Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple Problems After Running All My Anti-spywares


  • This topic is locked This topic is locked
6 replies to this topic

#1 Judi-chan

Judi-chan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:12:06 AM

Posted 04 May 2008 - 01:12 AM

Just remembered I had zlob too so edited post to add this info...
I bought this pc secondhand in Dec '06. So I don't know what may have been on it before I bought it...I hadn't had any problems (that I couldn't take care of with my anti tools) until Apr. 28th of this year...
First clue I had a problem was a little red circle with an x in it in the system tray; when clicked, there was a message that said 'virus activity found' u need to run antivirus software. Then I got a dialog box saying that a virus had been found on my pc, name was like nethunter or something, 'please run recommended antispyware software'. Then I noticed 3 new icons on desktop, one for an 'error protector', a second for 'spyware defender' & a third which I think was for an antivirus...Then I got 3 popup windows for 'system-defender.com' & 2 others (I deleted them from history so I think they were 'free-pc-scanner.com' & 'spywarewarrior.com'). My homepage got hijacked; it was changed to 'system-defender.com'. Also, machine got slower & slower; I couldn't access task manager or internet options from tool menu inside browser window...Figuring I had an infection, & not having run any of my tools in 3 months, I ran Ad-aware (discovered it was out of date, downloaded new one & ran it), updated spyware guard, updated & ran spyware blaster, spybot s&d, crapcleaner & hijack this...I 'fixed' everything they found; including a few suspicious reg entries with hjt (probly should've waited...). Also, after noticing that one of the things found was smitfraud; downloaded & ran smitfraudfix from a french site, siri.urz.free.fr. 2 days later started getting popups again. this time spybot's tea timer would let me delete one of the reg entries (asking do u wanna allow this change)but would then ask me if I wanna allow the new value...when I would ck deny, it would ask me again...
Then, I went to spywareinfoforum, followed their directions & posted kaspersky, trend micro & hjt scans, asking for help...
Now I can't get to their site I get the following error message:
Forbidden You don't have permission to access /index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/2 Server at www.spywareinfoforum.com Port 80
This is driving me crazy!!! :thumbsup:

Here are my dss & kaspersky scans:

Deckard's System Scanner v20071014.68
Run by Judi Ames on 2008-05-04 01:00:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-05-04 05:00:35 UTC - RP448 - Deckard's System Scanner Restore Point
86: 2008-05-03 04:54:27 UTC - RP447 - System Checkpoint
85: 2008-05-02 04:31:41 UTC - RP446 - Installed Ad-Aware 2007
84: 2008-05-02 04:26:23 UTC - RP445 - Removed Ad-Aware SE Personal
83: 2008-05-01 18:26:29 UTC - RP444 - System Checkpoint


-- First Restore Point --
1: 2008-02-04 17:44:06 UTC - RP362 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Judi Ames.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:09 AM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\All Users\Application Data\bgnmxabo\fqjyrmnk.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Judi Ames\Desktop\dss.exe
c:\PROGRA~1\mcafee\mpf\mc\mpfalert.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Judi Ames.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/?uid=6639670A35633C71
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Judi's IE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [tqs47z4SkB] C:\Documents and Settings\All Users\Application Data\bgnmxabo\fqjyrmnk.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1191698413636
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1191698401439
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O21 - SSODL: qadovnel - {3A85CD2B-886C-41FA-827B-F7608F1D75F1} - C:\WINDOWS\qadovnel.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9888 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 ousbehci (OrangeWare USB Enhanced Host Controller Service) - c:\windows\system32\drivers\ousbehci.sys <Not Verified; OrangeWare Corporation; USB 2.0 Enhanced Host Controller Driver>
R3 ousb2hub (OrangeWare USB 2.0 Root Hub Support) - c:\windows\system32\drivers\ousb2hub.sys <Not Verified; OrangeWare Corporation; USB 2.0 Hub Driver>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 PictureTaker - c:\windows\system32\pctkrnt.sys <Not Verified; LANovation; PictureTaker Software Family>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&3A2C8C4B&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&3A2C8C4B&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-05-02 01:20:45 348 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-05-01 01:00:13 340 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-03 14:42:14 0 dr-h----- C:\Documents and Settings\Judi Ames\Recent
2008-05-02 12:37:13 0 d-------- C:\WINDOWS\BDOSCAN8
2008-05-02 11:33:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 11:33:54 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-02 10:19:57 0 d-------- C:\Program Files\Trend Micro
2008-05-02 00:31:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 00:28:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 00:42:10 0 dr-h----- C:\Documents and Settings\Jeanette Ames\Recent
2008-04-28 03:51:41 1626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-28 03:07:05 0 d-------- C:\Program Files\Enigma Software Group
2008-04-27 21:19:34 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-27 21:19:34 2551 --a------ C:\WINDOWS\unins000.dat
2008-04-27 20:10:38 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 20:10:19 0 d-------- C:\Program Files\EULAlyzer
2008-04-27 12:36:29 0 d-------- C:\Documents and Settings\Judi Ames\Application Data\TmpRecentIcons
2008-04-27 01:22:45 0 d-------- C:\Documents and Settings\All Users\Application Data\bgnmxabo
2008-04-27 01:22:19 102400 --a------ C:\WINDOWS\xbaqktfv.exe
2008-04-27 01:22:19 94208 --a------ C:\WINDOWS\spwoqbmv.exe
2008-04-27 01:22:19 262144 --a------ C:\WINDOWS\qadovnel.dll
2008-04-13 00:14:41 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-11 19:44:15 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-04 23:17:00 0 d-------- C:\Program Files\CCleaner


-- Find3M Report ---------------------------------------------------------------

2008-05-02 13:42:51 0 d-------- C:\Program Files\iWin Games
2008-05-02 09:41:59 0 d-------- C:\Program Files\SpywareGuard
2008-05-02 06:36:35 0 d-------- C:\Program Files\SpywareBlaster
2008-05-02 00:31:44 0 d-------- C:\Program Files\Lavasoft
2008-05-02 00:28:14 0 d-------- C:\Program Files\Common Files
2008-04-15 06:31:29 90040 --a------ C:\Documents and Settings\Judi Ames\Application Data\GDIPFONTCACHEV1.DAT
2008-04-13 00:14:27 0 d-------- C:\Program Files\Common Files\Real
2008-04-11 20:29:27 0 d-------- C:\Documents and Settings\Judi Ames\Application Data\Adobe
2008-04-02 01:53:48 0 d-------- C:\Program Files\Slingo Quest Hawaii
2008-04-02 01:44:06 0 d-------- C:\Program Files\iWin.com
2008-04-01 07:53:43 0 d-------- C:\Program Files\InterActual
2008-03-27 19:14:31 0 d-------- C:\Program Files\Microsoft Games
2008-03-22 02:36:34 0 d-------- C:\Documents and Settings\Judi Ames\Application Data\Real
2008-03-12 20:27:33 0 d-------- C:\Program Files\Slingo Quest
2008-03-11 19:13:40 0 d-------- C:\Documents and Settings\Judi Ames\Application Data\funkitron
2008-03-09 19:26:45 0 d-------- C:\Documents and Settings\Judi Ames\Application Data\iWinArcade


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [12/04/2001 01:07 PM C:\WINDOWS\GWMDMMSG.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/17/2001 12:41 AM]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 02:02 PM]
"Run StartupMonitor"="StartupMonitor.exe" [05/20/2000 05:23 PM C:\WINDOWS\StartupMonitor.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04/07/2006 03:02 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [12/17/2007 06:13 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Judi Ames\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [8/7/2001 7:06:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tqs47z4SkB"=C:\Documents and Settings\All Users\Application Data\bgnmxabo\fqjyrmnk.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qadovnel"= {3A85CD2B-886C-41FA-827B-F7608F1D75F1} - C:\WINDOWS\qadovnel.dll [04/26/2008 09:17 AM 262144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"RemoteControl"=C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\Updreg.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8298 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-04 01:04:20 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 511.3 MiB / 189.55 MiB
Pagefile Memory (total/avail): 1250.22 MiB / 941.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.8 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 50.9 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 111.79 GiB total, 111.72 GiB free.

\\.\PHYSICALDRIVE1 - WDC WD1200JB-00GVA0 - 111.79 GiB - 1 partition
\PARTITION0 - Installable File System - 111.79 GiB - F:

\\.\PHYSICALDRIVE0 - WDC WD800BB-53CCB0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Common Files\\AOL\\1176202674\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1176202674\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iWin Games\\iWinGames.exe"="C:\\Program Files\\iWin Games\\iWinGames.exe:*:Enabled:iWin Games application."
"C:\\Program Files\\iWin Games\\WebUpdater.exe"="C:\\Program Files\\iWin Games\\WebUpdater.exe:*:Enabled:iWin Games updater."


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Judi Ames\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MAINCOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Judi Ames
LOGONSERVER=\\MAINCOMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp
USERDOMAIN=MAINCOMPUTER
USERNAME=Judi Ames
USERPROFILE=C:\Documents and Settings\Judi Ames
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

me (admin)
Judi Ames (admin)
Jeanette Ames (admin)
Natalie Ames (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\PlayCenter\Player.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Recorder\Recorder.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SBLiveXP.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Wstudio.isu"
--> C:\WINDOWS\ServicePackFiles\i386\pchealth.inf
2Wire Wireless Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\Setup.exe" -l0x9 -L0x9
ActiveTime --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{712A1559-0C39-42C7-9126-8DD86BF3B50F}\Setup.exe" -l0x9
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Delicious Deluxe --> C:\PROGRA~1\YAHOO!~1\DELICI~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!~1\DELICI~1\INSTALL.LOG
Diner Dash - Flo on the Go (remove only) --> "C:\Program Files\Yahoo! Games\Diner Dash - Flo on the Go\Uninstall.exe"
Do More --> MsiExec.exe /I{75C023EC-64A0-44F7-9D99-C6F6E21EB6F0}
EULAlyzer v1.2 --> "C:\Program Files\EULAlyzer\unins000.exe"
Gateway Internet Links --> "C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile 99A393E0-1F86-4AB7-9FE3-ACEC7E10098F /Prompt
Gateway Power Management --> c:\cabs\Winxp\Utility\Power\PrGreenstar.exe UNINSTALL
GTW V.92 Voice Modem --> C:\WINDOWS\GWMDMU.exe verbose
HelpSpot --> MsiExec.exe /I{8DE73C0C-34EA-4888-86DB-EEDB9B69DB94}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iWin Games (remove only) --> "C:\Program Files\iWin Games\Uninstall.exe"
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Jasc Paint Shop Pro 9 --> MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Jasc Paint Shop Pro 9.01 - (9.0.1.1) --> C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Keynote Connector --> C:\WINDOWS\DOWNLO~1\CONNEC~1.EXE /Uninstall
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Age of Empires Gold --> "C:\Program Files\Microsoft Games\Age of Empires\UNINSTAL.EXE" /runtemp
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mobipocket Reader 6.0 --> MsiExec.exe /I{ED386A62-2BA2-4544-A723-5DFFDC283F6A}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PC-Doctor for Windows --> C:\WINDOWS\UNWISE32.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
PlexTools Professional V2.17 --> MsiExec.exe /X{10651499-F215-41EA-A32D-B09AAAAB138F}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio DVDMax Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0CA1B4-5491-11D7-97BC-00055D0CA761}\setup.exe" -uninstall
Roxio Easy Media Creator 7 Basic DVD Edition --> MsiExec.exe /I{747D1B34-A1FC-4EF3-A6AE-E86F39CEFDE5}
SBC Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe
ShortKeys Lite --> C:\PROGRA~1\SHORTK~1\UNWISE.EXE C:\PROGRA~1\SHORTK~1\INSTALL.LOG
Slingo Quest (remove only) --> "C:\Program Files\Slingo Quest\Uninstall.exe"
Slingo Quest Hawaii (remove only) --> "C:\Program Files\Slingo Quest Hawaii\Uninstall.exe"
Smilebox --> "C:\Documents and Settings\Judi Ames\Application Data\Smilebox\uninstall.exe"
Sound Blaster Live! Value --> C:\Program Files\Creative\SBLive\PROGRAM\CTUNINST.EXE
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
StartupMonitor --> MsiExec.exe /I{76EFAC4F-1712-401F-B2AE-590B170C9BCE}
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type7260 / Warning
Event Submitted/Written: 05/02/2008 09:19:06 AM
Event ID/Source: 4354 / EventSystem
Event Description:
The COM+ Event System failed to fire the ConnectionMade method on subscription {97446C88-31FE-4951-A994-A5F1AC2B495C}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The subscriber returned HRESULT 80010105.

Event Record #/Type7208 / Success
Event Submitted/Written: 04/30/2008 06:08:26 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7179 / Success
Event Submitted/Written: 04/29/2008 11:25:36 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7072 / Success
Event Submitted/Written: 04/27/2008 05:01:23 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type7046 / Warning
Event Submitted/Written: 04/26/2008 02:34:26 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{F843C6A3-224D-4615-94F8-3C461BD9AEA0}', feature 'PaintShopPro' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18825 / Error
Event Submitted/Written: 05/04/2008 00:07:40 AM / 05/04/2008 00:08:10 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type18811 / Error
Event Submitted/Written: 05/03/2008 11:24:54 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type18810 / Error
Event Submitted/Written: 05/03/2008 10:59:23 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type18803 / Warning
Event Submitted/Written: 05/02/2008 11:21:50 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type18768 / Error
Event Submitted/Written: 05/02/2008 09:41:27 AM / 05/02/2008 09:41:57 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type



-- End of Deckard's System Scanner: finished at 2008-05-04 01:04:20 ------------

KASPERSKY ONLINE SCANNER REPORT
Friday, May 02, 2008 12:34:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/05/2008
Kaspersky Anti-Virus database records: 735468


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 19304
Number of viruses found 3
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:20:39

Infected Object Name Virus Name Last Action
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\qadovnel.dll Infected: Trojan.Win32.Vapsup.ejn skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\spwoqbmv.exe Infected: Trojan.Win32.Vapsup.ejr skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_GjFrE7XzqHxCZ0B Object is locked skipped

C:\WINDOWS\Temp\mcafee_sEzJumy10F4WmGp Object is locked skipped

C:\WINDOWS\Temp\mcmsc_CgG3bCbdRNVM4bz Object is locked skipped

C:\WINDOWS\Temp\mcmsc_DNIqFzpd5f97NtO Object is locked skipped

C:\WINDOWS\Temp\mcmsc_gRuO7PaGFjqm4cL Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\xbaqktfv.exe Infected: Trojan.Win32.Vapsup.ejo skipped

C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\hsperfdata_Judi Ames\2032 Object is locked skipped

C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\Perflib_Perfdata_7fc.dat Object is locked skipped

C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\~DF44B5.tmp Object is locked skipped

C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\~DF6BC9.tmp Object is locked skipped

C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\~DFE612.tmp Object is locked skipped

C:\DOCUME~1\JUDIAM~1\LOCALS~1\Temp\~DFE627.tmp Object is locked skipped

Scan process completed.

Thank you in advance for any help you may be able to give me...
Judi A.

Edited by Judi-chan, 04 May 2008 - 01:33 AM.

Judi-chan

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:06 AM

Posted 04 May 2008 - 12:45 PM

Hi,

SpywareInfo is temporary offline..

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also uninstall WeatherBug

Then reboot.

After reboot, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Judi-chan

Judi-chan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:12:06 AM

Posted 07 May 2008 - 03:55 PM

:thumbsup: Um I'm having problems...My pc is second hand & is a Gateway...the Gateway windows cd when I tried to install the recovery console said that the version of Windows on the machine was newer than what was on the cd & it would cause probs to install over it...
& feeling even dumber after that, when I tried to get combo fix to install the recovery console, it started running the disinfect...& when I panicked & clicked cancel it disappeared!
Ok I've re-downloaded ComboFix; still got the file from microsoft on desktop...
Now feeling like a total idiot: Is there somewhere here to find out what to do to get from step 3 under "if u use Windows XP & do not have the Windows CD" to the step where we start Combo Fix?

Edited by Judi-chan, 07 May 2008 - 03:57 PM.

Judi-chan

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:06 AM

Posted 07 May 2008 - 04:16 PM

Hi,

Yes, while installing the Recovery Console with Combofix, Combofix will indeed already scan as well.
So just use Combofix again to install the recovery console and let it finish. Then post the logs.

Also, please use the default forum font, because your post makes it hard to read, especially if you want to post the logs afterwards - it will be stretched if you dont use the default forum font.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Judi-chan

Judi-chan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:12:06 AM

Posted 07 May 2008 - 05:08 PM

Ty for your time miekiemoes...I followed instructions & deleted the Viewpoint Media Player, certainly don't need it...However, instead of uninstalling my paid copy of Weatherbug Plus (minibug done away with back in mists of time), I just followed the recommendation in the StartUp portion of forum & told it to only start when I ask it to do so (the way I always ran the free version). Hope that doesn't prevent any fix from working but I paid for that! :thumbsup:
Anyway here are the requested logs:

ComboFix 08-05-01.3 - Judi Ames 2008-05-07 17:39:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -4:00]
Running from: C:\Documents and Settings\Judi Ames\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Judi Ames\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\qadovnel.dll
C:\WINDOWS\spwoqbmv.exe
C:\WINDOWS\xbaqktfv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-05 07:42 . 2003-09-24 09:43 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-05-05 07:42 . 2003-09-24 09:43 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-05-05 07:42 . 2003-09-24 09:43 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-05-04 15:59 . 2008-05-04 15:59 82,380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-05-04 15:55 . 2008-05-04 15:55 <DIR> d-------- C:\Program Files\HP
2008-05-04 15:55 . 2008-05-04 15:59 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-04 15:54 . 2008-05-04 16:00 160,525 --a------ C:\WINDOWS\hpdj5100.his
2008-05-04 15:54 . 2008-05-04 16:00 7,589 --a------ C:\WINDOWS\hpdj5100.ini
2008-05-04 15:53 . 2008-05-04 15:54 3,492 --a------ C:\WINDOWS\hpbvspst.his
2008-05-04 15:53 . 2008-05-04 15:54 478 --a------ C:\WINDOWS\hpbvspst.ini
2008-05-04 15:49 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-04 15:49 . 2004-08-04 02:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-04 00:57 . 2008-05-04 00:57 <DIR> d-------- C:\Deckard
2008-05-02 12:37 . 2008-05-02 14:24 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-02 11:33 . 2008-05-02 11:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-02 11:33 . 2008-05-02 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 10:19 . 2008-05-02 10:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-02 00:31 . 2008-05-02 00:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 00:28 . 2008-05-02 00:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 03:51 . 2008-05-02 09:32 1,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-28 03:07 . 2008-04-28 03:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-27 21:19 . 2008-04-27 21:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-27 21:19 . 2008-04-27 21:19 2,551 --a------ C:\WINDOWS\unins000.dat
2008-04-27 20:10 . 2008-04-27 20:21 <DIR> d-------- C:\Program Files\EULAlyzer
2008-04-27 20:10 . 2008-05-04 12:46 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 12:36 . 2008-04-27 12:36 <DIR> d-------- C:\Documents and Settings\Judi Ames\Application Data\TmpRecentIcons
2008-04-27 01:22 . 2008-04-27 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bgnmxabo
2008-04-13 00:14 . 2008-04-13 00:14 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-11 19:44 . 2008-04-12 15:38 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 19:19 --------- d-----w C:\Program Files\Viewpoint
2008-05-07 19:19 --------- d-----w C:\Documents and Settings\Judi Ames\Application Data\Viewpoint
2008-05-02 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 17:42 --------- d-----w C:\Program Files\iWin Games
2008-05-02 13:41 --------- d-----w C:\Program Files\SpywareGuard
2008-05-02 10:36 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-02 04:31 --------- d-----w C:\Program Files\Lavasoft
2008-05-01 04:41 --------- d-----w C:\Documents and Settings\Jeanette Ames\Application Data\yoclient
2008-04-30 03:25 --------- d-----w C:\Documents and Settings\Jeanette Ames\Application Data\WeatherBug
2008-04-28 01:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-15 10:31 90,040 ----a-w C:\Documents and Settings\Judi Ames\Application Data\GDIPFONTCACHEV1.DAT
2008-04-13 04:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-07 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-05 03:17 --------- d-----w C:\Program Files\CCleaner
2008-04-02 05:53 --------- d-----w C:\Program Files\Slingo Quest Hawaii
2008-04-02 05:44 --------- d-----w C:\Program Files\iWin.com
2008-04-01 11:53 --------- d-----w C:\Program Files\InterActual
2008-03-27 23:14 --------- d-----w C:\Program Files\Microsoft Games
2008-03-22 06:19 --------- d-----w C:\Documents and Settings\Jeanette Ames\Application Data\Jasc Software Inc
2008-03-13 00:27 --------- d-----w C:\Program Files\Slingo Quest
2008-03-11 23:13 --------- d-----w C:\Documents and Settings\Judi Ames\Application Data\funkitron
2008-03-09 23:26 --------- d-----w C:\Documents and Settings\Judi Ames\Application Data\iWinArcade
2008-03-09 23:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2007-12-15 23:05 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 18:13 3810544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" [2001-12-04 13:07 101615 C:\WINDOWS\GWMDMMSG.exe]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 86016 C:\WINDOWS\StartupMonitor.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 00:41 28738]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 10:43 188416]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]

C:\Documents and Settings\Judi Ames\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 19:06:54 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"RemoteControl"=C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\Updreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=

R2 iWinGamesInstaller;iWinGamesInstaller;C:\Program Files\iWin Games\iWinGamesInstaller.exe [2008-03-05 08:49]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2003-12-01 11:11]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 01:31]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2003-12-01 11:11]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 05:20:45 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 05:00:13 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 17:46:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-07 17:52:40 - machine was rebooted [Judi Ames]
ComboFix-quarantined-files.txt 2008-05-07 21:52:31

Pre-Run: 54,181,588,992 bytes free
Post-Run: 54,761,705,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /noguiboot
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
189
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:49 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/?uid=6639670A35633C71
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1191698413636
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1191698401439
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
--
End of file - 9545 bytes

Oops now my manners are showing TIA, Judi A.

Edited by Judi-chan, 07 May 2008 - 05:12 PM.

Judi-chan

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:06 AM

Posted 07 May 2008 - 05:16 PM

Hi,

This looks OK again. :thumbsup:

Navigate to and delete the following folder:

C:\Documents and Settings\All Users\Application Data\bgnmxabo

Then,

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now...

Edited by miekiemoes, 07 May 2008 - 05:18 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:06 AM

Posted 16 May 2008 - 07:51 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users