001 Screensaver --> C:\Program Files\Woodland 2001 Screensaver\UnInstal.exe
Woodland Dreams --> C:\Program Files\Delfyn Software\Woodland Dreams\Uninst_Woodland Dreams.exe /U "C:\Program Files\Delfyn Software\Woodland Dreams\Uninst_Woodland Dreams.log"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1858 / Error
Event Submitted/Written: 04/08/2008 10:58:43 AM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type1857 / Error
Event Submitted/Written: 04/08/2008 10:58:43 AM
Event ID/Source: 4124 / Ci
Event Description:
Content index on c:\system volume information\catalog.wci is corrupt. Please shutdown and restart
the Indexing Service (cisvc).

Event Record #/Type1856 / Warning
Event Submitted/Written: 04/08/2008 10:58:43 AM
Event ID/Source: 4132 / Ci
Event Description:
41 inconsistencies were detected in PropertyStore during recovery of catalog c:\system volume information\catalog.wci.

Event Record #/Type1810 / Error
Event Submitted/Written: 04/03/2008 07:20:53 PM
Event ID/Source: 11606 / MsiInstaller
Event Description:
Product: Symantec AntiVirus Client -- Error 1606.Could not access network location \\vdmserver\Margaret\margaret_bk\my documents\My Pictures\.

Event Record #/Type1809 / Error
Event Submitted/Written: 04/03/2008 07:20:53 PM
Event ID/Source: 11606 / MsiInstaller
Event Description:
Product: Symantec AntiVirus Client -- Error 1606.Could not access network location \\vdmserver\Margaret\margaret_bk\my documents\My Pictures\.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4450 / Warning
Event Submitted/Written: 04/07/2008 09:53:13 AM
Event ID/Source: 11050 / dnscache
Event Description:
The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.

Event Record #/Type4449 / Error
Event Submitted/Written: 04/07/2008 09:52:22 AM
Event ID/Source: 4319 / NetBT
Event Description:
A duplicate name has been detected on the TCP network. The IP address of
the machine that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.

Event Record #/Type4448 / Error
Event Submitted/Written: 04/07/2008 09:52:22 AM
Event ID/Source: 4319 / NetBT
Event Description:
A duplicate name has been detected on the TCP network. The IP address of
the machine that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.

Event Record #/Type4447 / Error
Event Submitted/Written: 04/07/2008 09:46:22 AM
Event ID/Source: 33 / Print
Event Description:
The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b

Event Record #/Type4446 / Warning
Event Submitted/Written: 04/07/2008 09:46:09 AM
Event ID/Source: 54 / w32time
Event Description:
The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.



-- End of Deckard's System Scanner: finished at 2008-04-08 16:31:47 ------------

Deckard's System Scanner v20071014.68
Run by user on 2008-04-09 12:25:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:01 PM, on 4/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\khooker.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\s1bktqv6p3.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://VMSERVER:80
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 207.155.252.31 pop3.vdm-law.com.cnchost.com
O1 - Hosts: 207.155.248.31 smtp.vdm-law.com.cnchost.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D977F63-06C7-4B54-A65F-5BF72510A582} - C:\WINDOWS\system32\avifileo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6684B749-26AB-4478-8670-31FABCC2201C} - c:\windows\system32\d3drefg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [s1bktqv6p3] C:\WINDOWS\system32\s1bktqv6p3.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [s1bktqv6p3] C:\WINDOWS\system32\s1bktqv6p3.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KONICA MINOLTA FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://dsjcpa.tzo.com/Remote/msrdp.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vdm-law.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vdm-law.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vdm-law.com
O20 - Winlogon Notify: lsvxqhbn - C:\WINDOWS\SYSTEM32\d3drefg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 7404 bytes

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 08:56:47 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_230.dat
2008-04-09 05:46:41 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_100.dat
2008-04-08 16:35:45 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 16:31:42 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_3c0.dat
2008-04-08 10:51:45 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_1fc.dat
2008-04-07 15:41:57 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_234.dat
2008-04-07 09:39:48 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_224.dat
2008-04-05 03:48:22 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_1dc.dat
2008-04-04 19:04:02 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_390.dat
2008-04-04 15:32:14 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_1e8.dat
2008-04-04 10:51:05 0 d-------- C:\Program Files\Trend Micro
2008-04-04 08:50:47 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_258.dat
2008-04-04 05:19:45 744528 ---h----- C:\WINDOWS\ShellIconCache
2008-04-03 17:35:08 0 d-------- C:\Program Files\Symantec_Client_Security
2008-04-03 16:12:49 0 d-------- C:\Program Files\Alwil Software
2008-04-03 11:12:53 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-03 11:12:52 35072 --a------ C:\WINDOWS\system32\iqgwtvgd.dat
2008-04-03 11:12:52 6491392 --a------ C:\WINDOWS\system32\bhveiiti.dat
2008-04-03 11:12:51 36608 --a------ C:\WINDOWS\system32\znxpfdwo.dat
2008-04-03 11:12:51 42752 --a------ C:\WINDOWS\system32\xxuyzdnd.dat
2008-04-03 11:12:51 638208 --a------ C:\WINDOWS\system32\gllgaltd.dat
2008-04-02 10:59:20 110336 --a------ C:\WINDOWS\system32\kwjxrmsq.dat
2008-04-02 10:52:30 81920 --a------ C:\WINDOWS\system32\d3drefg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-02 10:51:59 17408 --a------ C:\WINDOWS\system32\s1bktqv6p3.exe
2008-04-02 10:51:15 88064 --a------ C:\WINDOWS\system32\avifileo.dll
2008-03-17 18:04:21 0 d-------- C:\Documents and Settings\user\Application Data\FileOpen
2008-03-17 18:04:13 0 d-------- C:\Program Files\FileOpen
2008-03-14 09:43:46 197120 --a------ C:\WINDOWS\system32\Warriors Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-14 09:43:46 0 d-------- C:\WINDOWS\system32\Warriors Screensaver dir
2008-03-14 09:42:59 192000 --a------ C:\WINDOWS\seaoftrolls.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-14 09:42:55 0 d-------- C:\WINDOWS\seaoftrolls dir
2008-03-14 09:42:18 471040 --a------ C:\WINDOWS\queensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-14 09:42:15 0 d-------- C:\WINDOWS\queensaver dir
2008-03-13 11:39:23 192000 --a------ C:\WINDOWS\MMs ScreenSaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 11:39:20 0 d-------- C:\WINDOWS\MMs ScreenSaver dir
2008-03-13 11:33:29 202092 --a------ C:\WINDOWS\HERSHE~1.scr
2008-03-13 11:33:29 1650521 --a------ C:\WINDOWS\HERSHE~1.exe <Not Verified; Macromedia, Inc.; Macromedia Director>
2008-03-13 11:32:56 532480 --a------ C:\WINDOWS\system32\Cadbury Bunny Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 11:32:55 0 d-------- C:\WINDOWS\system32\Cadbury Bunny Screensaver dir
2008-03-13 11:32:27 201728 --a------ C:\WINDOWS\system32\easter-basket.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 11:32:27 0 d-------- C:\WINDOWS\system32\easter-basket dir
2008-03-13 11:31:27 192000 --a------ C:\WINDOWS\skittles_screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 11:31:24 0 d-------- C:\WINDOWS\skittles_screensaver dir
2008-03-13 11:29:56 471040 --a------ C:\WINDOWS\Marshmallow Peeps Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 11:29:52 0 d-------- C:\WINDOWS\Marshmallow Peeps Screensaver dir
2008-03-13 10:28:47 415157 --a------ C:\WINDOWS\Pop.exe <Not Verified; Macromedia, Inc.; Flash 4.0>
2008-03-13 10:28:47 30208 --a------ C:\WINDOWS\mickey32.dll <Not Verified; MacSourcery; Mickey DLL>
2008-03-13 10:27:20 192000 --a------ C:\WINDOWS\Bewitched by TV Land.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 10:27:16 0 d-------- C:\WINDOWS\Bewitched by TV Land dir
2008-03-13 10:14:15 192000 --a------ C:\WINDOWS\I Dream of Jeannie by TV Land.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-03-13 10:14:11 12288 --a------ C:\WINDOWS\impborl.dll
2008-03-13 10:14:11 0 d-------- C:\WINDOWS\I Dream of Jeannie by TV Land dir
2008-03-13 10:14:11 535040 --a------ C:\WINDOWS\flashax.exe <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>
2008-03-13 09:06:54 520704 --a------ C:\WINDOWS\Peanuts Baseball Game.scr
2008-03-13 09:06:54 0 d-------- C:\Program Files\Peanuts Baseball Game
2008-03-13 09:06:46 1256994 --a------ C:\WINDOWS\MM_s.scr
2008-03-12 13:19:28 1864206 --a------ C:\WINDOWS\Rocky Mountain Way.scr <Not Verified; AllerSoft; AnimateIt Screen Saver Toolkit>
2008-03-12 13:03:19 7621168 --a------ C:\WINDOWS\system32\Easter Egg Cut Out Collection by Lady Di.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer>
2008-03-12 12:49:30 0 d-------- C:\Program Files\Lady Di's Dimension
2008-03-12 12:45:39 1563 --a------ C:\WINDOWS\unins003.dat
2008-03-12 12:45:15 219046 --a------ C:\WINDOWS\uninstall nightvisions.exe
2008-03-12 12:45:13 21010119 --a------ C:\WINDOWS\nightvisions.scr
2008-03-12 12:44:31 6399870 --a------ C:\WINDOWS\system32\Misty Castless.scr <Not Verified; ; Animated Screen>
2008-03-12 12:44:16 4 --a------ C:\WINDOWS\HP26J06UOY1FB3G0GWBJ64FH
2008-03-12 12:44:08 858317 --a------ C:\WINDOWS\system32\Midnight Sparkle.scr <Not Verified; ; Animated Screen>
2008-03-12 12:43:27 1203620 --a------ C:\WINDOWS\Fairytale Castle.scr <Not Verified; AllerSoft; AnimateIt Screen Saver Toolkit>
2008-03-12 12:43:27 0 d-------- C:\Program Files\Fairytale Castle
2008-03-12 12:42:45 2622388 --a------ C:\WINDOWS\system32\fishbowlkittyss.scr <Not Verified; ; Animated Screen>
2008-03-12 12:41:48 9728 --a------ C:\WINDOWS\system32\UnInstall Fascinating Art.exe
2008-03-12 12:41:46 6382658 --a------ C:\WINDOWS\system32\Fascinating Art.scr
2008-03-12 12:40:44 4782217 --a------ C:\WINDOWS\system32\discoqueen.scr <Not Verified; Di's Dimension (www.disdimension.com); Animated Screen>
2008-03-12 12:40:44 78336 --a------ C:\WINDOWS\pysoft_uninstaller.exe <Not Verified; ; Animated Screen (www.pysoft.com)>
2008-03-11 16:02:42 245760 --a------ C:\WINDOWS\Jonquils and Butterflies.scr
2008-03-11 16:01:16 5647978 --a------ C:\WINDOWS\system32\Bearmont Castle.scr
2008-03-10 17:47:23 270336 --a------ C:\WINDOWS\system32\xaudio.dll <Not Verified; Xaudio Corporation; Xaudio SDK Runtime>
2008-03-10 17:47:23 210432 --a------ C:\WINDOWS\system32\npmod32.dll <Not Verified; Olivier Lapicque; MOD Plugin>
2008-03-10 17:47:23 143360 --a------ C:\WINDOWS\system32\ezunzip.dll <Not Verified; Econg.com; Econg.com UnZip Windows DLL>
2008-03-10 17:47:23 24576 --a------ C:\WINDOWS\system32\EZTIMER.DLL <Not Verified; www.econg.com; Easy Screen Studio Timer>
2008-03-10 14:53:06 0 d-------- C:\Program Files\TZEdit


-- Find3M Report ---------------------------------------------------------------

2008-04-03 17:35:34 0 d-a------ C:\Program Files\Symantec
2008-04-03 17:35:30 0 d-a------ C:\Program Files\Common Files\Symantec Shared
2008-04-03 11:12:53 0 dra------ C:\Program Files\Common Files
2008-04-02 15:36:03 0 d-a------ C:\Program Files\Timeslips
2008-04-02 11:54:55 0 d-------- C:\Program Files\Easy CD-DA Extractor 10
2008-03-21 15:35:38 0 d-a------ C:\Documents and Settings\user\Application Data\AdobeUM
2008-03-12 13:05:53 0 d-------- C:\Program Files\Irene's Images
2008-03-12 12:39:41 74744 --a------ C:\WINDOWS\Uninstal.exe
2008-03-10 17:29:40 0 d-a------ C:\Program Files\Common Files\Adobe
2008-03-06 15:36:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 15:42:48 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_2fc.dat
2008-03-04 15:09:47 61678 --a------ C:\Documents and Settings\user\Application Data\PFP110JPR.{PB
2008-03-04 15:09:47 12358 --a------ C:\Documents and Settings\user\Application Data\PFP110JCM.{PB
2008-03-04 15:09:45 0 d-------- C:\Documents and Settings\user\Application Data\Corel
2008-03-04 15:07:50 0 d-a------ C:\Program Files\Common Files\InstallShield
2008-03-04 14:43:17 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_518.dat
2008-03-04 11:24:15 0 d-------- C:\Program Files\Evening at Holly Hill
2008-03-04 11:23:20 219046 --a------ C:\WINDOWS\uninstall leavingthestationss.exe
2008-03-04 11:23:20 5385056 --a------ C:\WINDOWS\leavingthestationss.scr
2008-03-04 10:24:41 0 d-------- C:\Program Files\Second Nature
2008-03-04 09:45:34 0 d-------- C:\Program Files\Mojicon Installer
2008-02-26 01:11:28 4272513 --a------ C:\WINDOWS\Paris Bears.scr <Not Verified; AllerSoft; AnimateIt Screen Saver Toolkit>
2008-02-20 11:12:38 9835690 --a------ C:\WINDOWS\FromParis_pack1.SCR
2008-02-11 11:45:33 1241536 --a------ C:\WINDOWS\Under the Moon of Love.scr <Not Verified; AllerSoft; AnimateIt Screen Saver Toolkit>
2008-02-11 11:45:33 0 d-------- C:\Program Files\Under the Moon of Love
2008-02-11 10:24:41 4 --a------ C:\WINDOWS\HP2608BW4W4Q7HJM6QJJI7T0
2008-02-11 10:24:07 1981 --a------ C:\WINDOWS\unins002.dat
2008-01-10 15:42:05 1877 --a------ C:\WINDOWS\unins001.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D977F63-06C7-4B54-A65F-5BF72510A582}]
07/14/03 08:00a 88064 --a------ C:\WINDOWS\system32\avifileo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6684B749-26AB-4478-8670-31FABCC2201C}]
04/07/08 09:13a 81920 --a------ c:\windows\system32\d3drefg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [07/14/03 08:00a C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [07/14/03 08:00a C:\WINDOWS\SYSTEM32\mobsync.exe]
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [01/24/02 02:31p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/07 03:53p]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/07 08:14p]
"s1bktqv6p3"="C:\WINDOWS\system32\s1bktqv6p3.exe" [07/23/07 01:37p]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/08 02:37p]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/02 11:35a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/26/07 04:28p]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" []
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [11/01/04 04:55p]
"s1bktqv6p3"="C:\WINDOWS\system32\s1bktqv6p3.exe" [07/23/07 01:37p]
"MSI Configuration"="msiconf.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
KONICA MINOLTA FTP Utility.lnk - C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe [10/27/2004 4:40:24 PM]
Snsicon.lnk - C:\Program Files\Second Nature\Snsicon.exe [8/28/2007 10:51:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lsvxqhbn]
d3drefg.dll 04/07/08 09:13a 81920 C:\WINDOWS\SYSTEM32\d3drefg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 10/31/03 11:01a 8704 C:\WINDOWS\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PTSNOOP"=ptsnoop.exe
"CountrySelection"=pctptt.exe
"SiS7012Utility"=C:\WINDOWS\system32\SISAUDUT.EXE -wdm
"SiS KHooker"=C:\WINDOWS\system32\KHOOKER.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wscznzhj




-- End of Deckard's System Scanner: finished at 2008-04-09 12:26:30 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 12:18:06 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 692530
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 50109
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 42
Duration of the scan process: 01:39:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <cservice.refu576883009eh.cm@regions.com>][Date Sun, 20 May 2007 17:27:20 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <cservice.refu576883009eh.cm@regions.com>][Date Sun, 20 May 2007 17:27:20 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientdepmnt.refa991731227f.cm@regions.com>][Date Sat, 19 May 2007 18:04:58 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientdepmnt.refa991731227f.cm@regions.com>][Date Sat, 19 May 2007 18:04:58 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refXR68709830332OE.cm@regions.com>][Date Fri, 18 May 2007 09:52:32 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refXR68709830332OE.cm@regions.com>][Date Fri, 18 May 2007 09:52:32 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientcare.reftw31681792yw.cm@regions.com>][Date Mon, 21 May 2007 11:54:07 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientcare.reftw31681792yw.cm@regions.com>][Date Mon, 21 May 2007 11:54:07 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refF580837581.cm@regions.com>][Date Tue, 22 May 2007 16:05:11 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refF580837581.cm@regions.com>][Date Tue, 22 May 2007 16:05:11 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientservice.refdc3178713304h.cm@regions.com>][Date Fri, 25 May 2007 06:14:56 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientservice.refdc3178713304h.cm@regions.com>][Date Fri, 25 May 2007 06:14:56 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Commerce Bank" <cservice.refZW3222767437MZ.cm@commercebank.com>][Date Tue, 29 May 2007 03:35:23 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Commerce Bank" <cservice.refZW3222767437MZ.cm@commercebank.com>][Date Tue, 29 May 2007 03:35:23 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <cservice.ref367879783079450.cm@regions.com>][Date Sat, 26 May 2007 14:36:28 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <cservice.ref367879783079450.cm@regions.com>][Date Sat, 26 May 2007 14:36:28 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientdepmnt.refte15729661717918.cm@regions.com>][Date Sat, 26 May 2007 01:51:32 -0500]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientdepmnt.refte15729661717918.cm@regions.com>][Date Sat, 26 May 2007 01:51:32 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <custservice.refkd828746991746u.cm@regions.com>][Date Tue, 29 May 2007 16:36:32 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx/[From "Regions bank" <custservice.refkd828746991746u.cm@regions.com>][Date Tue, 29 May 2007 16:36:32 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: suspicious - 20 skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <reference-91458450ib@bbt.com>][Date Wed, 28 Mar 2007 15:24:22 -0400 (EDT)]/UNNAMED/allentown.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <reference-91458450ib@bbt.com>][Date Wed, 28 Mar 2007 15:24:22 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\Administrator\Desktop\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <cservice.refu576883009eh.cm@regions.com>][Date Sun, 20 May 2007 17:27:20 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <cservice.refu576883009eh.cm@regions.com>][Date Sun, 20 May 2007 17:27:20 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientdepmnt.refa991731227f.cm@regions.com>][Date Sat, 19 May 2007 18:04:58 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientdepmnt.refa991731227f.cm@regions.com>][Date Sat, 19 May 2007 18:04:58 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refXR68709830332OE.cm@regions.com>][Date Fri, 18 May 2007 09:52:32 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refXR68709830332OE.cm@regions.com>][Date Fri, 18 May 2007 09:52:32 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientcare.reftw31681792yw.cm@regions.com>][Date Mon, 21 May 2007 11:54:07 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientcare.reftw31681792yw.cm@regions.com>][Date Mon, 21 May 2007 11:54:07 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refF580837581.cm@regions.com>][Date Tue, 22 May 2007 16:05:11 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <clientcare.refF580837581.cm@regions.com>][Date Tue, 22 May 2007 16:05:11 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientservice.refdc3178713304h.cm@regions.com>][Date Fri, 25 May 2007 06:14:56 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientservice.refdc3178713304h.cm@regions.com>][Date Fri, 25 May 2007 06:14:56 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Commerce Bank" <cservice.refZW3222767437MZ.cm@commercebank.com>][Date Tue, 29 May 2007 03:35:23 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Commerce Bank" <cservice.refZW3222767437MZ.cm@commercebank.com>][Date Tue, 29 May 2007 03:35:23 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <cservice.ref367879783079450.cm@regions.com>][Date Sat, 26 May 2007 14:36:28 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions Bank" <cservice.ref367879783079450.cm@regions.com>][Date Sat, 26 May 2007 14:36:28 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientdepmnt.refte15729661717918.cm@regions.com>][Date Sat, 26 May 2007 01:51:32 -0500]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <clientdepmnt.refte15729661717918.cm@regions.com>][Date Sat, 26 May 2007 01:51:32 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <custservice.refkd828746991746u.cm@regions.com>][Date Tue, 29 May 2007 16:36:32 -0400 (EDT)]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Regions bank" <custservice.refkd828746991746u.cm@regions.com>][Date Tue, 29 May 2007 16:36:32 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: suspicious - 20 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <reference-91458450ib@bbt.com>][Date Wed, 28 Mar 2007 15:24:22 -0400 (EDT)]/UNNAMED/allentown.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Inbox.dbx/[From "Branch Banking and Trust" <reference-91458450ib@bbt.com>][Date Wed, 28 Mar 2007 15:24:22 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{3DE929DD-4432-4216-AB93-77DCF2C28977}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Leslie\Deleted Items.dbx/[From eBay Inc <custservice_547@ebay.com>][Date Fri, 14 Oct 2005 18:44:39 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\user\Leslie\Deleted Items.dbx/[From eBay Inc <custservice_547@ebay.com>][Date Fri, 14 Oct 2005 18:44:39 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\user\Leslie\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012008040920080410\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\INMEM000.REM Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010005.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\ipsecpa.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.ALT Object is locked skipped
C:\WINDOWS\SYSTEM32\d3drefg.dll Infected: Backdoor.Win32.Rbot.jqt skipped
C:\WINDOWS\SYSTEM32\Perflib_Perfdata_230.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 10:34:25 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 692530
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\user\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 11668
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:21:25

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\ipsecpa.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.ALT Object is locked skipped
C:\WINDOWS\SYSTEM32\d3drefg.dll Infected: Backdoor.Win32.Rbot.jqt skipped
C:\WINDOWS\SYSTEM32\Perflib_Perfdata_230.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\user\LOCALS~1\Temp\INMEM000.REM Object is locked skipped

Scan process completed.

Again thank you for any and all help.


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 14 April 2008 - 07:14 AM

Hello Brussel57 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\d3drefg.dll
C:\WINDOWS\system32\s1bktqv6p3.exe
C:\WINDOWS\system32\avifileo.dll
File::
C:\WINDOWS\system32\iqgwtvgd.dat
C:\WINDOWS\system32\bhveiiti.dat
C:\WINDOWS\system32\znxpfdwo.dat
C:\WINDOWS\system32\xxuyzdnd.dat
C:\WINDOWS\system32\gllgaltd.dat
C:\WINDOWS\system32\kwjxrmsq.dat
NetSvc::
wscznzhj
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D977F63-06C7-4B54-A65F-5BF72510A582}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6684B749-26AB-4478-8670-31FABCC2201C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"s1bktqv6p3"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"s1bktqv6p3"=-
"MSI Configuration"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lsvxqhbn]

Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 14 April 2008 - 08:25 AM

Hi Thunder

Thank you for helping me. I am in the process of following your instructions. The only problem is when the guide for Combo Fix said to install Windows Recovery Console. Where do I find this program? I am running Windows 2000. If you could point me in the right direction then I can complete the Combo fix steps.

Thanks again for your help.
Leslie

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 14 April 2008 - 08:42 AM

Hello Leslie,

This is the procedure for Win2K:
To install the Recovery Console, perform the following steps:

1. Insert the Win2K CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type d:\i386\winnt32.exe /cmdcons
where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears, which describes the Recovery Console option.
5. The system prompts you to confirm installation. Click Yes to start the installation procedure.
6. Restart the computer. The next time you start your computer, you will see a "Microsoft Windows Recovery Console" entry on the boot menu.
If you do not have your Win2K boot-CD at hand right now, you can skip this procedure for now, as it's possible to boot to the RC using the boot-CD at any given time.

Greetings,
Thunder

#5 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 14 April 2008 - 11:58 AM

Hi Thunder

Followed your instructions regarding the Recovery Console and was successful. However, once I try to run Combofix my system keeps restarting. All virus programs are turned off. The first time it restarted I dragged the txt file you told me to create, CSFscript.txt, into it. It ran again but then the system rebooted again. On startup I now notice a zip file on my desktop - Catchme.zip. I know I didn't save one there.

Do you have any idea on:
1) How to get Combofix to stop restarting the system until after it runs the scan completely.
2) What/where Catchme.zip came from? Is this from Combofix?

Sorry to be having problems
Thanks for all your help
Leslie

Edited by brussel57, 14 April 2008 - 03:01 PM.


#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 15 April 2008 - 03:20 AM

Hello Brussel57,

Just to avoid misunderstandings:
your PC reboots prematurely? Before ComboFix finishes its run?
In normal conditions, ComboFix would run for a couple of minutes, then reboot your system.
You then can find a C:\ComboFix.txt file (log file).
What happens if you run ComboFix by simply double-clicking the red ComboFix.exe icon?
Catchme.zip is indeed produced by ComboFix.

Greetings,
Thunder

#7 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 15 April 2008 - 08:29 AM

I'm glad to hear that Catchme is part of Combofix. When I first saw it, it sounded like a virus taunting me.

I re-ran Combo this morning and made a note of everything it did. It brought up a blue box; backed up the registry; began scanning. It reached Stage 3 complete and that is when the computer restarted.

Then got the choice to enter either 1) Windows Professional or 2) Windows Recovery Console. I chose 1 and the computer finished loading. Combofix does not continue once everything stops loading.

This time the log was created but there is not much in it. I pasted the log along with the new Hijackthis log.

ComboFix 08-04-13.3 - user 04/15/2008 9:29:56.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.219 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\bhveiiti.dat
C:\WINDOWS\system32\gllgaltd.dat
C:\WINDOWS\system32\iqgwtvgd.dat
C:\WINDOWS\system32\kwjxrmsq.dat
C:\WINDOWS\system32\xxuyzdnd.dat
C:\WINDOWS\system32\znxpfdwo.dat
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:37, on 2008-04-15
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://VMSERVER:80
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 207.155.252.31 pop3.vdm-law.com.cnchost.com
O1 - Hosts: 207.155.248.31 smtp.vdm-law.com.cnchost.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D977F63-06C7-4B54-A65F-5BF72510A582} - C:\WINDOWS\system32\avifileo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6684B749-26AB-4478-8670-31FABCC2201C} - c:\windows\system32\d3drefg.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [s1bktqv6p3] C:\WINDOWS\system32\s1bktqv6p3.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [s1bktqv6p3] C:\WINDOWS\system32\s1bktqv6p3.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KONICA MINOLTA FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://dsjcpa.tzo.com/Remote/msrdp.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vdm-law.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vdm-law.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vdm-law.com
O20 - Winlogon Notify: lsvxqhbn - d3drefg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 7420 bytes


Sorry for length of post. Just want to make sure I give you all info.

Edited by brussel57, 15 April 2008 - 08:31 AM.
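As an added example (not code from the thread, ComboFix or HijackThis), the following Python script applies the three checks Thunder's CFScript in post #2 rests on to the HijackThis entries posted above: unnamed or file-missing O2 BHOs, an O4 Run value named after its own random-looking executable, and an O20 Winlogon Notify entry whose DLL is missing. It then lays the result out in the CFScript format from that post; the random-name test is a heuristic assumed here, and the `Collect::[9]` header is copied as written there.

```python
"""Triage HijackThis log lines for the entry types removed in this thread and emit a
ComboFix CFScript laid out like Thunder's. Added example, not ComboFix's, HijackThis's
or the helper's code: section names and the [-KEY] / "name"=- syntax are copied from
the thread's script; looks_generated() is a heuristic assumed here."""
import re
from dataclasses import dataclass, field

RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# HijackThis line shapes for the three entry types the thread's script removes.
O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")

@dataclass
class CFScript:
    collect: list = field(default_factory=list)        # files to submit for analysis
    files: list = field(default_factory=list)          # files to delete outright
    netsvcs: list = field(default_factory=list)        # service names to remove
    delete_keys: list = field(default_factory=list)    # whole registry keys to drop
    delete_values: dict = field(default_factory=dict)  # registry key -> [value names]

def _add(items, item):
    """Append unless already present, ignoring case (Windows paths and names)."""
    if item.lower() not in (x.lower() for x in items):
        items.append(item)

def looks_generated(name):
    """Heuristic (assumed): names like s1bktqv6p3 or lsvxqhbn have no vowels
    at all, or mix digits into a run of letters."""
    stem = name.rsplit(".", 1)[0].lower()
    return len(stem) >= 7 and (
        re.search(r"[aeiou]", stem) is None
        or (re.search(r"\d", stem) is not None
            and re.search(r"[a-z]{3}", stem) is not None))

def triage(log_lines, av_hits=(), netsvcs=()):
    """Collect removal targets from HijackThis lines. av_hits: paths an AV scan
    already flagged (the thread: d3drefg.dll); netsvcs: service names found by
    other means (the thread: wscznzhj)."""
    s = CFScript(netsvcs=list(netsvcs))
    for hit in av_hits:
        _add(s.collect, hit)
    for raw in log_lines:
        line = raw.strip()
        if m := O2.match(line):
            # Unnamed BHO or one whose DLL is already gone: drop its CLSID key.
            if m["name"] == "(no name)" or "(file missing)" in m["path"]:
                _add(s.delete_keys, f"{BHO_KEY}\\{m['clsid']}")
                _add(s.collect, m["path"].replace(" (file missing)", ""))
        elif m := O4.match(line):
            cmd = m["cmd"].strip('"')
            stem = cmd.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            # Run value named after its own random-looking exe (the s1bktqv6p3 pattern).
            if stem.lower() == m["value"].lower() and looks_generated(m["value"]):
                _add(s.delete_values.setdefault(RUN_KEYS[m["hive"]], []), m["value"])
                _add(s.collect, cmd)
        elif m := O20.match(line):
            # Winlogon Notify package with a missing or random-looking DLL.
            if "(file missing)" in m["dll"] or looks_generated(m["name"]):
                _add(s.delete_keys, f"{NOTIFY_KEY}\\{m['name']}")
    return s

def render(s):
    """Lay the findings out as a CFScript in the thread's format."""
    out = []
    if s.collect:
        out += ["Collect::[9]", *s.collect]  # "[9]" copied as written in the thread
    if s.files:
        out += ["File::", *s.files]
    if s.netsvcs:
        out += ["NetSvc::", *s.netsvcs]
    if s.delete_keys or s.delete_values:
        out.append("Registry::")
        out += [f"[-{k}]" for k in s.delete_keys]
        for key, names in s.delete_values.items():
            out += [f"[{key}]", *[f'"{n}"=-' for n in names]]
    return "\n".join(out) + "\n"

# Sample input: lines taken from the HijackThis log posted above in this thread.
SAMPLE_HJT = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {3D977F63-06C7-4B54-A65F-5BF72510A582} - C:\WINDOWS\system32\avifileo.dll (file missing)",
    r"O2 - BHO: (no name) - {6684B749-26AB-4478-8670-31FABCC2201C} - c:\windows\system32\d3drefg.dll (file missing)",
    r"O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe",
    r"O4 - HKLM\..\Run: [s1bktqv6p3] C:\WINDOWS\system32\s1bktqv6p3.exe",
    r"O4 - HKCU\..\Run: [s1bktqv6p3] C:\WINDOWS\system32\s1bktqv6p3.exe",
    r"O20 - Winlogon Notify: lsvxqhbn - d3drefg.dll (file missing)",
]

if __name__ == "__main__":
    print(render(triage(SAMPLE_HJT, av_hits=[r"C:\WINDOWS\system32\d3drefg.dll"],
                        netsvcs=["wscznzhj"])))
```

Entries the heuristic does not reach (the thread's `[MSI Configuration] msiconf.exe` value, or the `.dat` files only the DSS log showed) still have to be added by hand, which is why the helper's script is longer than this output.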


#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 15 April 2008 - 09:56 AM

Hello Leslie,

It looks like something is interfering with ComboFix.

Boot your computer in Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows window appears, tap the F8 key continually;
  • Instead of loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Now drop the CFScript.txt file onto ComboFix and see if it can perform a complete run.

Please post the new ComboFix log in your next reply.

Greetings,
Thunder

#9 brussel57

brussel57
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 15 April 2008 - 11:47 AM

Boot your computer in Safe Mode

Yeah! That did it.

Here are the logs from Combofix and Hijackthis:

ComboFix 08-04-13.3 - Administrator 04/15/2008 12:39:51.2 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.322 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\bhveiiti.dat
C:\WINDOWS\system32\gllgaltd.dat
C:\WINDOWS\system32\iqgwtvgd.dat
C:\WINDOWS\system32\kwjxrmsq.dat
C:\WINDOWS\system32\xxuyzdnd.dat
C:\WINDOWS\system32\znxpfdwo.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\d3drefg.dll
.
---- Previous Run -------
.
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\system32\avifileo.dll
C:\WINDOWS\system32\bhveiiti.dat
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\d3drefg.dll
C:\WINDOWS\system32\gllgaltd.dat
C:\WINDOWS\system32\iqgwtvgd.dat
C:\WINDOWS\system32\kwjxrmsq.dat
C:\WINDOWS\system32\s1bktqv6p3.exe
C:\WINDOWS\system32\xxuyzdnd.dat
C:\WINDOWS\system32\znxpfdwo.dat
C:\WINDOWS\Web\default.htt
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WSCZNZHJ
-------\Service_wscznzhj


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 12:45 . 04/15/08 12:45p 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_234.dat
2008-04-15 12:34 . 04/15/08 12:34p 1,285,082 ---h----- C:\WINDOWS\ShellIconCache
2008-04-15 12:08 . 04/14/08 08:58a 1,700,404 --a------ C:\Temp\ComboFix.exe
2008-04-08 16:35 . 04/08/08 04:35p <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-08 16:35 . 04/08/08 04:35p <DIR> d-------- C:\WINDOWS\All Users\Application Data\Kaspersky Lab
2008-04-08 16:29 . 04/08/08 04:29p <DIR> d-------- C:\Deckard
2008-04-04 10:51 . 04/04/08 10:51a <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 19:13 . 03/29/08 02:31p 75,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
2008-04-03 19:13 . 03/29/08 02:35p 20,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
2008-04-03 18:56 . 04/03/08 06:56p 0 --a------ C:\WINDOWS\vpc32.INI
2008-04-03 17:35 . 04/03/08 05:35p <DIR> d-------- C:\Program Files\Symantec_Client_Security
2008-04-03 16:13 . 03/29/08 02:23p 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-04-03 16:13 . 03/29/08 02:35p 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-04-03 16:13 . 01/17/08 11:34a 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-04-03 16:13 . 03/29/08 02:27p 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-04-03 16:13 . 03/29/08 02:26p 26,944 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-04-03 16:13 . 03/29/08 02:29p 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-04-03 16:12 . 04/03/08 04:12p <DIR> d-------- C:\Program Files\Alwil Software
2008-04-03 16:12 . 03/29/08 02:45p 1,146,232 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-04-03 16:12 . 01/09/04 05:13a 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-04-03 11:12 . 04/03/08 11:13a <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-03 11:12 . 04/03/08 11:12a 1,015,808 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2008-04-03 11:12 . 04/03/08 11:12a 196,608 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2008-03-17 18:04 . 03/17/08 06:04p <DIR> d-------- C:\WINDOWS\All Users\Application Data\FileOpen
2008-03-17 18:04 . 03/17/08 06:04p <DIR> d-------- C:\Program Files\FileOpen
2008-03-17 18:04 . 03/17/08 06:04p <DIR> d-------- C:\Documents and Settings\user\Application Data\FileOpen

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 16:32 --------- d---a-w C:\Documents and Settings\user\Application Data\AdobeUM
2008-04-03 21:35 --------- d---a-w C:\Program Files\Symantec
2008-04-03 21:35 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-04-02 20:53 --------- d---a-w C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:36 --------- d---a-w C:\Program Files\Timeslips
2008-04-02 15:54 --------- d---a-w C:\Program Files\Spybot - Search & Destroy
2008-04-02 15:54 --------- d-----w C:\Program Files\Easy CD-DA Extractor 10
2008-04-02 13:23 --------- d---a-w C:\WINDOWS\All Users\Application Data\TEMP
2008-03-14 13:42 535,040 ----a-w C:\WINDOWS\flashax.exe
2008-03-14 13:42 471,040 ----a-w C:\WINDOWS\queensaver.scr
2008-03-14 13:42 192,000 ----a-w C:\WINDOWS\seaoftrolls.scr
2008-03-14 13:42 12,288 ----a-w C:\WINDOWS\impborl.dll
2008-03-13 15:39 192,000 ----a-w C:\WINDOWS\MMs ScreenSaver.scr
2008-03-13 15:33 202,092 ----a-w C:\WINDOWS\HERSHE~1.scr
2008-03-13 15:33 1,650,521 ----a-w C:\WINDOWS\HERSHE~1.exe
2008-03-13 15:31 192,000 ----a-w C:\WINDOWS\skittles_screensaver.scr
2008-03-13 15:29 471,040 ----a-w C:\WINDOWS\Marshmallow Peeps Screensaver.scr
2008-03-13 14:28 415,157 ----a-w C:\WINDOWS\Pop.exe
2008-03-13 14:28 30,208 ----a-w C:\WINDOWS\mickey32.dll
2008-03-13 14:27 192,000 ----a-w C:\WINDOWS\Bewitched by TV Land.scr
2008-03-13 14:14 192,000 ----a-w C:\WINDOWS\I Dream of Jeannie by TV Land.scr
2008-03-13 13:11 --------- d-----w C:\Program Files\Lady Di's Dimension
2008-03-13 13:06 --------- d-----w C:\Program Files\Peanuts Baseball Game
2008-03-13 04:16 1,256,994 ----a-w C:\WINDOWS\MM_s.scr
2008-03-12 17:05 --------- d-----w C:\Program Files\Irene's Images
2008-03-12 16:45 219,046 ----a-w C:\WINDOWS\uninstall nightvisions.exe
2008-03-12 16:45 21,010,119 ----a-w C:\WINDOWS\nightvisions.scr
2008-03-12 16:44 78,336 ----a-w C:\WINDOWS\pysoft_uninstaller.exe
2008-03-12 16:43 1,203,620 ----a-w C:\WINDOWS\Fairytale Castle.scr
2008-03-12 16:43 --------- d-----w C:\Program Files\Fairytale Castle
2008-03-12 16:39 74,744 ----a-w C:\WINDOWS\Uninstal.exe
2008-03-11 20:02 245,760 ----a-w C:\WINDOWS\Jonquils and Butterflies.scr
2008-03-10 21:29 --------- d---a-w C:\Program Files\Common Files\Adobe
2008-03-10 18:53 --------- d-----w C:\Program Files\TZEdit
2008-03-06 19:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 19:09 --------- d-----w C:\Documents and Settings\user\Application Data\Corel
2008-03-04 19:07 --------- d---a-w C:\Program Files\Common Files\InstallShield
2008-03-04 15:24 --------- d-----w C:\Program Files\Evening at Holly Hill
2008-03-04 15:23 5,385,056 ----a-w C:\WINDOWS\leavingthestationss.scr
2008-03-04 15:23 219,046 ----a-w C:\WINDOWS\uninstall leavingthestationss.exe
2008-03-04 14:24 --------- d-----w C:\Program Files\Second Nature
2008-03-04 13:45 --------- d-----w C:\Program Files\Mojicon Installer
2008-02-26 05:11 4,272,513 ----a-w C:\WINDOWS\Paris Bears.scr
2008-02-20 15:12 9,835,690 ----a-w C:\WINDOWS\FromParis_pack1.SCR
2008-02-11 15:45 1,241,536 ----a-w C:\WINDOWS\Under the Moon of Love.scr
2007-06-03 10:53 305 ---h--w C:\Program Files\desktop.ini
2007-06-03 10:49 21,952 ---h--w C:\Program Files\folder.htt
2004-12-06 10:11 5,591,072 ----a-w C:\Program Files\system.pca
2004-12-06 10:10 643,104 ----a-w C:\Program Files\user.pca
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53, on 2008-04-15
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://VMSERVER:80
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: KONICA MINOLTA FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://dsjcpa.tzo.com/Remote/msrdp.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vdm-law.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vdm-law.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vdm-law.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 7026 bytes

#10 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 15 April 2008 - 01:49 PM

Nicely done, Brussel57 :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against this entry, if still present:

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
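As an added example (not part of this thread, and not HijackThis code), a short Python script that does the first-pass triage a helper performs by eye on a log like the one posted above. It parses HijackThis-style lines and flags the orphaned "(no file)" URLSearchHook that Thunder asks to fix, a configured proxy server, ActiveX (O16) downloads from hosts outside an allowlist, and TCP/IP domain (O17) entries. The sample lines are copied from the log above; the allowlist and the flagging rules are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis-style log for the entries a helper looks at first.

Added example, not from the thread or from HijackThis. SAMPLE_LOG lines are
taken from the log posted in the thread; the rules and allowlist below are
assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# "R1 - <body>" / "O16 - <body>"; non-matching lines (headers, blanks) are ignored.
LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumption: hosts from which O16 ActiveX (DPF) downloads are expected here.
KNOWN_DPF_HOSTS = {"go.microsoft.com", "www.kaspersky.com", "www.crucial.com"}

# Constructed sample: a subset of the log posted above, verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://VMSERVER:80
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://dsjcpa.tzo.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vdm-law.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""


@dataclass
class Entry:
    section: str
    body: str
    raw: str


@dataclass
class Finding:
    section: str
    reason: str
    raw: str


def parse(log: str) -> List[Entry]:
    """Turn log text into Entry objects, one per recognised HijackThis line."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], raw.strip()))
    return entries


def host_of(text: str) -> Optional[str]:
    """Hostname of the first http(s) URL in the text, or None if there is none."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the (assumed) first-pass rules and return the entries worth a look."""
    findings = []
    for e in entries:
        if e.body.endswith("(no file)"):
            # A CLSID is still registered but its DLL is gone: orphaned hook/BHO.
            findings.append(Finding(e.section, "orphaned CLSID registration (DLL missing); fix with HijackThis", e.raw))
        elif e.section == "R1" and "ProxyServer" in e.body:
            # A proxy silently reroutes all browser traffic; confirm it is the network's own.
            findings.append(Finding(e.section, "proxy server configured; confirm it belongs to this network", e.raw))
        elif e.section == "O16":
            host = host_of(e.body)
            if host and host not in KNOWN_DPF_HOSTS:
                findings.append(Finding(e.section, f"ActiveX download from unlisted host {host}", e.raw))
        elif e.section == "O17":
            # DNS domain / name-server settings are a classic redirection lever.
            findings.append(Finding(e.section, "TCP/IP domain setting; confirm against the network configuration", e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
```

Entries the script does not flag (the Spybot BHO, avast!, the Symantec services) are not thereby shown to be clean; a real pass still checks that each path and vendor is what it claims to be. The VMSERVER:80 proxy in this log is plausible on an office network, which is why the rule asks to confirm it rather than remove it.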

#11 brussel57

  • Topic Starter

  • Members
  • 53 posts
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 15 April 2008 - 02:04 PM

Thanks Thunder. It looks like it worked. Checked some of the links where I was redirected and I go to the right sites this time. I'll just keep an eye on it for a while just in case it is trying to lull me into a false sense of security. Although I may never go to sites where I do my banking on this machine again. As the saying goes - Once bitten, twice shy. :thumbsup:

Are there any other steps I have to do?

#12 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 15 April 2008 - 03:10 PM

Hello, Brussel57,

You can remove all used tools and created folders now. :thumbsup:

To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Greetings,
Thunder

#13 brussel57

  • Topic Starter

  • Members
  • 53 posts
  • Gender:Female
  • Location:Long Island
  • Local time:02:22 AM

Posted 17 April 2008 - 12:15 PM

Hi Thunder

It's been a couple of days and so far no problems. I would have let you know sooner but wanted to make sure everything was okay.

I have not been redirected and my computer is actually moving faster, so it looks like I am back to normal. :thumbsup:

Many, many, many thanks for all your help.
Brussel57

#14 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:08:22 AM

Posted 17 April 2008 - 12:40 PM

Glad we could help, Brussel57 :thumbsup:

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.



