Backdoor.sdbot.gen


This topic is locked
34 replies to this topic

#1 SueInAtl

Posted 10 May 2008 - 10:54 PM

When I restart the computer in safe mode, the Earthlink Complete Protection Center finds the backdoor.sdbot.gen. I stop the tool, let it delete the sdbot.gen, then rerun the Earthlink tool as well as other scans. I have not been able to remove this. I really would appreciate some help with this.
Thank you.

The scans from the steps in the tutorial are as follows:
Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 10, 2008 7:31:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/05/2008
Kaspersky Anti-Virus database records: 754681
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
D:\WINDOWS
D:\DOCUME~1\Suellen\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 24946
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:27:21

Infected Object Name / Virus Name / Last Action
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Internet Logs\ATH2000.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\mozy-1_8_2_3.exe/file06 Infected: not-a-virus:AdWare.Win32.WSearch.bl skipped
D:\WINDOWS\mozy-1_8_2_3.exe Inno: infected - 1 skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\Temp\ZLT0550b.TMP Object is locked skipped
D:\WINDOWS\Temp\ZLT0550e.TMP Object is locked skipped
D:\DOCUME~1\Suellen\LOCALS~1\Temp\~DF3991.tmp Object is locked skipped
D:\DOCUME~1\Suellen\LOCALS~1\Temp\~DF4A4C.tmp Object is locked skipped

Scan process completed.

From DSS:
Deckard's System Scanner v20071014.68
Run by Suellen on 2008-05-10 19:43:51
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...failed; computer is in safe mode.


Backed up registry hives.
Performed disk cleanup.

System Drive D: has 2.75 GiB (less than 15%) free.


-- HijackThis (run as Suellen.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:46:41 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\elnk_pcc2.exe
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Suellen\Desktop\dss.exe
D:\WINDOWS\explorer.exe
D:\PROGRA~1\HIJACK~1\Suellen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG Internet Security\avgssie.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - D:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - D:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - D:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EarthLink Protection Control Center] "D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVGINT~1\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Secunia PSI (RC1).lnk = E:\Program Files\Secunia\PSI (RC1)\psi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://D:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109036437076
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://fetch2.serveftp.com/cab/Live.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://207.69.19.96/NGVPNTunnel.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD1F9CC-0865-4AC0-A977-130C091BEC22}: NameServer = 207.69.188.187,207.69.188.186
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG Internet Security\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Adaware\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - D:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVGINT~1\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVGINT~1\avgfws8.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe" EarthLinkSafeConnectAgent (file missing)
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (D:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080411-201144-932 O23 - Service: AuthFw - Authentium - D:\Program Files\Authentium\Firewall SDK\AuthFw.exe
backup-20080411-201858-276 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080411-201858-494 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080411-201858-502 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080411-201858-567 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080411-201858-630 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080411-201858-834 R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
backup-20080411-201859-931 O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
backup-20080411-201904-144 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080411-201904-799 O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20080414-001529-140 O11 - Options group: [INTERNATIONAL] International*
backup-20080414-001714-427 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
backup-20080414-001714-795 O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
backup-20080414-001717-227 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
backup-20080414-001717-406 O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
backup-20080414-001717-913 O16 - DPF: IEPrint - http://www.visiontech.ltd.uk/software/download/IEPrint.CAB
backup-20080503-180654-496 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080503-180907-831 O16 - DPF: {11FAB11B-4792-4B59-85DF-23C6688B07B3} (XTSAC Control) - https://207.69.19.96/XTSAC.cab
backup-20080503-180949-152 O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
backup-20080503-182450-146 O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://207.69.19.106:1024/NetCamPlayerWeb11gv2.cab
backup-20080503-182450-796 O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - D:\Program Files\EarthLink\Toolbar\uninsttb.dll
backup-20080503-182450-835 O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVGINT~1\AVGTOO~1.DLL
backup-20080503-182706-183 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
backup-20080503-182833-194 O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
backup-20080503-182929-957 O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
backup-20080504-210654-451 O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVGINT~1\AVGTOO~1.DLL

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - D:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "D:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.scr - DWGTrueViewScriptFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PenClass (Pen Class) - d:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R0 si3112r (Silicon Image SiI 3112 SATARaid Controller) - d:\windows\system32\drivers\si3112r.sys <Not Verified; Silicon Image, Inc; Medley>
R0 SiFilter (SATALink driver accelerator) - d:\windows\system32\drivers\siwinacc.sys <Not Verified; Silicon Image, Inc.; SATALink Windows Accelerator>
R0 SiWinAcc - d:\windows\system32\drivers\siwinacc.sys <Not Verified; Silicon Image, Inc.; SATALink Windows Accelerator>
R1 GhPciScan (GhostPciScanner) - d:\program files\norton systemworks\norton ghost\ghpciscan.sys <Not Verified; Symantec Corporation; Symantec Ghost PCI Scanner>
R3 Pfc (Padus ASPI Shell) - d:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S2 mrtRate - d:\windows\system32\drivers\mrtrate.sys <Not Verified; Marimba, Inc.; Rate Sensing Manager>
S2 SocketLock (Raw Socket Lock Driver) - d:\windows\system32\socketlock.sys
S3 fixustor - d:\windows\system32\drivers\fixustor.sys <Not Verified; Genesys Logic; USB storage patch driver>
S3 LMImirr - d:\windows\system32\drivers\lmimirr.sys (file missing)
S3 PSI - d:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>
S3 WrKPoET2000 - d:\program files\winpoet broadband connection\wrkpoet2000.sys
S3 yukonx86 (NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter) - d:\windows\system32\drivers\yukonx86.sys <Not Verified; Marvell Semiconductor Inc.; Marvell Yukon Gigabit Ethernet Adapter>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 AdobeActiveFileMonitor (Adobe Active File Monitor) - d:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
S4 AuthFw - "d:\program files\authentium\firewall sdk\authfw.exe" <Not Verified; Authentium; Authentium Firewall SDK>
S4 GhostStartService - d:\progra~1\norton~1\norton~2\ghosts~2.exe <Not Verified; Symantec Corporation; Norton Ghost Start Service>
S4 GoToMyPC - "d:\program files\citrix\gotomypc\g2svc.exe" -service (file missing)
S4 Speed Disk service - d:\progra~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>
S4 TabletService - d:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>
S4 WinPPPoverEthernet - d:\program files\winpoet broadband connection\wros.exe <Not Verified; iVasion, a Routerware Company; WinRouter Operating System>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&3B1D9AB8&0&2040
Manufacturer: Marvell
Name: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45
PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&3B1D9AB8&0&2040
Service: yukonx86


-- Scheduled Tasks -------------------------------------------------------------

2008-05-04 12:07:17 368 --a------ D:\WINDOWS\Tasks\Symantec NetDetect.job
2008-05-03 13:29:05 762 --a------ D:\WINDOWS\Tasks\Email_Recipes_etc.job
2008-05-02 21:22:36 822 --a------ D:\WINDOWS\Tasks\incr bkup.job
2008-04-28 15:40:41 868 --a------ D:\WINDOWS\Tasks\C_Admin_and_E_Ann.job
2008-04-28 15:16:02 788 --a------ D:\WINDOWS\Tasks\ath2000.job
2008-04-28 09:18:37 804 --a------ D:\WINDOWS\Tasks\Ath2000_SystemState.job
2008-04-16 19:47:13 838 --a------ D:\WINDOWS\Tasks\Jobsheet Backup.job
2008-04-14 22:04:01 882 --a------ D:\WINDOWS\Tasks\Daily_QSS.job
2008-04-12 10:05:39 860 --a------ D:\WINDOWS\Tasks\Ath2000-Email1.job
2008-04-01 12:30:11 848 --a------ D:\WINDOWS\Tasks\ATH2000_System_D.job
2007-07-06 22:13:32 220 --a------ D:\WINDOWS\Tasks\EVSdesktop_FullxQSS.job


-- Files created between 2008-04-10 and 2008-05-10 -----------------------------

2008-05-10 18:13:09 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-10 18:13:08 0 d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-05-10 18:13:06 0 d-------- D:\WINDOWS\LastGood
2008-04-28 01:16:18 835616 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-04-27 21:39:54 0 d-------- D:\Program Files\ZoneAlarmSB
2008-04-27 21:38:55 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-04-27 21:38:51 4212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2008-04-27 21:38:34 11264 --a------ D:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-27 21:38:14 0 d-------- D:\WINDOWS\system32\ZoneLabs
2008-04-27 21:37:25 0 d-------- D:\WINDOWS\Internet Logs
2008-04-27 13:41:54 0 d-------- D:\Documents and Settings\Suellen\Application Data\PC Tools
2008-04-14 15:15:04 0 d--h----- D:\$AVG8.VAULT$
2008-04-13 23:04:19 0 d-------- D:\WINDOWS\system32\drivers\Avg
2008-04-13 23:04:18 0 d-------- D:\Documents and Settings\Suellen\Application Data\AVGTOOLBAR
2008-04-13 23:02:56 0 d-------- D:\Program Files\AVG
2008-04-13 23:02:49 0 d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-04-11 10:08:52 0 d-------- D:\!KillBox
2008-04-10 14:41:03 3608576 --ah----- D:\AFCache.dat
2008-04-10 14:40:58 0 dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Favorites
2008-04-10 14:40:48 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Desktop
2008-04-10 14:33:36 0 d-------- D:\Documents and Settings\Suellen\Application Data\ScamBlocker
2008-04-10 14:30:04 0 d-------- D:\Program Files\Common Files\EarthLink
2008-04-10 14:28:59 0 d-------- D:\Program Files\Microsoft WSE
2008-04-10 14:28:51 152 --a------ D:\WINDOWS\system32\???????????????????????????????????????????g
2008-04-10 14:28:11 0 d-------- D:\Program Files\Authentium
2008-04-10 14:28:05 0 d-------- D:\Program Files\Common Files\Authentium
2008-04-10 14:27:54 0 d-------- D:\Program Files\Common Files\ADS
2008-04-10 14:27:27 0 d-------- D:\Program Files\EarthLink
2008-04-10 14:27:27 0 d-------- D:\Program Files\Common Files\EarthLink Protection Control Center
2008-04-10 14:26:49 0 d-------- D:\Documents and Settings\Suellen\Application Data\InstallShield


-- Find3M Report ---------------------------------------------------------------

2008-05-03 19:21:03 0 d-------- D:\Program Files\Ipswitch
2008-04-27 11:37:40 0 d-------- D:\Documents and Settings\Suellen\Application Data\Uniblue
2008-04-14 17:14:19 0 d-------- D:\Program Files\Common Files\Nereosoft
2008-04-14 17:07:37 0 d-------- D:\Program Files\Google
2008-04-14 17:04:48 0 d-------- D:\Program Files\EarthLink TotalAccess
2008-04-11 18:34:20 0 d-------- D:\Program Files\Mozy
2008-04-10 21:25:46 0 d-------- D:\Program Files\LogMeIn
2008-04-10 14:33:37 0 d-------- D:\Documents and Settings\Suellen\Application Data\Earthlink
2008-04-10 14:30:04 0 d-------- D:\Program Files\Common Files
2008-04-10 14:28:51 152 --a------ D:\WINDOWS\system32\???????????????????????????????????????????g
2008-04-10 14:27:25 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-03-13 18:57:53 0 d-------- D:\Program Files\Java
2008-03-11 20:51:43 0 d-------- D:\Documents and Settings\Suellen\Application Data\Help


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/27/2008 09:39 PM 262144 --a------ D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/27/2008 09:39 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [07/15/2004 03:42 PM]
"EarthLink Protection Control Center"="D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\elnk_pcc2.exe" [08/08/2007 11:14 AM]
"AVG8_TRAY"="E:\PROGRA~1\AVGINT~1\avgtray.exe" [04/13/2008 11:03 PM]
"ZoneAlarm Client"="C:\Program Files\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [04/04/2005 12:35 AM]

D:\Documents and Settings\Suellen\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - E:\Program Files\Secunia\PSI (RC1)\psi.exe [2/22/2008 5:09:52 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk.disabled
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=D:\WINDOWS\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Startup.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Quicken Startup.lnk.disabled
backup=D:\WINDOWS\pss\Quicken Startup.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Service Manager.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Service Manager.lnk.disabled
backup=D:\WINDOWS\pss\Service Manager.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk.disabled
backup=D:\WINDOWS\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Suellen^Start Menu^Programs^Startup^TimeLeft.lnk.disabled]
path=D:\Documents and Settings\Suellen\Start Menu\Programs\Startup\TimeLeft.lnk.disabled
backup=D:\WINDOWS\pss\TimeLeft.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WZCSVC"=2 (0x2)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"gusvc"=3 (0x3)
"GhostStartService"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"E6TaskPanel"="D:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
"WMPNSCFG"=D:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
"ISUSPM Startup"=D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"nForce Tray Options"=sstray.exe /r
"nwiz"=nwiz.exe /install
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" -atboottime
"REGSHAVE"=D:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"GhostStartTrayApp"=D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"UMonit"=D:\WINDOWS\system32\umonit.exe
"GoToMyPC"=D:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
"Adobe Photo Downloader"="D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 acestats.com
127.0.0.1 www.acestats.com
127.0.0.1 www.activesearch.com #[Adware.ActiveSearch]
127.0.0.1 actualnames.com #[Parasite.ActualNames][Spyware.ActualNames]
127.0.0.1 www.actualnames.com
127.0.0.1 ad-up.com
127.0.0.1 www.ad-up.com
127.0.0.1 adatom.com
127.0.0.1 aesp.adatom.com
127.0.0.1 adbest.com #[IE-SpyAd]

11432 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-10 19:48:01 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2000+
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 767.48 MiB / 460.85 MiB
Pagefile Memory (total/avail): 1926.21 MiB / 1699.56 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.71 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 8.57 GiB free.
D: is Fixed (NTFS) - 19.53 GiB total, 2.75 GiB free.
E: is Fixed (NTFS) - 75.42 GiB total, 10.29 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6 Y120M0 SCSI Disk Device - 114.49 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 94.95 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.0.473.000 (Check Point, LTD.) Disabled
FW: EarthLink Firewall v3.212 (Authentium)
FW: AVG Firewall v8.0 (AVG Technologies CZ, s.r.o.) Disabled
AV: AVG Internet Security v8.0 (AVG Technologies)
AV: EarthLink Antivirus v3.93 (Authentium)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users.WINDOWS
APPDATA=D:\Documents and Settings\Suellen\Application Data
CLASSPATH=.;D:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=ATH2000
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\Suellen
LOGONSERVER=\\ATH2000
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;"D:\Program Files\Norton SystemWorks\Norton Ghost\";D:\Program Files\Microsoft SQL Server\80\Tools\Binn\;E:\Program Files\QuickTime\QTSystem\;C:\Program Files\Autodesk dwg viewer\;D:\Program Files\Common Files\ADS;D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=D:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\Suellen\LOCALS~1\Temp
TMP=D:\DOCUME~1\Suellen\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=ATH2000
USERNAME=Suellen
USERPROFILE=D:\Documents and Settings\Suellen
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Suellen (admin)
Administrator.ATH2000 (admin)
Administrator.ATH2000 (admin)
bssgvi (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
--> MsiExec.exe /I{6975E810-C92F-45F0-0BFD-187B312F10E8}
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> MsiExec.exe /I{C8D79874-7F2B-4346-99F1-DAA8AABF9DCA}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
ACT! --> D:\WINDOWS\IsUninstAct.exe -f"D:\Program Files\ACT\Uninst6.isu" -c"D:\Program Files\ACT\UNINSTAL.DLL"
Ad-Aware 2007 --> MsiExec.exe /X{46AC899A-9ECB-43DC-85DE-272E0D116A1E}
Adobe Photoshop Elements 3.0 --> MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AM-DeadLink 2.8.1 --> "E:\AM-DeadLink\unins000.exe"
Amazing Resume Creator v1.0 --> "C:\JOBS - TIPS - RESUMES\Amazing Resume Creator\unins000.exe"
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{EE5BD928-7934-4E7B-9FE0-0454931A7159}
AVG 8.0 --> E:\Program Files\AVG Internet Security\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\AVG Anti-Spyware 7.5\Uninstall.exe
Belarc Advisor 7.2 --> D:\PROGRA~1\Belarc\Advisor\Uninstall.exe D:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Blender (remove only) --> "D:\Program Files\Blender Foundation\Blender\uninstall.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
doPDF 5.0 printer --> "E:\Program Files\Softland\doPDF 5\unins000.exe"
DP Import --> MsiExec.exe /I{3B4E229C-37FE-4B7D-BB71-A27EC992B3DB}
DWG TrueView 2007 --> MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
EarthLink Protection Control Center --> D:\Program Files\InstallShield Installation Information\{7E026A05-69E6-40C5-8838-1256DE89650C}\setup.exe -runfromtemp -l0x0009 -removeonly
EPSON TWAIN 5 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\SETUP.EXE" -l0x9 UNINSTALL
FinePixViewer Ver.4.1 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
FUJIFILM USB Driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
G-Zapper v1.42 --> C:\G-Zapper\unins000.exe
GD Bloomberg Gadget --> MsiExec.exe /I{A52F74AD-B4CC-41B1-B09B-F68259772B56}
Generic color icon driver --> D:\WINDOWS\temp\fixustor\remove.exe
Genesys USB Mass Storage Device --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B4BF87C8-3EEC-4774-82A2-584F109187B1}\Setup.exe"
Google Desktop Plugin - Calendar --> MsiExec.exe /X{CE55B9C0-D0E6-42F5-8CCA-9A6B90359FAC}
Google Desktop Plugin - oCalendar --> MsiExec.exe /X{31127C19-C589-4C1A-AEB3-7DB8091F303C}
Google Desktop Plugin - Timer --> MsiExec.exe /X{53741493-7900-4A49-B994-914AC657A939}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "d:\program files\google\googletoolbar4.dll"
Heatsoft ADCS --> E:\PROGRA~1\ADCS\UNWISE.EXE E:\PROGRA~1\ADCS\INSTALL.LOG
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hijackthis 1.99.1 --> "D:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> D:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InfoFinder --> MsiExec.exe /I{9E7F6BFC-940C-457E-B4CC-62D20DC44841}
InterVideo DVDCopy --> "D:\Program Files\InstallShield Installation Information\{DD28F8FE-CC0B-47BD-A833-CBBC19D6A8E2}\setup.exe" --u:{DD28F8FE-CC0B-47BD-A833-CBBC19D6A8E2}
InterVideo WinDVD Creator 2 --> "D:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Recorder 5 --> "D:\Program Files\InstallShield Installation Information\{0B168FED-B9EC-4DA8-AC17-9A41F284640B}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Juice 2.2 --> E:\Juice\uninst.exe
Kaspersky Online Scanner --> D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.6 (Symantec Corporation) --> D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LogMeIn --> MsiExec.exe /I{7556CE8F-3B9D-4575-924E-72A5EC880D3C}
LogMeIn --> MsiExec.exe /I{DD3912D6-F9FF-4042-A062-65354D6D9024}
Macromedia Dreamweaver MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia FreeHand 10 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{4D826618-59C6-11D4-976E-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Shockwave Player --> D:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Baseline Security Analyzer 2.0.1 --> MsiExec.exe /I{7F231232-C309-4401-964A-2A002B6E1ED9}
Microsoft Compression Client Pack 1.0 for Windows XP --> "D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Accounting 2006 --> MsiExec.exe /X{F413D795-B077-4A96-AE75-810BBA673A0E}
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft Producer for Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-15E08F691033}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft WSE 2.0 SP3 Runtime --> MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MSXMLFix --> MsiExec.exe /I{FD0C0BCE-7049-44D2-B5B3-19A5732CB459}
Nero OEM --> D:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Norton SystemWorks 2003 --> MsiExec.exe /I{43C3D832-AC96-463A-2003-1B8D1BFA2523}
NVIDIA Drivers --> D:\WINDOWS\System32\nvudisp.exe UninstallGUI
Pen Tablet --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5AFDA63F-D659-4991-81B1-57B4311E5C82} /l1033
QuickBooks Pro 2002 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{809987B2-F964-11D4-A1A5-00104BD190B1}\setup.exe" -addremove
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks SDK 4.0 --> MsiExec.exe /I{CEF27C82-D1C0-4916-BDB2-F8BF32262604}
Quicken Home & Business 2000 --> D:\WINDOWS\IsUninst.exe -fe:\Quicken\Uninst.isu
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RAW FILE CONVERTER LE --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D680C913-5955-469D-9D88-C1940F7506D6}\SETUP.EXE" -l0x9
RegoRobotVer4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6D9C83CB-07E8-11D5-B189-00E07D8B90C2}\setup.exe"
Secunia NSI (Public Beta 1) --> "e:\Program Files\Secunia\NSI (Public Beta 1)\uninstall.exe"
Secunia PSI (RC1) --> "E:\Program Files\Secunia\PSI (RC1)\uninstall.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Send To Toys v2.5 --> "D:\Program Files\Send To Toys\unins000.exe"
Spyware Doctor 5.5 --> E:\Program Files\Spyware Doctor\unins000.exe /LOG
Style Master 4 Demo --> MsiExec.exe /I{29EAEEAB-781B-4E9B-83F7-8D080393B096}
SyncToy --> MsiExec.exe /I{B5688129-7595-4E5B-9990-CEF981A31264}
TaxACT 2006 --> D:\PROGRA~1\2NDSTO~1\TAXACT~1\Unta06.exe D:\PROGRA~1\2NDSTO~1\TAXACT~1\Install.log
TaxACT Georgia 2006 --> D:\PROGRA~1\2NDSTO~1\TAXACT~1\Unst06.exe D:\PROGRA~1\2NDSTO~1\TAXACT~1\GA.log
The Greatest Computer Tips --> D:\WINDOWS\GPInstall.exe "/UNINST=D:\Program Files\The Kim Komando Show\UnInst.log" "/APPNAME=The Greatest Computer Tips"
The Greatest Computer Tips Volume 2 --> D:\WINDOWS\GPInstall.exe "/UNINST=D:\Program Files\KomandoTips2\UnInst.log" "/APPNAME=The Greatest Computer Tips Volume 2"
Virtual Garden --> D:\WINDOWS\unvise32.exe D:\Program Files\uninstal.log
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "D:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinPoET v4.0 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{9806BFBB-F566-4654-94DE-CB1F85B5CDDD}\Setup.exe" -l0x9
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
ZeroDay --> MsiExec.exe /I{4CB686B8-144D-4D8C-830F-0A0DA9A039DC}
ZoneAlarm --> C:\Program Files\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 D:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type3812 / Error
Event Submitted/Written: 05/10/2008 07:47:07 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type3811 / Error
Event Submitted/Written: 05/10/2008 07:47:07 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type3810 / Error
Event Submitted/Written: 05/10/2008 07:47:07 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type3809 / Error
Event Submitted/Written: 05/10/2008 07:47:07 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type3808 / Error
Event Submitted/Written: 05/10/2008 07:47:07 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27629 / Error
Event Submitted/Written: 05/10/2008 07:47:30 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type27625 / Error
Event Submitted/Written: 05/10/2008 07:40:24 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27624 / Error
Event Submitted/Written: 05/10/2008 07:40:06 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27623 / Error
Event Submitted/Written: 05/10/2008 07:39:58 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27622 / Error
Event Submitted/Written: 05/10/2008 07:31:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-05-10 19:48:01 ------------

Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:03 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
C:\Program Files\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG Internet Security\avgssie.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - D:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - D:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - D:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EarthLink Protection Control Center] "D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVGINT~1\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AutorunsDisabled
O4 - Startup: Secunia PSI (RC1).lnk = E:\Program Files\Secunia\PSI (RC1)\psi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://D:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109036437076
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://fetch2.serveftp.com/cab/Live.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://207.69.19.96/NGVPNTunnel.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD1F9CC-0865-4AC0-A977-130C091BEC22}: NameServer = 207.69.188.187,207.69.188.186
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG Internet Security\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Adaware\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - D:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVGINT~1\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVGINT~1\avgfws8.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7274 bytes

#2 SueInAtl

SueInAtl
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Atlanta, GA

Posted 11 May 2008 - 09:44 AM

Do I need to run all of these tools in normal mode? I'm not very good on forums; I posted this once, got a reply that I needed to update my HiJack This tool and post as a reply, but couldn't find my post again.
I've been trying for a little over a month to clean up this computer.

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 30 May 2008 - 09:52 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum, sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to. If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Sorry for the delay. If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 SueInAtl

SueInAtl
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:Atlanta, GA

Posted 02 June 2008 - 09:44 PM

Thank you for taking your time for this! Yes, I do still need help. I have done some more cleanup, and was able to get my tax info off in time, but it still shows an infection with backdoor.sdbot.gen which might be ctfmon. I'm not sure. I have run a HijackThis log. Is safe mode okay? There is a ctfmon.exe process that is 3000+k. If I keep deleting that in the Task Manager, I can keep running.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:20 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ZoneAlarm\zlclient.exe
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\elnk_pcc2.exe
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG Internet Security\avgssie.dll (file missing)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - D:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - D:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - D:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AutorunsDisabled
O4 - Startup: Secunia PSI (RC1).lnk = E:\Program Files\Secunia\PSI (RC1)\psi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://D:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109036437076
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://fetch2.serveftp.com/cab/Live.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://207.69.19.96/NGVPNTunnel.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD1F9CC-0865-4AC0-A977-130C091BEC22}: NameServer = 207.69.188.187,207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Adaware\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - D:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7605 bytes

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:21 AM

Posted 03 June 2008 - 03:50 AM

Hi,

Please download the ComboFix from the links above and follow all instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • "If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#6 SueInAtl

SueInAtl
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Female
  • Location:Atlanta, GA
  • Local time:05:21 AM

Posted 03 June 2008 - 04:27 PM

Ok. I downloaded ComboFix, and dragged the Windows XP Pro Recovery Console download over the ComboFix. It took off and showed that it was making a backup of the registry.... After about an hour, I heard a beep and went in to see a black screen. The computer is still running.
The last thing I saw on the screen was:

"Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double."
(cursor here)

It stayed at this screen for quite some time, then the screen went black.

Should I reboot?

#7 SueInAtl

SueInAtl
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Female
  • Location:Atlanta, GA
  • Local time:05:21 AM

Posted 03 June 2008 - 04:35 PM

Oh, sorry! That was the black screen saver on that machine! I'm a little nervous after reading all the disclaimers about ComboFix. It is still sitting there at "... scan times may easily double". There is no "stage 1", etc.

#8 SueInAtl

SueInAtl
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Female
  • Location:Atlanta, GA
  • Local time:05:21 AM

Posted 03 June 2008 - 07:35 PM

It restarted the computer, so I took a chance and ran ComboFix again. This time it gave the expected results. (I think I had not killed all the processes for antivirus/antispyware before)

Here is the ComboFix log:
ComboFix 08-06-01.6 - Suellen 2008-06-03 20:16:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.410 [GMT -4:00]
Running from: D:\Documents and Settings\Suellen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-05-27 15:05 . 2008-05-27 15:05 <DIR> d-------- D:\Documents and Settings\Bonita\Application Data\Symantec
2008-05-27 13:42 . 2008-05-27 13:42 <DIR> d-------- D:\Documents and Settings\Bonita\Application Data\SUPERAntiSpyware.com
2008-05-25 13:03 . 2008-05-25 13:03 <DIR> d-------- D:\Documents and Settings\Bonita\Application Data\Malwarebytes
2008-05-20 22:40 . 2008-05-20 22:40 <DIR> d-------- D:\Documents and Settings\Bonita\SecurityScans
2008-05-20 20:42 . 2008-05-20 20:42 <DIR> d-------- D:\Documents and Settings\Bonita\Application Data\EarthLink
2008-05-20 20:41 . 2008-05-20 20:41 <DIR> d-------- D:\Documents and Settings\Bonita\Application Data\Leadertech
2008-05-20 20:35 . 2008-05-20 20:35 <DIR> d-------- D:\Documents and Settings\Bonita\Application Data\ScamBlocker
2008-05-20 20:30 . 2008-06-02 19:59 <DIR> d-------- D:\Documents and Settings\Bonita
2008-05-19 22:31 . 2008-05-19 22:31 <DIR> d-------- D:\Documents and Settings\Suellen\Application Data\SUPERAntiSpyware.com
2008-05-19 22:31 . 2008-05-19 22:31 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- D:\Documents and Settings\Suellen\Application Data\Malwarebytes
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-18 21:42 . 2008-05-05 20:46 27,048 --a------ D:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 21:42 . 2008-05-05 20:46 15,864 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 16:05 . 2008-05-12 16:05 <DIR> d-------- D:\Program Files\Common Files\PC Tools
2008-05-12 16:05 . 2008-05-12 16:05 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\PC Tools
2008-05-12 16:05 . 2008-05-12 16:05 159,112 --a------ D:\WINDOWS\system32\drivers\pctfw2.sys
2008-05-12 07:40 . 2007-08-14 08:12 5,760 --------- D:\WINDOWS\system32\1203.tmp
2008-05-11 20:34 . 2008-05-11 20:34 <DIR> d-------- D:\Program Files\SPYBOT~1
2008-05-10 23:45 . 2008-05-10 23:45 <DIR> d-------- D:\Program Files\Trend Micro
2008-05-10 19:39 . 2008-05-10 19:39 <DIR> d-------- D:\Deckard
2008-05-10 18:13 . 2008-05-10 18:13 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-05-10 18:13 . 2008-05-10 18:13 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 00:00 26,156 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-06-03 00:00 2,533,408 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 19:11 --------- d-----w D:\Program Files\Common Files\Symantec Shared
2008-05-27 19:03 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-05-27 19:03 --------- d-----w D:\Program Files\FinePixViewer
2008-05-27 17:39 2,343,330 ----a-w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-25 17:25 --------- d---a-w D:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-05-21 21:54 --------- d-----w D:\Program Files\Norton SystemWorks
2008-05-21 00:31 20,299,308 ----a-w D:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_20_20_20_41_full.dmp.zip
2008-05-21 00:19 --------- d-----w D:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-20 02:25 77,824 ----a-w D:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-20 02:07 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 14:41 104,448 ----a-w D:\WINDOWS\Internet Logs\xDB9.tmp
2008-05-12 20:11 1,405,440 ----a-w D:\WINDOWS\Internet Logs\xDB8.tmp
2008-05-12 20:07 179,200 ----a-w D:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-12 01:22 --------- d-----w D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-11 14:53 1,372,672 ----a-w D:\WINDOWS\Internet Logs\xDB6.tmp
2008-05-03 23:21 --------- d-----w D:\Program Files\Ipswitch
2008-05-03 22:43 28,320 ----a-w D:\WINDOWS\Internet Logs\zlclient_2nd_2008_05_03_18_42_39_small.dmp.zip
2008-05-03 19:24 1,332,736 ----a-w D:\WINDOWS\Internet Logs\xDB5.tmp
2008-05-03 19:20 128,000 ----a-w D:\WINDOWS\Internet Logs\xDB4.tmp
2008-05-03 01:14 1,328,640 ----a-w D:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-28 19:16 42,496 ----a-w D:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-28 05:19 45,568 ----a-w D:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-28 01:39 --------- d-----w D:\Program Files\ZoneAlarmSB
2008-04-28 01:38 --------- d-----w D:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-04-27 17:41 --------- d-----w D:\Documents and Settings\Suellen\Application Data\PC Tools
2008-04-27 15:37 --------- d-----w D:\Documents and Settings\Suellen\Application Data\Uniblue
2008-04-26 01:00 --------- d-----w D:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-14 21:14 --------- d-----w D:\Program Files\Common Files\Nereosoft
2008-04-14 21:07 --------- d-----w D:\Program Files\Google
2008-04-14 21:04 --------- d-----w D:\Program Files\EarthLink TotalAccess
2008-04-14 19:15 --------- d-----w D:\Documents and Settings\Suellen\Application Data\AVGTOOLBAR
2008-04-11 22:34 --------- d-----w D:\Program Files\Mozy
2008-04-10 18:41 4,444,160 ---ha-w D:\AFCache.dat
2008-04-10 18:41 --------- d-----w D:\Program Files\Common Files\ADS
2008-04-10 18:33 --------- d-----w D:\Documents and Settings\Suellen\Application Data\ScamBlocker
2008-04-10 18:33 --------- d-----w D:\Documents and Settings\Suellen\Application Data\Earthlink
2008-04-10 18:30 --------- d-----w D:\Program Files\Common Files\EarthLink
2008-04-10 18:29 --------- d-----w D:\Program Files\EarthLink
2008-04-10 18:28 --------- d-----w D:\Program Files\Microsoft WSE
2008-04-10 18:28 --------- d-----w D:\Program Files\Common Files\Authentium
2008-04-10 18:28 --------- d-----w D:\Program Files\Authentium
2008-04-10 18:27 --------- d-----w D:\Program Files\Common Files\EarthLink Protection Control Center
2008-04-10 18:26 --------- d-----w D:\Documents and Settings\Suellen\Application Data\InstallShield
2008-04-03 01:07 75,248 ----a-w D:\WINDOWS\zllsputility.exe
2008-04-03 01:07 1,086,952 ----a-w D:\WINDOWS\system32\zpeng24.dll
2008-03-18 02:44 83,288 ----a-w D:\WINDOWS\system32\LMIRfsClientNP.dll
2008-03-18 02:44 10,040 ----a-w D:\WINDOWS\system32\LMImirr2.dll
2007-02-05 22:23 1,522 ----a-w D:\Program Files\Notepad.lnk
2005-12-27 22:28 56 --sh--r D:\WINDOWS\system32\71BB04EEFF.sys
2005-12-27 22:28 3,766 -csh--w D:\WINDOWS\system32\KGyGaAvL.sys
2008-02-04 17:57 32,768 --sha-w D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-27 21:39 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-07-15 15:42 4112384]
"ZoneAlarm Client"="C:\Program Files\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19 79224]

D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Server Management.lnk - D:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe [2003-09-10 19:44:18 22528]

D:\Documents and Settings\Suellen\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - E:\Program Files\Secunia\PSI (RC1)\psi.exe [2008-02-22 05:09:52 626688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"VIDC.MPG4"= D:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= D:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= D:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= D:\WINDOWS\GeoCodec.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk.disabled
backup=D:\WINDOWS\pss\Adobe Gamma Loader.lnk.disabledCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled
backup=D:\WINDOWS\pss\QuickBooks Update Agent.lnk.disabledCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Startup.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Quicken Startup.lnk.disabled
backup=D:\WINDOWS\pss\Quicken Startup.lnk.disabledCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Service Manager.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Service Manager.lnk.disabled
backup=D:\WINDOWS\pss\Service Manager.lnk.disabledCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
path=D:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinZip Quick Pick.lnk.disabled
backup=D:\WINDOWS\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^Suellen^Start Menu^Programs^Startup^TimeLeft.lnk.disabled]
path=D:\Documents and Settings\Suellen\Start Menu\Programs\Startup\TimeLeft.lnk.disabled
backup=D:\WINDOWS\pss\TimeLeft.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 E:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WZCSVC"=2 (0x2)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"gusvc"=3 (0x3)
"GhostStartService"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"E6TaskPanel"="D:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
"WMPNSCFG"=D:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
"ISUSPM Startup"=D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"nForce Tray Options"=sstray.exe /r
"nwiz"=nwiz.exe /install
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" -atboottime
"REGSHAVE"=D:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"GhostStartTrayApp"=D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
"UMonit"=D:\WINDOWS\system32\umonit.exe
"GoToMyPC"=D:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
"Adobe Photo Downloader"="D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 GRFILTER;CS NDIS Driver;D:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 10:35]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2003-05-08 22:55]
R0 SiWinAcc;SiWinAcc;D:\WINDOWS\system32\drivers\SiWinAcc.sys [2003-02-11 19:37]
R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R1 pctfw2;pctfw2;D:\WINDOWS\system32\drivers\pctfw2.sys [2008-05-12 16:05]
R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 GRTdiMon;GR TDI Mon;D:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 10:35]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;D:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 11:55]
R2 mrtRate;mrtRate;D:\WINDOWS\system32\drivers\mrtRate.sys [1999-11-05 19:43]
R2 SocketLock;Raw Socket Lock Driver;D:\WINDOWS\system32\socketlock.sys [2006-10-10 11:12]
R3 ADSFilter;ADSFilter - (EarthLink Filter Driver);D:\WINDOWS\system32\drivers\ADSFilter.sys [2007-08-03 07:35]
R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);D:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 07:35]
R3 NGSSLDrv;VPN Tunnel NGSSLDrv Adapter;D:\WINDOWS\system32\DRIVERS\NGSSLDrv.sys [2007-05-10 14:54]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 10:57]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 10:57]
S3 fixustor;fixustor;D:\WINDOWS\system32\drivers\fixustor.sys [2003-08-21 11:49]
S3 MEMSWEEP2;MEMSWEEP2;D:\WINDOWS\system32\1.tmp []
S3 PSI;PSI;D:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]
S3 Slnt7554;USB Soft Modem Driver;D:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-04 01:41]
S3 WrKPoET2000;WrKPoET2000;D:\Program Files\WinPoET Broadband Connection\WrKPoET2000.sys [2000-10-30 19:11]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;D:\WINDOWS\system32\DRIVERS\yukonx86.sys [2003-10-16 18:27]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
S4 AuthFw;AuthFw;"D:\Program Files\Authentium\Firewall SDK\AuthFw.exe" [2007-04-05 14:02]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 14:05:39 D:\WINDOWS\Tasks\Ath2000-Email1.job"
- D:\WINDOWS\system32\ntbackup.exelbackup
"2008-05-28 18:40:16 D:\WINDOWS\Tasks\ath2000.job"
- D:\WINDOWS\system32\ntbackup.exeAbackup
"2008-05-28 13:15:51 D:\WINDOWS\Tasks\Ath2000_SystemState.job"
- D:\WINDOWS\system32\ntbackup.exeGbackup
"2008-04-01 16:30:11 D:\WINDOWS\Tasks\ATH2000_System_D.job"
- D:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-28 19:40:41 D:\WINDOWS\Tasks\C_Admin_and_E_Ann.job"
- D:\WINDOWS\system32\ntbackup.exelbackup
"2008-04-15 02:04:01 D:\WINDOWS\Tasks\Daily_QSS.job"
- D:\WINDOWS\system32\ntbackup.exe?backup
"2008-05-28 17:27:10 D:\WINDOWS\Tasks\Email_Recipes_etc.job"
- D:\WINDOWS\system32\ntbackup.execbackup
"2007-07-07 02:13:32 D:\WINDOWS\Tasks\EVSdesktop_FullxQSS.job"
- c:\EVSdesktop_FullxQSS.bat
"2008-05-29 01:17:38 D:\WINDOWS\Tasks\incr bkup.job"
- D:\WINDOWS\system32\ntbackup.exeebackup
"2008-06-03 23:47:15 D:\WINDOWS\Tasks\Jobsheet Backup.job"
- D:\WINDOWS\system32\ntbackup.exe?backup
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 20:20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\D:\WINDOWS\system32\1.tmp"
.
Completion time: 2008-06-03 20:22:55
ComboFix-quarantined-files.txt 2008-06-04 00:22:44
ComboFix2.txt 2006-10-13 13:50:24

Pre-Run: 2,844,872,704 bytes free
Post-Run: 2,891,853,824 bytes free

235 --- E O F --- 2007-06-17 02:26:11


And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:42 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\fxssvc.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG Internet Security\avgssie.dll (file missing)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - D:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - D:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - D:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: AutorunsDisabled
O4 - Startup: Secunia PSI (RC1).lnk = E:\Program Files\Secunia\PSI (RC1)\psi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://D:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109036437076
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://fetch2.serveftp.com/cab/Live.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://207.69.19.96/NGVPNTunnel.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD1F9CC-0865-4AC0-A977-130C091BEC22}: NameServer = 207.69.188.187,207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Adaware\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - D:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7988 bytes

#9 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:08:21 AM

Posted 04 June 2008 - 04:40 AM

Hi,

# Step 1 #

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.




Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.


# Step 2 #

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • ZoneAlarmSB
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


# Step 3 #

Go to Start » Run » type: regedit » OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File » Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File » Exit.
# Step 4 #

Go to Start » Run » type: Notepad » OK.
Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the code box below (starting with REGEDIT4) to Notepad. (Be sure to use Notepad, not Wordpad, otherwise it won't work).

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"=-

[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it Fixme.reg and save it on your desktop.
  • Double click Fixme.reg. It will ask you if you want to merge it to the registry, click Yes.

# Step 5 #

Please set your system to show all files.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

# Step 6 #

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files and folders, "if present":

D:\Program Files\ZoneAlarmSB <- this folder

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete



# Step 7 #

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Check the "Hide file extensions for known file types" option.
  • Click Yes to confirm. Click OK.

# Step 8 #

Finally, reboot your computer and please post a new HijackThis log, and a description of any remaining problems.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
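Before merging a .reg file like the one in Step 4, it helps to see exactly what it will do to the registry. The parser below for the REGEDIT4 format is an added example written for this page, not code from the thread or from Microsoft; it reads the Fixme.reg contents above (embedded as a constructed sample) and lists each key and value operation, distinguishing "[KEY]", "[-KEY]", '"name"=-' and '"name"=data'.

```python
import re
from typing import List, Tuple

# Constructed sample: the Fixme.reg contents from Step 4 of the post above.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"=-

[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A value line: the default value '@' or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (operation, key, value_name) tuples in file order.

    Operations: 'ensure_key' for [KEY] (created if absent), 'delete_key' for
    [-KEY] (whole subtree removed), 'delete_value' for "name"=- and
    'set_value' for any other "name"=data line.
    Raises ValueError on a missing header or a value line outside a key.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Registry Editor header")
    ops: List[Tuple[str, str, str]] = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):               # [-KEY]: no values may follow
                key = None
                ops.append(("delete_key", body[1:], ""))
            else:                                  # [KEY]: opens/creates the key
                key = body
                ops.append(("ensure_key", key, ""))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unexpected line outside a key: {raw!r}")
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
        op = "delete_value" if m.group(2).strip() == "-" else "set_value"
        ops.append((op, key, name))
    return ops
```

For the Step 4 file the result is: open the Internet Explorer Toolbar key, delete the toolbar's CLSID value there, then delete the matching CLSID key under HKEY_CLASSES_ROOT.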

#10 SueInAtl


Posted 04 June 2008 - 10:25 AM

Thank you again! I will do this as soon as I get home again.
I do want to tell you, though. I had gone through the steps to install the recovery console, but noted on the logs that it was not installed.

Last night I tried again to install the recovery console. I dragged the Windows Setup icon over ComboFix. However, when it showed me the Eula, I declined because I thought it had passed the point of setting up the recovery console. That wiped out the ComboFix icon. I think I need to remove ComboFix now and download again. True? Sorry I messed up.

I will also download the Windows Setup disk again. For some reason the Windows XP Pro install cd has a different license # than the one I have installed, so it will not install from there.

#11 lusitano

Portuguese Malware Fighter

Posted 04 June 2008 - 10:56 AM

I think I need to remove ComboFix now and download again. True? Sorry I messed up.


It's better. :thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#12 SueInAtl


Posted 04 June 2008 - 11:11 AM

Ok. It will be tonight. Thanks.

#13 SueInAtl


Posted 04 June 2008 - 06:55 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:05 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\fxssvc.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Common Files\ADS\ADSService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ZoneAlarm\zlclient.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Secunia\PSI (RC1)\psi.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - D:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG Internet Security\avgssie.dll (file missing)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - D:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - D:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - D:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AutorunsDisabled
O4 - Startup: Secunia PSI (RC1).lnk = E:\Program Files\Secunia\PSI (RC1)\psi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://D:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109036437076
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://fetch2.serveftp.com/cab/Live.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://207.69.19.96/NGVPNTunnel.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD1F9CC-0865-4AC0-A977-130C091BEC22}: NameServer = 207.69.188.187,207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Adaware\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - D:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - D:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - D:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8143 bytes
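A helper reads a log like the one above by hand; as an added example (not a BleepingComputer or HijackThis tool, and not part of the thread), the following Python script flags the kinds of entries that are usually checked first: registrations whose file is gone, O16 ActiveX downloads from a bare IP address, and O17 DNS servers that are not on an allow-list the caller supplies. The sample lines are constructed from the log above, and the flags mark entries for review, not as malicious.

```python
import re
from typing import Dict, List

# Constructed sample, taken from the HijackThis log posted above.
SAMPLE_LOG = r"""O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - D:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - D:\Program Files\EarthLink\Toolbar\Toolbar.dll
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://207.69.19.96/NGVPNTunnel.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCD1F9CC-0865-4AC0-A977-130C091BEC22}: NameServer = 207.69.188.187,207.69.188.186
"""

# HijackThis entries start with a section tag such as R0, F1, O2 or O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def triage(log: str, trusted_dns: List[str]) -> List[Dict[str, str]]:
    """Return one finding per entry that deserves a second look.

    Heuristics (review aids, not verdicts):
      * '(file missing)' / '(no file)': a registration whose file is gone,
        typically left behind by an uninstall.
      * O16 ActiveX download whose URL host is a bare IP address.
      * O17 NameServer entries not on the caller's allow-list of expected DNS.
    """
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if "(file missing)" in body or "(no file)" in body:
            reason = "orphaned registration"
        elif section == "O16" and BARE_IP_URL.search(body):
            reason = "ActiveX download from a bare IP address"
        elif section == "O17" and "NameServer =" in body:
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                reason = "DNS server not on allow-list: " + ",".join(unknown)
        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings
```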

#14 SueInAtl


Posted 04 June 2008 - 06:58 PM

The CF_RC.txt file:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#15 SueInAtl


Posted 04 June 2008 - 09:33 PM

Yikes! Now I have 3 trojans. I just went into safe mode and ran the Earthlink Protection Center (the only one that trapped backdoor.sdbot.gen before). It found backdoor.sdbot.gen, CDN, and BZub, and a Tacoda cookie as well.

I had tried to run Excel and had to shutdown because it was hanging.

Should I have been running in safe mode before? Should I have run ComboFix again? I stopped after it installed the recovery console.

Is there still hope?



