Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Monder (?) Virus Plus Malware- Logs Attached- Please Help!


  • This topic is locked This topic is locked
5 replies to this topic

#1 fairyglass

fairyglass

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 29 April 2008 - 02:11 AM

Hi- I'm a new user, posting for a friend who's been having problems with her computer- I hop you can help. The system was infected with some kind of malware that keeps popping up extra browser windows with nasty adverts when IE or FF is loaded. I tried AVG, Spyware Doctor, Spybot, Adaware, but none found the source of the problem. I downloaded and ran Combofix which seemed to clear a lot of files, and the pop ups have gone for the moment, but the computer is still really slow and I get an error message at start up saying that there is a DLL file which cannot be run (sorry, didn't make a note of which one). Having found this forum, I have downloaded Kapersky scanner, HJT and DSS which have identified some issues but I'm not sufficiently experienced to deal with them without help. I'd really appreciate some assistance and hope someone can help- if any more info is required please ask. I have a HJT logfile if required. Thanks in advance!
Ben

Kapersky log:
Tuesday, April 29, 2008 7:02:34 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 729076
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 74321
Number of viruses found 6
Number of infected objects 8
Number of suspicious objects 2
Duration of the scan process 01:49:14

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hgtjbeib.dll Object is locked skipped
C:\WINDOWS\Temp\ZLT05d2d.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05d31.TMP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7cc.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_da4.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{511D1168-BCE1-4389-B38B-00422A3D979B}.crmlog Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\LOUISELT.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoAXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Louise\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Louise\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Temp\Perflib_Perfdata_78c.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Temp\Perflib_Perfdata_bb4.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Temp\Perflib_Perfdata_bc4.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Louise\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse Object is locked skipped
C:\Documents and Settings\Louise\Cookies\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105022.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105023.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105024.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105025.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105026.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105027.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105028.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP160\A0105029.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP161\A0105089.DLL Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP161\A0105092.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP162\A0105100.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP162\A0105101.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP162\A0105102.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP162\A0105116.dll Object is locked skipped
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP162\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hsxsrdtu.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qoMffFXn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\usmtynmd.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-28_191209.56.zip/efcBsrPh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\QooBox\Quarantine\catchme2008-04-28_191209.56.zip ZIP: infected - 1 skipped
Scan process completed.

DSS main report:
Deckard's System Scanner v20071014.68
Run by Louise on 2008-04-29 07:48:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-04-29 06:49:01 UTC - RP163 - Deckard's System Scanner Restore Point
9: 2008-04-28 18:04:25 UTC - RP162 - ComboFix created restore point
8: 2008-04-28 15:34:55 UTC - RP161 - System Checkpoint
7: 2008-04-25 15:17:30 UTC - RP160 - Installed Ad-Aware 2007
6: 2008-04-24 22:06:05 UTC - RP159 - System Checkpoint


-- First Restore Point --
1: 2008-04-23 13:44:39 UTC - RP154 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Louise.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:52:08, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Louise\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Louise.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {850c8d19-6ec8-9c08-8084-117b625b736e} - {e637b526-b711-4808-80c9-8ce691d8c058} - C:\WINDOWS\system32\yxgsxlqm.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM4185c49b] Rundll32.exe "C:\WINDOWS\system32\varnjfnt.dll",s
O4 - HKLM\..\RunServices: [Microsoft Update] livemessenger.com
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [worfosa] c:\windows\system32\worfosa.exe worfosa
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8579 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R2 int15 - c:\windows\system32\drivers\int15.sys
R2 tvicport - c:\windows\system32\drivers\tvicport.sys <Not Verified; EnTech Taiwan; TVicPort Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
R2 zntport - c:\windows\system32\drivers\zntport.sys <Not Verified; Zeal SoftStudio; NTPort Library>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S2 eLock2BurnerLockDriver - c:\windows\system32\elock2burnerlockdriver.sys (file missing)
S2 eLock2FSCTLDriver - c:\windows\system32\elock2fsctldriver.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcerMemUsageCheckService (Memory Check Service) - c:\acer\empowering technology\eperformance\memcheck.exe <Not Verified; Acer Inc.; >


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-29 07:35:04 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-03-29 and 2008-04-29 -----------------------------

2008-04-28 19:55:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-28 19:55:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 19:55:48 0 d-------- C:\WINDOWS\LastGood
2008-04-28 19:03:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-28 19:03:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-28 19:03:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-28 19:03:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-28 19:03:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-28 19:03:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-28 19:03:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-28 19:03:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-25 18:25:36 0 d-------- C:\Program Files\Trend Micro
2008-04-25 16:18:01 0 d-------- C:\Program Files\Lavasoft
2008-04-25 16:17:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 16:02:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 15:58:47 0 d-------- C:\Documents and Settings\Administrator.LOUISELT\Application Data\Macromedia
2008-04-25 15:58:47 0 d-------- C:\Documents and Settings\Administrator.LOUISELT\Application Data\Adobe
2008-04-25 15:56:11 0 d-------- C:\Documents and Settings\Administrator.LOUISELT\Application Data\Mozilla
2008-04-25 15:55:19 0 dr-h----- C:\Documents and Settings\Administrator.LOUISELT\SendTo
2008-04-25 15:55:19 0 d--h----- C:\Documents and Settings\Administrator.LOUISELT\Recent
2008-04-25 15:55:19 0 d--h----- C:\Documents and Settings\Administrator.LOUISELT\PrintHood
2008-04-25 15:55:19 0 d--h----- C:\Documents and Settings\Administrator.LOUISELT\NetHood
2008-04-25 15:55:19 0 d-------- C:\Documents and Settings\Administrator.LOUISELT\My Documents
2008-04-25 15:55:19 0 d-------- C:\Documents and Settings\Administrator.LOUISELT\Favorites
2008-04-25 15:55:19 0 d-------- C:\Documents and Settings\Administrator.LOUISELT\Desktop
2008-04-25 15:55:19 0 d--hs---- C:\Documents and Settings\Administrator.LOUISELT\Cookies
2008-04-25 15:55:19 0 dr-h----- C:\Documents and Settings\Administrator.LOUISELT\Application Data
2008-04-25 15:55:19 0 d---s---- C:\Documents and Settings\Administrator.LOUISELT\Application Data\Microsoft
2008-04-25 15:55:18 0 d--h----- C:\Documents and Settings\Administrator.LOUISELT\Templates
2008-04-25 15:55:18 0 dr------- C:\Documents and Settings\Administrator.LOUISELT\Start Menu
2008-04-25 15:55:18 0 d--h----- C:\Documents and Settings\Administrator.LOUISELT\Local Settings
2008-04-25 15:55:17 524288 --ah----- C:\Documents and Settings\Administrator.LOUISELT\NTUSER.DAT
2008-04-25 15:55:10 0 d--hs---- C:\WINDOWS\CSC
2008-04-23 18:03:04 0 d--hs---- C:\FOUND.006
2008-04-23 15:42:27 0 d-------- C:\Documents and Settings\Louise\Application Data\LEGO Company
2008-04-22 16:26:49 39424 -r-hs---- C:\WINDOWS\livemessenger.com


-- Find3M Report ---------------------------------------------------------------

2008-04-25 14:03:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-19 14:42:58 0 d-------- C:\Program Files\Spyware Doctor
2008-03-19 14:42:58 0 d-------- C:\Documents and Settings\Louise\Application Data\PC Tools
2008-03-19 12:36:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-19 12:36:22 0 d-------- C:\Documents and Settings\Louise\Application Data\Mozilla
2008-03-19 10:27:22 0 d-------- C:\Program Files\Ashampoo
2008-03-19 06:56:12 125111 --a------ C:\logfile
2008-03-13 18:55:04 0 d-------- C:\Program Files\The Learning Company


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e637b526-b711-4808-80c9-8ce691d8c058}]
C:\WINDOWS\system32\yxgsxlqm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05/08/2005 13:56]
"LaunchApp"="" []
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [14/04/2006 22:35]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [11/05/2005 17:15]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [31/03/2006 16:39]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [10/05/2006 11:12]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [30/05/2006 12:11]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [15/03/2006 22:12]
"RTHDCPL"="RTHDCPL.EXE" [27/06/2006 23:54 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 03:04 C:\WINDOWS\SkyTel.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/03/2006 13:07]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [01/06/2006 14:40]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 13:22]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"BM4185c49b"="C:\WINDOWS\system32\varnjfnt.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"worfosa"="c:\windows\system32\worfosa.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 20:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Update"=livemessenger.com

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistrytools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2008-04-29 07:53:43 ------------

DSS Extra Report:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology MK-36
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 894.1 MiB / 333 MiB
Pagefile Memory (total/avail): 2166.39 MiB / 1524.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.52 MiB

C: is Fixed (FAT32) - 53.2 GiB total, 33.99 GiB free.
D: is Fixed (FAT32) - 53.69 GiB total, 53.4 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS541212H9AT00 - 111.79 GiB - 3 partitions
\PARTITION0 - Unknown - 4.88 GiB
\PARTITION1 (bootable) - Unknown - 53.21 GiB - C:
\PARTITION2 - Unknown - 53.7 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Louise\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LOUISELT
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA18
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Louise
LOGONSERVER=\\LOUISELT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE;C:\Program Files\QuickTime\QTSystem;C:\Program;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 76 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Louise\LOCALS~1\Temp
TMP=C:\DOCUME~1\Louise\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=LOUISELT
USERNAME=Louise
USERPROFILE=C:\Documents and Settings\Louise
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Louise (admin)
Administrator.LOUISELT (new local, admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer ePerformance Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7057702F-6D71-4F30-8000-9E72BC771887}\setup.exe" -l0x9 -removeonly
Acer ePower Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer ePresentation Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\Setup.exe" -l0x9
Acer eSettings Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F2C8256-2773-46C7-9ABA-3E39C24ABB51}\setup.exe" -l0x9 -removeonly
Acer GridVista --> C:\WINDOWS\UnInst32.exe GridV.UNI
Acer OrbiCam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4A57592C-FF92-4083-97A9-92783BD5AFB4}\Setup.EXE" -l0x9
Acer Screensaver --> MsiExec.exe /I{D458BBDC-0363-42E0-8FF9-4736E3CB3CA2}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Ashampoo WinOptimizer 4.35 --> "C:\Program Files\Ashampoo\Ashampoo WinOptimizer 4\unins000.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{14C8B4D9-E917-4319-83E0-5A42EC6CBB7D}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Parental Control & Encoder --> MsiExec.exe /I{8D70145A-3BD3-4DBF-9CBF-223EF4A43257}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BAMZOOKi v3.1 (build 115.158) --> "C:\Program Files\BAMZOOKi\unins000.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_190001_11e4bf\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LEGO Digital Designer --> C:\Documents and Settings\Louise\My Documents\hamish's folder\LEGO Digital Designer\Uninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.EXE" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.exe" -l0x9 -removeonly
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile USB Modem ^^ --> C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Samsung PC Studio 3 USB Driver Installer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SMSC IrCC V5.1.3600.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}\setup.exe" -l0x9 UNINSTALL
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2BFA&SUBSYS_1025009F\HXFSETUP.EXE -U -IAcrS09Fp.inf
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sony Ericsson PC Suite --> MsiExec.exe /I{FC906D5C-91F9-4DA4-A765-6DCBB669F317}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Powerpuff Girls - Princess Snorebucks --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\The Powerpuff Girls - Princess Snorebucks\Uninstall.xml"
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
What's Her Face!™ CD-ROM --> C:\Program Files\Common Files\VUG\Uninstall\WHFaceUn.exe
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPINST.EXE /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_9EA6D2FA46FEFFB7011ED0B6015B626D07F1EEF7\amdk8.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows XP Media Center Edition 2005 KB912067 --> "C:\WINDOWS\$NtUninstallKB912067$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type10999 / Error
Event Submitted/Written: 04/28/2008 07:51:41 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type10985 / Error
Event Submitted/Written: 04/28/2008 07:24:44 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type10976 / Error
Event Submitted/Written: 04/28/2008 06:50:39 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type10973 / Error
Event Submitted/Written: 04/28/2008 06:50:22 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type10968 / Error
Event Submitted/Written: 04/28/2008 06:46:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module varnjfnt.dll, version 0.0.0.0, fault address 0x00001ca6.
Processing media-specific event for [rundll32.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18118 / Error
Event Submitted/Written: 04/28/2008 07:52:07 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The eLock2FSCTLDriver service failed to start due to the following error:
%%2

Event Record #/Type18117 / Error
Event Submitted/Written: 04/28/2008 07:52:07 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The eLock2BurnerLockDriver service failed to start due to the following error:
%%2

Event Record #/Type18116 / Warning
Event Submitted/Written: 04/28/2008 07:51:09 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016CF5177AE. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type18077 / Error
Event Submitted/Written: 04/28/2008 07:25:27 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The eLock2FSCTLDriver service failed to start due to the following error:
%%2

Event Record #/Type18076 / Error
Event Submitted/Written: 04/28/2008 07:25:26 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The eLock2BurnerLockDriver service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-04-29 07:53:43 ------------

BC AdBot (Login to Remove)

 


#2 fairyglass

fairyglass
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 30 April 2008 - 09:54 AM

While waiting for help I've been working on this and now have a clean scan from Kapersky, plus no pop-ups appearing, and significantly faster performance. Hopefully it's sorted, but I'd appreciate someone taking a scan over my new logs (posted below) and letting me know if I need to clear anything else. I understand this may get pushed back as it looks like I've bumped it, but I hope I've saved someone time by working on the problem rather than just sitting back and waiting. I appreciate any help that may be given!
Logs:
Kapersky is clear ("no malware found") so I've not included it.
DSS:
ComboFix 08-04-29.3 - Louise 2008-04-30 15:21:19.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.433 [GMT 1:00]
Running from: C:\Documents and Settings\Louise\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 15:15 . 2008-04-30 15:15 <DIR> d-------- C:\Deckard
2008-04-28 19:55 . 2008-04-28 19:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 19:55 . 2008-04-28 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 18:25 . 2008-04-25 18:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 16:18 . 2008-04-25 16:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-25 16:17 . 2008-04-25 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 16:02 . 2008-04-25 16:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 15:55 . 2008-04-25 15:55 <DIR> d-------- C:\Documents and Settings\Administrator.LOUISELT
2008-04-25 15:55 . 2008-04-30 15:20 1,024 --ah----- C:\Documents and Settings\Administrator.LOUISELT\NTUSER.DAT.LOG
2008-04-25 13:59 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-24 09:16 . 2008-04-28 14:46 109,734 --a------ C:\WINDOWS\BM4185c49b.xml
2008-04-23 18:03 . 2008-04-23 18:03 <DIR> d--hs---- C:\FOUND.006
2008-04-23 15:42 . 2008-04-23 15:42 <DIR> d-------- C:\Documents and Settings\Louise\Application Data\LEGO Company
2008-04-22 16:26 . 2008-04-22 16:25 39,424 -r-hs---- C:\WINDOWS\livemessenger.com
2008-03-20 13:44 . 2008-03-20 13:44 <DIR> d-------- C:\kav
2008-03-19 14:43 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-19 14:43 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-19 14:43 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-19 14:43 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-19 14:42 . 2008-03-19 14:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-19 14:42 . 2008-03-19 14:42 <DIR> d-------- C:\Documents and Settings\Louise\Application Data\PC Tools
2008-03-19 12:49 . 2008-03-01 14:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-19 12:49 . 2007-07-01 03:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-19 12:49 . 2007-07-01 03:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-19 12:49 . 2008-03-01 14:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-19 12:49 . 2008-03-01 14:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-19 12:49 . 2008-03-01 14:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-19 12:49 . 2008-03-01 14:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-19 12:49 . 2008-03-01 14:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-19 12:49 . 2008-02-22 11:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-19 12:36 . 2008-03-19 12:36 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-19 10:27 . 2008-03-19 10:27 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-18 21:44 . 2008-04-30 15:27 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-18 21:44 . 2008-04-30 15:27 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-18 21:39 . 2008-03-18 21:41 263 --a------ C:\WINDOWS\wininit.ini
2008-03-18 21:01 . 2008-03-18 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-13 18:55 . 2008-03-13 18:55 <DIR> d-------- C:\Program Files\The Learning Company
2008-03-13 18:55 . 2008-03-13 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\The Learning Company
2008-03-13 18:55 . 2002-06-13 07:09 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2008-03-13 18:52 . 2008-03-13 18:52 0 --a------ C:\WINDOWS\Setup32.INI
2008-03-13 18:51 . 2008-03-14 17:23 36 --a------ C:\WINDOWS\Tiny_Run.ini
2008-03-03 18:00 . 2008-03-03 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-01 17:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-16 18:03 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-05-16 16:44 40,738,456 ----a-w C:\Program Files\zlsSetup_70_337_000_en.exe
2006-03-20 19:24 786,713 ----a-w C:\Program Files\carolyn hillyer.rm
2006-03-20 13:36 3,420 ----a-w C:\Documents and Settings\Louise\Application Data\wklnhst.dat
2006-03-18 02:34 19,968 ----a-w C:\Program Files\cJEZZY nUT SPELLING Z.doc
2006-03-16 21:39 21,407,888 ----a-w C:\Program Files\avg75free_467a1008.exe
2006-03-15 20:25 34,304 ----a-w C:\Program Files\T1Wk2 prefixes.doc
2006-03-13 20:45 659,529 ----a-w C:\Program Files\cauldronofcrows.rm
2006-03-11 05:34 152 ----a-w C:\Program Files\1239_16x9_nb.ram
2006-03-11 03:01 18,040,176 ----a-w C:\Program Files\Install_Messenger_nous.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e637b526-b711-4808-80c9-8ce691d8c058}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"LaunchApp"="" []
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 22:35 53248]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39 204800]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 12:11 421888]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12 579584]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-27 23:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40 413696]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 13:22 579584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="livemessenger.com" [2008-04-22 16:25 39424 C:\WINDOWS\livemessenger.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-15 07:33 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-14 19:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 14:35:32 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 15:30:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\ACER\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\WINDOWS\EHOME\EHRECVR.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\WINDOWS\EHOME\EHMSAS.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\eHome\ehRec.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-30 15:38:09 - machine was rebooted
ComboFix2.txt 2008-04-28 18:31:08
ComboFix-quarantined-files.txt 2008-04-30 14:37:26

Pre-Run: 39,458,537,472 bytes free
Post-Run: 39,432,847,360 bytes free

182 --- E O F --- 2008-04-10 08:36:13

#3 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:11:39 PM

Posted 20 May 2008 - 08:46 PM

Hello fairyglass

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post.

fairyglass, by replying to your own post you removed yourself from the Zero replies catagory that we look for to work logs and it looked like you where being helped.

Ken

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#4 fairyglass

fairyglass
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:39 AM

Posted 21 May 2008 - 01:47 AM

Thanks Ken,
I think it's solved- no reoccurrences, no sign. If things change I'll be back!
Cheers
Ben

#5 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:11:39 PM

Posted 21 May 2008 - 04:18 AM

Your welcome Ben



Safe Surfn
Ken

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#6 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:11:39 PM

Posted 02 June 2008 - 04:57 PM

Since this issue appears to be resolved this thread will now be closed. Thank you for using Bleeping Computer.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users