Virtumonde Infection Won't Go Away Easily


  • This topic is locked
18 replies to this topic

#1 michtarr

  • Members
  • 25 posts

Posted 13 April 2008 - 06:04 PM

I have become infected with Virtumonde twice in the past week or so. Norton 360 just wasn't finding it, so I used other packages - with disturbing consequences.

When I had a-squared quarantine suspicious files (c:\windows\system32\nnnliih.dll and 3 processes using it) I got an immediate BSOD-->reboot, then no icons or tray when I logged on. I realized that explorer had been removed, so I got a copy back on and ran Windows Update. Things worked, but Virtumonde reappeared.

Next I tried Spybot S&D. There were several items to clean up along with Virtumonde, and when I requested removal Spybot hung, so I ended it and did a restart. On reboot I had a RUNDLL error loading c:\windows\system32\dswvhwjx - The specified module could not be found. Plus, Virtumonde was still there. I disconnected the LAN cable and tried Spybot again, did the repairs in small pieces and they were all called successful. On reboot I now get two (2) RUNDLL errors, one for dswvhwjx.dll and one for naydsohw.dll.

I then tried a-squared free again, with the exact same results as before (BSOD/reboot and no icons), so I got explorer back. I then ran DSS, and decided I'd better run Windows Update, so I did that and ran DSS again. Not understanding what I had where, I ran DSS one more time... oh well.

That is where I'm at now - not sure if Virtumonde is gone, but pretty sure I have a bunch of other garbage that should be eliminated. I sure don't want to, through ignorance, keep perpetuating the mess.

Like I said, along the way I ran DSS several times, so there are multiple Main.txt files but only one extra.txt file. I am providing the latest of these...


Main.txt
---------
Deckard's System Scanner v20071014.68
Run by Dad on 2008-04-13 18:48:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Dad.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:04 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Dad's Documents\Downloads\Security Aids\dss (Deckard's System Scanner).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {fff84aba-3819-3e9a-7c04-4f4fa0393cb8} - {8bc3930a-f4f4-40c7-a9e3-9183aba48fff} - C:\WINDOWS\system32\mnnuahxx.dll (file missing)
O2 - BHO: (no name) - {AA87B083-4E3E-42AC-8A2D-AA672522D171} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {D318119E-CB62-4039-AE9B-CF9575BCAA7F} - C:\WINDOWS\system32\nnnliih.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ATIService] "C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [7097df55] rundll32.exe "C:\WINDOWS\system32\dswvhwjx.dll",b
O4 - HKLM\..\Run: [BM73a4ecc9] Rundll32.exe "C:\WINDOWS\system32\naydsohw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnliih - nnnliih.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9734 bytes

-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-13 14:28:15 0 d-------- C:\Program Files\Trend Micro
2008-04-13 13:28:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 13:09:44 0 d-------- C:\old Deckard
2008-04-13 12:54:46 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-13 12:27:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 12:27:24 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 03:29:09 0 d-------- C:\WINDOWS\CSC
2008-04-12 20:54:19 287130 --ahs---- C:\WINDOWS\system32\ehhkj.ini2
2008-04-11 16:04:41 231936 --a------ C:\WINDOWS\system32\SNWValid.dll <Not Verified; Cendant Software; World Opponent Network>
2008-04-11 16:04:40 1022976 --a------ C:\WINDOWS\system32\SierraNW.dll <Not Verified; Cendant Software; World Opponent Network>
2008-04-11 16:04:39 0 d-------- C:\SIERRA
2008-04-11 16:04:39 0 d-------- C:\Program Files\Sierra On-Line
2008-04-11 16:03:54 0 d-------- C:\Documents and Settings\Ryan\WINDOWS
2008-04-05 03:24:33 0 dr-h----- C:\Documents and Settings\Dad\Recent
2008-04-04 23:43:36 0 d-------- C:\VundoFix Backups
2008-04-04 20:51:27 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-04 20:45:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-04 20:45:07 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-04 20:45:06 0 d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2008-04-04 19:58:07 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-04 19:33:47 308411 --ahs---- C:\WINDOWS\system32\gOWyIRqr.ini2
2008-04-04 18:04:29 286538 --ahs---- C:\WINDOWS\system32\hPprYccf.ini2
2008-04-03 13:12:37 88640 --a------ C:\WINDOWS\system32\ndywhwku.dll
2008-03-29 23:10:17 0 d-------- C:\Documents and Settings\Ryan\Application Data\vlc
2008-03-18 17:59:05 0 d-------- C:\Documents and Settings\Sean\Application Data\pdf995


-- Find3M Report ---------------------------------------------------------------

2008-04-13 13:30:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-13 02:31:04 0 d-------- C:\Program Files\a-squared Free
2008-04-13 01:22:35 0 d-------- C:\Documents and Settings\Dad\Application Data\Azureus
2008-04-13 01:17:43 0 d-------- C:\Program Files\PeerGuardian2
2008-04-12 21:37:18 0 d-------- C:\Program Files\DeductionPro 2007
2008-04-11 17:35:11 0 d-------- C:\Program Files\Steam
2008-04-04 23:52:00 0 d-------- C:\Program Files\PowerISO
2008-04-04 20:54:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 17:43:24 0 d-------- C:\Documents and Settings\Dad\Application Data\Real
2008-03-08 10:10:07 0 d-------- C:\Program Files\Azureus
2008-03-08 00:36:01 0 d-------- C:\Program Files\Java
2008-03-05 10:44:25 0 d-------- C:\Program Files\Elaborate Bytes
2008-03-04 11:58:25 0 d-------- C:\Program Files\TouchStoneSoftware
2008-03-04 11:55:33 0 d-------- C:\Program Files\Avira
2008-03-04 11:40:26 0 d-------- C:\Program Files\FreeUndelete
2008-03-04 11:31:55 0 d-------- C:\Program Files\SoftLogica
2008-03-04 11:24:19 0 d-------- C:\Program Files\Data Doctor Recovery Memory Card (Demo)
2008-03-04 11:04:39 0 d-------- C:\Program Files\File Recover
2008-03-04 09:02:57 0 d-------- C:\Program Files\ParetoLogic
2008-03-04 09:02:57 0 d-------- C:\Program Files\Common Files
2008-03-04 09:02:57 0 d-------- C:\Program Files\Common Files\ParetoLogic
2008-03-04 08:53:32 0 d-------- C:\Program Files\ScummVM
2008-03-03 20:46:46 0 d-------- C:\Program Files\TI Education
2008-03-03 20:46:25 0 d-------- C:\Program Files\Common Files\TI Shared
2008-02-27 20:35:42 0 d-------- C:\Program Files\SlySoft
2008-02-26 21:45:04 0 d-------- C:\Program Files\Audiosurf
2008-02-17 22:56:04 0 d-------- C:\Program Files\Rockstar Games
2008-02-17 01:09:30 0 d-------- C:\Documents and Settings\Dad\Application Data\dvdcss
2008-02-16 23:24:38 0 d-------- C:\Documents and Settings\Dad\Application Data\Ahead
2008-01-26 13:25:33 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-26 13:25:33 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-19 15:04:02 615 --a------ C:\usb001b
2008-01-19 15:02:54 2196 --a------ C:\usb001a
2008-01-19 14:54:06 1416 --a------ C:\usb001


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
12/13/2007 12:49 PM 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8bc3930a-f4f4-40c7-a9e3-9183aba48fff}]
C:\WINDOWS\system32\mnnuahxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA87B083-4E3E-42AC-8A2D-AA672522D171}]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D318119E-CB62-4039-AE9B-CF9575BCAA7F}]
C:\WINDOWS\system32\nnnliih.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [12/13/2007 12:49 PM 1185120]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [04/19/2007 09:24 PM]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [04/19/2007 09:38 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [04/19/2007 09:29 PM]
"SoundMan"="SOUNDMAN.EXE" [06/20/2005 09:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINDOWS\KHALMNPR.Exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [01/12/2006 03:40 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/15/2008 06:54 PM]
"ATIService"="C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe" [09/09/2005 04:14 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 01:07 AM]
"nwiz"="nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/17/2007 01:07 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/26/2007 04:06 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 08:51 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 09:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"7097df55"="C:\WINDOWS\system32\dswvhwjx.dll" []
"BM73a4ecc9"="C:\WINDOWS\system32\naydsohw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"@"="" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [04/05/2006 10:03 PM]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [10/7/2007 8:14:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{D318119E-CB62-4039-AE9B-CF9575BCAA7F}"= C:\WINDOWS\system32\nnnliih.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnliih]
nnnliih.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05bd81c8-c2fc-11dc-8760-0015f2c96b9f}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22259b01-6f57-11dc-814a-806d6172696f}]
AutoRun\command- G:\start.exe languages.dbd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55b7dd82-b35b-11dc-872a-0015f2c96b9f}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-13 18:48:26 ------------


Extra.txt
----------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 3800+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1023.48 MiB / 606.73 MiB
Pagefile Memory (total/avail): 2459.51 MiB / 2133.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.9 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 93.15 GiB total, 21.34 GiB free.
D: is Fixed (NTFS) - 372.6 GiB total, 17.2 GiB free.
E: is Fixed (NTFS) - 232.82 GiB total, 3.22 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)
M: is Fixed (NTFS) - 232.88 GiB total, 32.28 GiB free.
O: is Fixed (NTFS) - 149.05 GiB total, 42.24 GiB free.

\\.\PHYSICALDRIVE2 - ST3500630AS - 465.76 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 372.6 GiB - D:

\\.\PHYSICALDRIVE1 - WDC WD1600JS-00MHB0 - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - O:

\\.\PHYSICALDRIVE0 - WDC WD2500JB-75GVC0 - 232.83 GiB - 1 partition
\PARTITION0 - Installable File System - 232.82 GiB - E:

\\.\PHYSICALDRIVE3 - WDC WD2500KS-00MJB0 - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - M:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dad\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMD3800X2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dad
LOGONSERVER=\\AMD3800X2
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 43 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
USERDOMAIN=AMD3800X2
USERNAME=Dad
USERPROFILE=C:\Documents and Settings\Dad
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Dad (admin)
Ryan.AMD3800X2 (new local, admin)
Sean (admin)
Mom (admin)
Ryan (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"
a-squared HiJackFree 3.0 --> "C:\Program Files\a-squared HiJackFree\unins000.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Parental Control --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{390FF986-468D-4CA9-8830-2C4B313F447F} /l1033
ATI Remote Wonder 3.04 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8F36E44A-E6E7-41B7-B6F6-4637BF84EFA5}
ATI TV Settings --> MsiExec.exe /X{66F50839-A069-4903-B6B5-E438077A42ED}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avira UnErase Personal --> C:\Program Files\Avira\UnErase\uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BOINC --> MsiExec.exe /I{B7A29B75-4B5E-4B62-A8C9-2EA14D7891CB}
Bonus --> MsiExec.exe /I{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}
Canon S900 --> C:\WINDOWS\system32\CNMCP3g.exe "-PRINTERNAMECanon S900" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon S900 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon S900 Installer\Inst2\cnmi0409.dll"
CC_ccProxyExt --> MsiExec.exe /I{4AAD206E-0557-440F-8A98-94921A64BF4B}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
ccPxyCore --> MsiExec.exe /I{47A86BDE-6871-4A8A-BB49-21FAF754E00E}
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
CIB --> MsiExec.exe /I{E8176C35-0C2D-4142-9ED4-81861ECAB403}
Codename Gordon --> "C:\Program Files\Steam\steam.exe" steam://uninstall/92
Counter-Strike: Source --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/240
Data Doctor Recovery Memory Card (Demo) 3.0.1.5 --> C:\Program Files\Data Doctor Recovery Memory Card (Demo)\Uninstall.exe
DeductionPro 2006 --> C:\Program Files\DeductionPro 2006\RemoveDPro.EXE C:\PROGRA~1\DEDUCT~2\INSTALL.LOG
DeductionPro 2007 --> "C:\Program Files\InstallShield Installation Information\{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}\setup.exe" -runfromtemp -l0x0009 -removeonly
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Identifier --> "C:\Program Files\DVD Identifier\Uninst\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab HD Decrypter 4.0.5.5 --> "C:\Program Files\DVDFab HD Decrypter 4\unins000.exe"
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
Family Tree Maker 2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2F4C144-7D1A-47C4-9D53-395A57B0CD64}\setup.exe" -l0x9
File Recover 6.2 --> "C:\Program Files\File Recover\unins000.exe"
FreeUndelete --> C:\Program Files\FreeUndelete\GLF72.exe /handle:fru
GameSpot Download Manager --> "D:\Kid's Documents\Ryan's Stuff\Downloads\GameSpot\uninstall.exe"
Garry's Mod --> "C:\Program Files\Steam\steam.exe" steam://uninstall/4000
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
GNU Aspell 0.50-3 --> "C:\Program Files\Pidgin\Aspell\unins000.exe"
Grand Theft Auto Vice City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
GTK+ Runtime 2.10.13 rev a (remove only) --> C:\Program Files\Pidgin\uninst.exe
GUIDE PLUS+™ for Windows® System - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe"
Half-Life --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Half-Life\Uninst.isu -c"C:\SIERRA\Half-Life\HLUNINST.DLL"
Half-Life 2 --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Deathmatch --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/320
Half-Life 2: Episode One --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Lost Coast --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/340
Half-Life Deathmatch: Source --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/360
Half-Life: Source --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/280
Handy Recovery 4.0 --> C:\PROGRA~1\SOFTLO~1\HANDYR~1\UNWISE.EXE C:\PROGRA~1\SOFTLO~1\HANDYR~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
LiveUpdate --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAFA84F8-5A33-4ACD-AD10-58356B27A0F1}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money Plus --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
NeroVision Express Content --> C:\WINDOWS\UNNVEContent.exe /UNINSTALL
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 --> MsiExec.exe /I{F413B69D-4AD6-42AB-AEA5-0548989FAD50}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_3_0_24\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Add-on Pack (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}_1_1_0_38\{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}.exe" /X
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security Bonus Pack --> MsiExec.exe /I{D4BB907A-623E-4F07-8787-041ABAE088E4}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA nTune --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
Parental Control --> MsiExec.exe /I{66B9BD1F-4189-4f35-BD82-9948720A04CF}
ParetoLogic Data Recovery --> MsiExec.exe /I{15D8D315-BB4C-4867-BCD7-2B829EF0F38B}
PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\Setup.exe" -l0x9
Pdf995 (installed by TaxCut) --> C:\Program Files\pdf995\setup.exe uninstall
PdfEdit995 (installed by TaxCut) --> C:\Program Files\pdf995\res\utilities\thinsetup.exe - uninstall
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Peggle Extreme --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/3483
Picture Package Music Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE2121C6-C94D-4A73-8EA4-6943F33EE335}\setup.exe" -l0x9 -removeonly
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
PowerCinema 3.0 - ATI Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Quintessential Player --> "C:\Program Files\Quintessential Player\uninst.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Sam and Max Episode 4 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/8230
ScummVM 0.10.0 --> "C:\Program Files\ScummVM\unins000.exe"
Seagate DiscWizard --> MsiExec.exe /X{81A60A13-224D-4637-8203-3EAC03B121A4}
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" -l0x9 UNINSTALL -removeonly
Source SDK Base --> "C:\Program Files\Steam\steam.exe" steam://uninstall/215
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
Symantec Technical Support Web Controls --> MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TaxCut Michigan 2007 --> MsiExec.exe /X{80D8662E-1EAD-4036-844B-0374F39E4C81}
TaxCut Premium + State 2007 --> MsiExec.exe /X{663E217E-FC26-4249-9E8E-F190CD63E737}
Team Fortress 2 --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/440
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
Undelete Plus 2.94 --> "C:\Program Files\TouchStoneSoftware\UndeletePlus\unins000.exe"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Virtual Cable Tester --> MsiExec.exe /X{3D654496-9C3D-4565-858C-3E551ECDA4E2}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
Winamp Toolbar for Internet Explorer --> "C:\Program Files\Winamp Toolbar\uninstall.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type17122 / Error
Event Submitted/Written: 04/13/2008 05:07:50 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x80080005

Event Record #/Type17053 / Error
Event Submitted/Written: 04/13/2008 02:49:32 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type17049 / Error
Event Submitted/Written: 04/13/2008 02:34:53 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x80070218

Event Record #/Type16999 / Error
Event Submitted/Written: 04/13/2008 00:21:03 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 721804357.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type16998 / Error
Event Submitted/Written: 04/13/2008 00:20:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module mnnuahxx.dll, version 0.0.0.0, fault address 0x0000bfa2.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2660 / Error
Event Submitted/Written: 04/13/2008 05:07:50 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {03E0E6C2-363B-11D3-B536-00902771A435} did not register with DCOM within the required timeout.

Event Record #/Type2561 / Error
Event Submitted/Written: 04/13/2008 03:57:54 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2560 / Error
Event Submitted/Written: 04/13/2008 03:57:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2559 / Error
Event Submitted/Written: 04/13/2008 03:56:57 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type2558 / Error
Event Submitted/Written: 04/13/2008 03:56:51 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-04-13 17:21:15 ------------


Any advice would be greatly appreciated.
Thanks,
michtarr


#2 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:58 PM

Posted 14 April 2008 - 07:07 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 michtarr

  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:58 PM

Posted 14 April 2008 - 12:23 PM

Hi Sam - Thanks for the help.
I ran ComboFix and I'll post the log below.
After I posted yesterday my son discovered additional issues that I hope get resolved easily.
- C++ Runtime errors
- WinAmp won't run
- PowerCinema 3.0 ATI Edition TV feature won't work

Thanks again

ComboFix 08-04-13.3 - Dad 2008-04-14 13:00:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.508 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\gOWyIRqr.ini
C:\WINDOWS\system32\gOWyIRqr.ini2
C:\WINDOWS\system32\hPprYccf.ini
C:\WINDOWS\system32\hPprYccf.ini2
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-13 18:48 . 2008-04-13 18:48 <DIR> d-------- C:\Deckard
2008-04-13 17:04 . 2007-06-13 06:23 1,033,216 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-04-13 17:04 . 2007-06-13 06:23 1,033,216 --a------ C:\WINDOWS\explorer.exe
2008-04-13 14:33 . 2008-04-13 15:38 208 --a------ C:\WINDOWS\wininit.ini
2008-04-13 14:28 . 2008-04-13 14:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 13:28 . 2008-04-13 13:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-13 13:28 . 2008-04-13 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 13:09 . 2008-04-13 18:46 <DIR> d-------- C:\old Deckard
2008-04-13 12:54 . 2008-04-13 12:54 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-13 12:27 . 2008-04-13 12:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 12:27 . 2008-04-13 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 11:34 . 2004-08-04 08:00 1,032,192 --a------ C:\WINDOWS\explorer.exe-ed
2008-04-13 10:48 . 2008-04-13 10:48 <DIR> d-------- C:\Program Files\ERUNT
2008-04-12 20:57 . 2008-04-13 14:33 1,238 --ahs---- C:\WINDOWS\system32\xjwhvwsd.ini
2008-04-11 16:04 . 2008-04-11 16:05 <DIR> d-------- C:\SIERRA
2008-04-11 16:04 . 2008-04-11 16:04 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-04-11 16:04 . 1998-10-30 23:21 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2008-04-11 16:04 . 1998-10-30 23:21 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2008-04-11 16:04 . 2008-04-11 16:05 433 --a------ C:\WINDOWS\SIERRA.INI
2008-04-11 16:03 . 2008-04-11 16:03 <DIR> d-------- C:\Documents and Settings\Ryan\WINDOWS
2008-04-04 23:43 . 2008-04-13 01:45 <DIR> d-------- C:\VundoFix Backups
2008-04-04 20:54 . 2008-04-05 10:37 1,134 --ahs---- C:\WINDOWS\system32\qmipnmsy.ini
2008-04-04 20:45 . 2008-04-05 00:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-04 20:45 . 2008-04-04 20:55 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2008-04-04 20:45 . 2008-04-04 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-04 20:29 . 2008-04-04 20:52 714 --ahs---- C:\WINDOWS\system32\qfjwuppn.ini
2008-04-04 19:58 . 2008-04-13 01:30 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-04 19:34 . 2008-04-04 20:23 594 --ahs---- C:\WINDOWS\system32\tbdhnnlj.ini
2008-04-04 18:05 . 2008-04-04 19:41 414 --ahs---- C:\WINDOWS\system32\qnxlaaah.ini
2008-04-04 16:10 . 2008-04-04 16:10 294 --ahs---- C:\WINDOWS\system32\ibqupeew.ini
2008-04-03 13:15 . 2008-04-04 15:05 1,786 --ahs---- C:\WINDOWS\system32\iffgqmyu.ini
2008-04-03 13:12 . 2008-04-03 13:12 88,640 --a------ C:\WINDOWS\system32\ndywhwku.dll
2008-04-02 09:50 . 2008-04-03 13:10 834 --ahs---- C:\WINDOWS\system32\ufeororh.ini
2008-04-02 09:44 . 2008-04-13 13:24 101,127 --a------ C:\WINDOWS\BM73a4ecc9.xml
2008-03-29 23:10 . 2008-03-29 23:38 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\vlc
2008-03-18 17:59 . 2008-03-18 17:59 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\pdf995
2008-03-18 17:59 . 2008-03-18 17:59 28 --a------ C:\WINDOWS\pdf995.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-14 01:37 --------- d-----w C:\Documents and Settings\Ryan\Application Data\.purple
2008-04-14 01:36 --------- d-----w C:\Documents and Settings\Ryan\Application Data\U3
2008-04-14 01:30 --------- d-----w C:\Documents and Settings\Ryan\Application Data\gtk-2.0
2008-04-14 00:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 06:31 --------- d-----w C:\Program Files\a-squared Free
2008-04-13 05:22 --------- d-----w C:\Documents and Settings\Dad\Application Data\Azureus
2008-04-13 05:17 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-13 01:37 --------- d-----w C:\Program Files\DeductionPro 2007
2008-04-11 21:35 --------- d-----w C:\Program Files\Steam
2008-04-05 03:52 --------- d-----w C:\Program Files\PowerISO
2008-04-05 00:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 03:07 --------- d-----w C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-03-18 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-13 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-08 14:10 --------- d-----w C:\Program Files\Azureus
2008-03-08 04:36 --------- d-----w C:\Program Files\Java
2008-03-07 01:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-05 14:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-05 14:44 --------- d-----w C:\Program Files\Elaborate Bytes
2008-03-04 15:58 --------- d-----w C:\Program Files\TouchStoneSoftware
2008-03-04 15:55 --------- d-----w C:\Program Files\Avira
2008-03-04 15:40 --------- d-----w C:\Program Files\FreeUndelete
2008-03-04 15:31 --------- d-----w C:\Program Files\SoftLogica
2008-03-04 15:24 --------- d-----w C:\Program Files\Data Doctor Recovery Memory Card (Demo)
2008-03-04 15:04 --------- d-----w C:\Program Files\File Recover
2008-03-04 13:02 --------- d-----w C:\Program Files\ParetoLogic
2008-03-04 13:02 --------- d-----w C:\Program Files\Common Files\ParetoLogic
2008-03-04 13:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-03-04 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-03-04 12:53 --------- d-----w C:\Program Files\ScummVM
2008-03-04 00:46 --------- d-----w C:\Program Files\TI Education
2008-03-04 00:46 --------- d-----w C:\Program Files\Common Files\TI Shared
2008-02-28 00:35 --------- d-----w C:\Program Files\SlySoft
2008-02-27 01:45 --------- d-----w C:\Program Files\Audiosurf
2008-02-18 02:56 --------- d-----w C:\Program Files\Rockstar Games
2008-02-17 05:09 --------- d-----w C:\Documents and Settings\Dad\Application Data\dvdcss
2008-02-17 03:24 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ahead
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 12:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8bc3930a-f4f4-40c7-a9e3-9183aba48fff}]
C:\WINDOWS\system32\mnnuahxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA87B083-4E3E-42AC-8A2D-AA672522D171}]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 12:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 12:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-05 22:03 1622016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24 1169744]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29 149024]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"ATIService"="C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe" [2005-09-09 16:14 94208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-26 16:06 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"7097df55"="C:\WINDOWS\system32\dswvhwjx.dll" [ ]
"BM73a4ecc9"="C:\WINDOWS\system32\naydsohw.dll" [ ]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-10-07 20:14:26 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnliih]
nnnliih.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05bd81c8-c2fc-11dc-8760-0015f2c96b9f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22259b01-6f57-11dc-814a-806d6172696f}]
\Shell\AutoRun\command - G:\start.exe languages.dbd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55b7dd82-b35b-11dc-872a-0015f2c96b9f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 22:00:00 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2008-04-13 04:33:09 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 13:06:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-14 13:09:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 17:09:34

Pre-Run: 22,721,007,616 bytes free
Post-Run: 22,598,008,832 bytes free
.
2008-04-09 13:25:33 --- E O F ---

#4 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:58 PM

Posted 14 April 2008 - 08:52 PM

Let's take care of your malware issues first and then we'll see what other issues are still present.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, to your desktop.

Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\xjwhvwsd.ini
C:\WINDOWS\system32\qmipnmsy.ini
C:\WINDOWS\system32\qfjwuppn.ini
C:\WINDOWS\system32\tbdhnnlj.ini
C:\WINDOWS\system32\qnxlaaah.ini
C:\WINDOWS\system32\ibqupeew.ini
C:\WINDOWS\system32\iffgqmyu.ini
C:\WINDOWS\system32\ndywhwku.dll
C:\WINDOWS\system32\ufeororh.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8bc3930a-f4f4-40c7-a9e3-9183aba48fff}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA87B083-4E3E-42AC-8A2D-AA672522D171}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7097df55"=-
"BM73a4ecc9"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnliih]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


========================================================
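As an added example (not code from this thread, from ComboFix or from its authors), the Python script below applies the same reading of the "Reg Loading Points" section that the CFScript in #4 is built from: it flags load points whose target file ComboFix printed without date/size metadata (the bare BHO paths, the Run values with an empty `[ ]`, the bare `nnnliih.dll` under winlogon\notify) and renders them in the `Registry::` syntax of that CFScript (`[-key]` to delete a key, `"name"=-` to delete a value). The sample input is an excerpt reassembled from the log posted in #3; the names `triage`, `to_cfscript` and `Finding` are mine, and the rule "no metadata means the file was missing or unreadable" is an assumption drawn from how the entries appear in that log, so the output is meant to be compared against the log before use, since a legitimate entry whose file was simply deleted would be listed too.

```python
import re
from dataclasses import dataclass

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted in #3,
# reassembled here as the sample input for this example (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 12:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8bc3930a-f4f4-40c7-a9e3-9183aba48fff}]
C:\WINDOWS\system32\mnnuahxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA87B083-4E3E-42AC-8A2D-AA672522D171}]
C:\WINDOWS\system32\jkhhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"7097df55"="C:\WINDOWS\system32\dswvhwjx.dll" [ ]
"BM73a4ecc9"="C:\WINDOWS\system32\naydsohw.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnliih]
nnnliih.dll
"""


@dataclass
class Finding:
    key: str     # registry key the entry was listed under
    name: str    # value name, or the key's last component for bare entries
    target: str  # file the entry points at
    reason: str


# Assumption: ComboFix prints "date time size attrs" for files it could stat; an
# empty "[ ]" or a bare path without that token means the file was missing/unreadable.
META_TOKEN = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})? \d+")
NAME_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<target>[^"\[]+?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*$'
)
FILE_LIKE = re.compile(r"^(?:[A-Za-z]:\\.+|[\w.-]+\.(?:dll|exe))$", re.IGNORECASE)


def parse_blocks(text):
    """Split the section into (key, [entry lines]) pairs, one per [key] header."""
    blocks, key, entries = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, entries))
            key, entries = line[1:-1], []
        elif line and key is not None:
            entries.append(line)
    if key is not None:
        blocks.append((key, entries))
    return blocks


def triage(text):
    """Return the load points whose target file ComboFix could not describe."""
    findings = []
    for key, entries in parse_blocks(text):
        for line in entries:
            m = NAME_VALUE.match(line)
            if m:  # "name"="target" [meta] form used under Run-style keys
                target = m.group("target").strip()
                meta = m.group("meta") or ""
                if FILE_LIKE.match(target) and not META_TOKEN.search(meta):
                    findings.append(Finding(key, m.group("name"), target,
                                            "value points at a file with no metadata"))
                continue
            # bare path or bare DLL name (BHO / winlogon\notify form) with no metadata
            if FILE_LIKE.match(line) and not META_TOKEN.search(line):
                findings.append(Finding(key, key.rsplit("\\", 1)[-1], line,
                                        "bare path with no metadata"))
    return findings


def to_cfscript(findings):
    """Render findings in the CFScript Registry:: syntax seen in #4:
    '[-key]' removes a whole key, '"name"=-' removes one value under a key."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f)
    lines = ["Registry::"]
    for key, items in by_key.items():
        bare = [f for f in items if f.reason.startswith("bare")]
        named = [f for f in items if not f.reason.startswith("bare")]
        if bare and not named:
            lines.append(f"[-{key}]")
        else:
            lines.append(f"[{key}]")
            lines.extend(f'"{f.name}"=-' for f in named)
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.name} -> {f.target}")
    print(to_cfscript(triage(SAMPLE_LOG)))
```

Entries that carry metadata (the Winamp toolbar BHO, SoundMan, the SUPERAntiSpyware winlogon hook) are left alone, and values that are not file paths at all (the policies\explorer DWORDs) are skipped rather than flagged, which keeps the output to the five entries the helper's CFScript actually targets.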

#5 michtarr

  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:58 PM

Posted 14 April 2008 - 09:26 PM

That was easy enough. No reboot occurred.

ComboFix.txt
---------------

ComboFix 08-04-13.3 - Dad 2008-04-14 22:08:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.439 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ibqupeew.ini
C:\WINDOWS\system32\iffgqmyu.ini
C:\WINDOWS\system32\ndywhwku.dll
C:\WINDOWS\system32\qfjwuppn.ini
C:\WINDOWS\system32\qmipnmsy.ini
C:\WINDOWS\system32\qnxlaaah.ini
C:\WINDOWS\system32\tbdhnnlj.ini
C:\WINDOWS\system32\ufeororh.ini
C:\WINDOWS\system32\xjwhvwsd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\fccbAPfE.dll.bad
C:\VundoFix Backups\nhgtidxj.dll.bad
C:\VundoFix Backups\nhqxwqea.dll.bad
C:\VundoFix Backups\PWRISOSH.DLL.bad
C:\VundoFix Backups\rqRHwTNH.dll.bad
C:\VundoFix Backups\ssqRKBQJ.dll.bad
C:\WINDOWS\system32\ibqupeew.ini
C:\WINDOWS\system32\iffgqmyu.ini
C:\WINDOWS\system32\ndywhwku.dll
C:\WINDOWS\system32\qfjwuppn.ini
C:\WINDOWS\system32\qmipnmsy.ini
C:\WINDOWS\system32\qnxlaaah.ini
C:\WINDOWS\system32\tbdhnnlj.ini
C:\WINDOWS\system32\ufeororh.ini
C:\WINDOWS\system32\xjwhvwsd.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-13 18:48 . 2008-04-13 18:48 <DIR> d-------- C:\Deckard
2008-04-13 17:04 . 2007-06-13 06:23 1,033,216 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-04-13 17:04 . 2007-06-13 06:23 1,033,216 --a------ C:\WINDOWS\explorer.exe
2008-04-13 14:33 . 2008-04-13 15:38 208 --a------ C:\WINDOWS\wininit.ini
2008-04-13 14:28 . 2008-04-13 14:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-13 13:28 . 2008-04-13 13:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-13 13:28 . 2008-04-13 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 13:09 . 2008-04-13 18:46 <DIR> d-------- C:\old Deckard
2008-04-13 12:54 . 2008-04-13 12:54 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-13 12:27 . 2008-04-13 12:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 12:27 . 2008-04-13 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 11:34 . 2004-08-04 08:00 1,032,192 --a------ C:\WINDOWS\explorer.exe-ed
2008-04-13 10:48 . 2008-04-13 10:48 <DIR> d-------- C:\Program Files\ERUNT
2008-04-11 16:04 . 2008-04-11 16:05 <DIR> d-------- C:\SIERRA
2008-04-11 16:04 . 2008-04-11 16:04 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-04-11 16:04 . 1998-10-30 23:21 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2008-04-11 16:04 . 1998-10-30 23:21 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2008-04-11 16:04 . 2008-04-11 16:05 433 --a------ C:\WINDOWS\SIERRA.INI
2008-04-11 16:03 . 2008-04-11 16:03 <DIR> d-------- C:\Documents and Settings\Ryan\WINDOWS
2008-04-04 20:45 . 2008-04-05 00:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-04 20:45 . 2008-04-04 20:55 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2008-04-04 20:45 . 2008-04-04 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-04 19:58 . 2008-04-13 01:30 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-02 09:44 . 2008-04-13 13:24 101,127 --a------ C:\WINDOWS\BM73a4ecc9.xml
2008-03-29 23:10 . 2008-03-29 23:38 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\vlc
2008-03-18 17:59 . 2008-03-18 17:59 <DIR> d-------- C:\Documents and Settings\Sean\Application Data\pdf995
2008-03-18 17:59 . 2008-03-18 17:59 28 --a------ C:\WINDOWS\pdf995.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 20:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 16:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-14 01:37 --------- d-----w C:\Documents and Settings\Ryan\Application Data\.purple
2008-04-14 01:36 --------- d-----w C:\Documents and Settings\Ryan\Application Data\U3
2008-04-14 01:30 --------- d-----w C:\Documents and Settings\Ryan\Application Data\gtk-2.0
2008-04-13 06:31 --------- d-----w C:\Program Files\a-squared Free
2008-04-13 05:22 --------- d-----w C:\Documents and Settings\Dad\Application Data\Azureus
2008-04-13 05:17 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-13 01:37 --------- d-----w C:\Program Files\DeductionPro 2007
2008-04-11 21:35 --------- d-----w C:\Program Files\Steam
2008-04-05 03:52 --------- d-----w C:\Program Files\PowerISO
2008-04-05 00:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 03:07 --------- d-----w C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 21:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-13 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-08 14:10 --------- d-----w C:\Program Files\Azureus
2008-03-08 04:36 --------- d-----w C:\Program Files\Java
2008-03-07 01:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-05 14:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-05 14:44 --------- d-----w C:\Program Files\Elaborate Bytes
2008-03-04 15:58 --------- d-----w C:\Program Files\TouchStoneSoftware
2008-03-04 15:55 --------- d-----w C:\Program Files\Avira
2008-03-04 15:40 --------- d-----w C:\Program Files\FreeUndelete
2008-03-04 15:31 --------- d-----w C:\Program Files\SoftLogica
2008-03-04 15:24 --------- d-----w C:\Program Files\Data Doctor Recovery Memory Card (Demo)
2008-03-04 15:04 --------- d-----w C:\Program Files\File Recover
2008-03-04 13:02 --------- d-----w C:\Program Files\ParetoLogic
2008-03-04 13:02 --------- d-----w C:\Program Files\Common Files\ParetoLogic
2008-03-04 13:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-03-04 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-03-04 12:53 --------- d-----w C:\Program Files\ScummVM
2008-03-04 00:46 --------- d-----w C:\Program Files\TI Education
2008-03-04 00:46 --------- d-----w C:\Program Files\Common Files\TI Shared
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 00:35 --------- d-----w C:\Program Files\SlySoft
2008-02-27 01:45 --------- d-----w C:\Program Files\Audiosurf
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-18 02:56 --------- d-----w C:\Program Files\Rockstar Games
2008-02-17 05:09 --------- d-----w C:\Documents and Settings\Dad\Application Data\dvdcss
2008-02-17 03:24 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ahead
2008-01-26 17:25 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-01-26 17:25 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-01-25 16:59 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-14_13.09.24.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-14\ERDNT.EXE
+ 2008-04-14 17:07:30 9,134,080 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-14\Users\00000001\NTUSER.DAT
+ 2008-04-14 17:07:30 233,472 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-14\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 12:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 12:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 12:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-05 22:03 1622016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24 1169744]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29 149024]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"ATIService"="C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe" [2005-09-09 16:14 94208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-26 16:06 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-10-07 20:14:26 344064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05bd81c8-c2fc-11dc-8760-0015f2c96b9f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22259b01-6f57-11dc-814a-806d6172696f}]
\Shell\AutoRun\command - G:\start.exe languages.dbd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55b7dd82-b35b-11dc-872a-0015f2c96b9f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 22:00:00 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2008-04-13 04:33:09 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 22:11:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 22:11:51
ComboFix-quarantined-files.txt 2008-04-15 02:11:48
ComboFix2.txt 2008-04-14 17:09:38

Pre-Run: 33,829,695,488 bytes free
Post-Run: 33,812,557,824 bytes free
.
2008-04-09 13:25:33 --- E O F ---



hijackthis.log
---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:10 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ATIService] "C:\Program Files\ATI Multimedia\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKUS\S-1-5-21-57989841-1972579041-682003330-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Sean')
O4 - HKUS\S-1-5-21-57989841-1972579041-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Sean')
O4 - HKUS\S-1-5-21-57989841-1972579041-682003330-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Sean')
O4 - HKUS\S-1-5-21-57989841-1972579041-682003330-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Ryan')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9519 bytes


Thanks
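The HijackThis log above is read by eye in the thread. As an added example, not code from the original post or from the HijackThis tool, the script below applies the same heuristics a helper uses when scanning such a log for Vundo/Virtumonde leftovers: a DLL under system32 whose name is eight random-looking letters (the pattern of the ndywhwku.dll, rqRHwTNH.dll and ssqRKBQJ.dll names in the ComboFix log above), an O20 Winlogon Notify hook, an O2 BHO with no name, and an O4 Run entry that starts a DLL through rundll32. The signal weights and the threshold are the example's own choices, and the sample lines it runs on are constructed for the example (a few benign entries of the kind the log contains plus three in the shape Vundo leaves); the all-zero CLSID and the rundll32 entry-point name are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Eight ASCII letters, no digits, as the basename of a DLL under system32:
# the naming pattern the Vundo/Virtumonde family used. Legitimate 8-letter
# DLLs exist too (browseui.dll, setupapi.dll), so this is a signal, not a verdict.
RANDOM_SYS32_DLL = re.compile(
    r"[A-Za-z]:\\(?:WINDOWS|WINNT)\\system32\\[A-Za-z]{8}\.dll$", re.I
)
# A drive-letter path ending in a loadable module; the last one on a line is
# the module the entry actually loads (matters for rundll32 entries).
WIN_PATH = re.compile(r'([A-Za-z]:\\[^",\]]+?\.(?:dll|exe|ocx))', re.I)
RUNDLL = re.compile(r"\brundll32(?:\.exe)?\b", re.I)

# Example weights: one strong signal, or a hook plus a naming hit, reaches the
# default threshold of 3; a single weak signal on its own does not.
WEIGHTS = {
    "random-8-letter-system32-dll": 3,  # strongest single indicator
    "winlogon-notify-hook": 2,          # O20: DLL loaded into winlogon.exe
    "unnamed-bho": 1,                   # O2 "(no name)": weak on its own
    "rundll32-loader": 1,               # O4 that starts a DLL through rundll32
}


@dataclass
class Finding:
    line: str
    section: str                      # HijackThis section code, e.g. "O4"
    path: str                         # module the entry loads, "" if none found
    signals: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[s] for s in self.signals)


def parse_line(line: str) -> Finding:
    """Score one HijackThis 'O' entry."""
    section = line.split(" ", 1)[0]
    paths = WIN_PATH.findall(line)
    f = Finding(line=line, section=section, path=paths[-1] if paths else "")
    if RANDOM_SYS32_DLL.search(f.path):
        f.signals.append("random-8-letter-system32-dll")
    if section == "O20":
        f.signals.append("winlogon-notify-hook")
    if section == "O2" and "(no name)" in line:
        f.signals.append("unnamed-bho")
    if section == "O4" and RUNDLL.search(line):
        f.signals.append("rundll32-loader")
    return f


def triage(log_text: str, threshold: int = 3) -> List[Finding]:
    """Entries scoring at or above threshold, highest score first."""
    findings = [parse_line(l) for l in log_text.splitlines() if l.startswith("O")]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample lines for the example (not the log posted above): benign
# entries of the kind that log contains, plus three in the shape Vundo leaves.
# The all-zero CLSID and the ",start" entry point are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ndywhwku.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qfjwuppn] rundll32.exe "C:\WINDOWS\system32\qfjwuppn.dll",start
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xjwhvwsd - C:\WINDOWS\system32\xjwhvwsd.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.score}] {hit.section} {hit.path}  <- {', '.join(hit.signals)}")
```

With the default threshold the three Vundo-shaped entries are reported and the benign ones are not: the Symantec BHO that also shows as "(no name)" scores 1, the SUPERAntiSpyware Winlogon Notify entry scores 2, and NVIDIA's rundll32 entry scores 1. Anything the script flags still needs the usual checks before removal (file signature, vendor, whether the file exists), which is exactly what the helpers in this thread do by hand.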

#6 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 15 April 2008 - 06:03 AM

Your logs are looking pretty good at this point. How is your computer working for you now?
Let me know of any issues that you are still having and we'll see what we can do.


========================================================

#7 michtarr (Topic Starter, Members, 25 posts)

Posted 15 April 2008 - 10:25 AM

Hi Sam,

First the good stuff (so far):
- Startup is faster
- Internet navigation quicker
- No unexpected redirects or popups
- Winamp works for me (maybe my son was imagining things)

The irritants and anomalies:
- Norton 360 Transaction Security will not turn on, whether by me or through the 'fix' button (this started after the first ComboFix run)
- ATI Powercinema TV fails with a C++ runtime error (but the radio and other features work)
---- Runtime Error! for MS Visual C++ Runtime Library
---- Program: C:\Program Files\ATI Multimedia\PowerCinema\PCM3.exe
---- "This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team..."

I haven't been doing a lot lately, waiting for the cleanup to finish. I'll push it a little harder later today.

Thanks

#8 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 15 April 2008 - 11:26 AM

The issues that you are having seem to be isolated to those particular programs. Probably the best thing you can do is just to reinstall them and see if that clears the error. There does seem to be some corruption there, but I don't have any experience troubleshooting those particular applications.

It does seem like your malware issue is now resolved so let's move forward with some final steps for you in that area.



First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

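The Internet Explorer Custom Level changes in the post above are made through the GUI; each of those settings is also a DWORD under the current user's Internet zone key, so the same hardening can be audited and applied in bulk. The script below is an added example, not from the original post and not a Microsoft tool: it keeps the six settings the post names as a recommended configuration, reports which values in a given zone are looser than recommended, and writes the corrected values out in the REGEDIT4 format that the ComboFix log above also uses. The action-ID numbers and the 0/1/3 encoding follow Microsoft's published zone registry layout (KB182569) but are stated here as an assumption to verify against your IE version; the WEAK_ZONE "before" state is constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Internet zone = Zones\3 under the current user's Internet Settings key.
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")

# Each Custom Level setting is a DWORD named by its action ID, holding
# 0 = Enable, 1 = Prompt, 3 = Disable, so a larger value is stricter.
# Action IDs as documented in Microsoft KB182569; assumed here, verify
# against your IE version before applying.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings the post changes, in the order it lists them.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current: Dict[str, Optional[int]]) -> List[str]:
    """One line per setting that is missing or looser than recommended.

    `current` maps action ID -> DWORD value as read from ZONE_KEY
    (None, or an absent key, means the value is not present).
    """
    problems = []
    for action, (name, want) in RECOMMENDED.items():
        have = current.get(action)
        if have is None:
            problems.append(f"{action} {name}: not present, check in the GUI")
        elif have < want:
            problems.append(f"{action} {name}: {LEVEL.get(have, have)} -> {LEVEL[want]}")
    return problems


def reg_script() -> str:
    """REGEDIT4 text that sets the recommended values; ';' lines are comments."""
    lines = ["REGEDIT4", "", f"[{ZONE_KEY}]"]
    for action, (name, want) in RECOMMENDED.items():
        lines.append(f"; {name} = {LEVEL[want]}")
        lines.append(f'"{action}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed "before" state for the example: four settings left at Enable,
# two already at the recommended level.
WEAK_ZONE = {"1001": ENABLE, "1004": DISABLE, "1201": ENABLE,
             "1800": ENABLE, "1804": ENABLE, "1607": PROMPT}

if __name__ == "__main__":
    for problem in audit(WEAK_ZONE):
        print(problem)
    print(reg_script())
```

Reading the live values (for instance with `reg query` on the key above) and feeding them to `audit()` gives the same list of deviations the Custom Level dialog would show, and importing the generated text with regedit applies the corrected values for the current user only, which matches the per-user scope of the GUI procedure.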


========================================================

#9 michtarr (Topic Starter, Members, 25 posts)

Posted 15 April 2008 - 02:43 PM

Thank you for all of the help.

I took the steps you listed and now have Tea Timer running and SpyWareBlaster enabled. I also have Norton 360 running. Is there any interference between these packages?

I'll follow-up with Symantec on that issue and try re-installing the PowerCinema package.

It's been a pleasure. You provide a great service.

Thanks again.

#10 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 15 April 2008 - 04:06 PM

You won't have any problems with Spyware Blaster, Teatimer, and Norton all running together. They all work in different ways so no conflicts.

I'm glad I could help you out!


========================================================

#11 michtarr
  • Topic Starter
  • Members
  • 25 posts

Posted 15 April 2008 - 10:54 PM

One last thing -

Can you direct me to where I can get help with the collateral damage that seems to have come from this?
-- The Visual C++ Runtime Library error is still happening with PowerCinema, even after multiple reinstalls.
-- I'm having repeatable faults with several modules. The most notable is Microsoft Management Console. It is easily abended to get the following:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 4/15/2008
Time: 11:41:06 PM
User: N/A
Computer: AMD3800X2
Description:
Faulting application mmc.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011e5a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Where do you recommend I post this?

Thanks

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 April 2008 - 07:07 AM

Let's try running Microsoft's System File Checker program.

The utility will check the system files and automatically replace any that it finds necessary.

Scannow Tutorial
http://www.updatexp.com/scannow-sfc.html

You may need the Windows Install CD, so have it ready.
Go to Start, then Run, type sfc /scannow in the run box and press enter.

When it has finished it will close itself.

Note: There is a space between sfc and the forward slash. Windows may ask you for your Windows Install CD so put it in...don't worry if the XP setup screen appears, this is not a part of sfc /scannow, your autorun utility in Windows is starting it. Simply minimize the screen and allow sfc to continue.

Let me know how it goes.


========================================================

#13 michtarr
  • Topic Starter
  • Members
  • 25 posts

Posted 16 April 2008 - 02:38 PM

The reference for sfc help was a great help in getting it to run. After a long execution time it finished and I restarted.

Unfortunately I saw no impact. I ran Windows Update just in case there was some combined effect, but no changes needed there.

The same major issues are there -- C++ Runtime error and the various other faults. Another example is:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 4/16/2008
Time: 3:21:34 PM
User: N/A
Computer: AMD3800X2
Description:
Faulting application pcm3.exe, version 3.0.0.3309, faulting module mfc42.dll, version 6.2.4131.0, fault address 0x00004973.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Suggestions?
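As an added example (not code from the thread or from either poster), the Windows PowerShell snippet below parses Application Error records of the kind quoted in posts #11 and #13 (Event ID 1000) into faulting application, module and offset, so repeated crashes can be grouped by module instead of read one record at a time. The two sample messages are constructed from the records above; the live query assumes Windows PowerShell with Get-EventLog, which is what an XP-era system would have.

```powershell
# Added example, not from the thread: parse "Application Error" Event ID 1000
# descriptions into fields and group crashes by faulting module.

# The description format used by the two records quoted in this thread.
$pattern = 'Faulting application (?<app>\S+), version (?<appver>[\d.]+), ' +
           'faulting module (?<mod>\S+), version (?<modver>[\d.]+), ' +
           'fault address (?<addr>0x[0-9a-fA-F]+)\.'

function ConvertFrom-AppCrashMessage {
    param(
        [Parameter(Mandatory=$true)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    if ($Message -match $pattern) {
        New-Object PSObject -Property @{
            Time      = $Time
            App       = $Matches.app
            AppVer    = $Matches.appver
            Module    = $Matches.mod
            ModuleVer = $Matches.modver
            Offset    = $Matches.addr
        }
    }
}

# Constructed sample input: the Description lines from the two event records above.
$samples = @(
    'Faulting application mmc.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011e5a.',
    'Faulting application pcm3.exe, version 3.0.0.3309, faulting module mfc42.dll, version 6.2.4131.0, fault address 0x00004973.'
)
$samples | ForEach-Object { ConvertFrom-AppCrashMessage -Message $_ } |
    Format-Table Time, App, AppVer, Module, ModuleVer, Offset -AutoSize

# Live query of the same record type from the local Application log
# (Windows PowerShell; Get-EventLog is not in PowerShell 7), grouped by
# faulting module. A module that keeps appearing under unrelated programs
# is the one to check first, e.g. against a known-good copy after sfc.
Get-EventLog -LogName Application -Source 'Application Error' -InstanceId 1000 -Newest 200 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-AppCrashMessage -Message $_.Message -Time $_.TimeGenerated } |
    Group-Object Module | Sort-Object Count -Descending |
    Select-Object Count, Name
```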

#14 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 April 2008 - 05:30 PM

Cyberlink customer support
http://www.cyberlink.com/english/cs/suppor...port_index.html


========================================================

#15 michtarr
  • Topic Starter
  • Members
  • 25 posts

Posted 20 April 2008 - 12:07 AM

I tried the Cyberlink customer support. Their support has been less than stellar in the past. Tonight their problem reporting system errors out when I enter the problem. I'll hope they recycle and it gets healed so I can try again tomorrow.

Frustration grows.

I have the feeling I've had a driver messed up in this whole process. I hate just shooting in the dark. I keep having this feeling of deja vu back to a video driver problem that came out of nowhere and required all of the nvidia stuff to be replaced.


Thoughts?



