Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Bug! I Can't Get Rid Of This Pesky Bug.


  • This topic is locked This topic is locked
28 replies to this topic

#1 ladebac

ladebac

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 11 May 2008 - 11:04 AM

This is my first post to this column. I have used CounterSpy, Webroot Spysweeper, McAfee antivirus, and TrendMicro house call to get rid of the Virumonde bug. None of them have completely removed it. I have also removed some files manually myself after doing a little research. I'm no expert so I hope I haven't deleted anything important. The bug seemed to be in the explorer.exe file. Webroot Spysweeeper kept notifying of this file trying to install weird named BHOs. I deleted a couple of them. Here is my HijackThis logfile. Please analyze this and let me know what you find. Your help would be greatly appreciated. :thumbsup:





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:58 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMcf82201e] Rundll32.exe "C:\WINDOWS\system32\lvhjmonk.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [DelayShred] "c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\19OQQQ03\SUNBEL~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\V2CRUZZJ\FF2_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\V2CRUZZJ\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0W5PTJXD\FF2_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\19OQQQ03\BANNER~1.SH!
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: geBrOHXO - geBrOHXO.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14546 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 12 May 2008 - 04:25 PM

Hello ladebac,

I have also removed some files manually myself after doing a little research. I'm no expert so I hope I haven't deleted anything important.


You should not be removing files yourself if you do not know what you are doing!
That will only make it more difficult for me to help you.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

***********************


We need to create a Deckard's System Scanner (DSS) Log.

Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.

3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
main.txt <-- Will be maximized
extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

In your next reply, I need to see the following reports:
DSS Main.txt
DSS Extra.txt

Edited by SifuMike, 12 May 2008 - 04:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 14 May 2008 - 09:26 AM

I did as you asked and did the scan. I have attached the main.txt and the extra.txt. Let me know what you find out. Thanks for all your help. :thumbsup:



Deckard's System Scanner v20071014.68
Run by steve on 2008-05-14 06:41:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as steve.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-14 06:53:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\SYSTEM32\CISVC.EXE
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\FXSSVC.EXE
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Documents and Settings\steve\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\steve.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BMcf82201e] Rundll32.exe "C:\WINDOWS\system32\lvhjmonk.dll",s
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [DelayShred] "c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\19OQQQ03\SUNBEL~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\V2CRUZZJ\FF2_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\V2CRUZZJ\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0W5PTJXD\FF2_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\19OQQQ03\BANNER~1.SH!
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DWNAX09L\AOL_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\64YH0AMN\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\64YH0AMN\EBAYIS~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\64YH0AMN\EBAY_1~1.SH! C:\RECYCLER\S-1-5-~1\Dc1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\FF2_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\UTORRE~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\GET_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\GET_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\CLICK_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\_{MINI~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\MYSPAC~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\ADS_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\SH_TOP~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\POINTR~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\MINISU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\LOGINM~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\MAIN_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\FEATUR~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\SPI_LO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\MCLOGO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\LOGIN_~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\373910~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DA6U21MA\383955~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\IZT46CJC\UA_WEB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\PG856LR4\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KYRE9IMY\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\NN9EW1XK\72701_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\Y2R867Y7\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XF50UP32\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZYUG8988\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\CLICK_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\P9X4F17W\BANNER~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\ADS_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\8PDW6HRW\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\LOX_-_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\P9X4F17W\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\8PDW6HRW\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\RL1GTGVO\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\RL1GTGVO\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\2ZTT6YJR\GGG_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KVMU1Q9J\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OKRN5EOM\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OKRN5EOM\ADS_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KW4A269X\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\POZ7GIRJ\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GVMBVX2X\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\POZ7GIRJ\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\B9FHMCKX\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\B9FHMCKX\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\415548~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XE217HCE\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XE217HCE\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JBNLY8PB\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\Y8N2ERZP\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XE217HCE\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\N0BTE5ID\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JBNLY8PB\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\N0BTE5ID\FAYAR_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X55E9PMI\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\70YC3UA0\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\70YC3UA0\GETMSG~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DXXN5DGX\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X55E9PMI\GGG_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X55E9PMI\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\URCHIN~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\O-DEMO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DXXN5DGX\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\70YC3UA0\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\Temp\IMAGED~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\GETMSG~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OE1GXFIX\MINISU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\MAIN_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\FEATUR~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\B_ABOU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OE1GXFIX\SCFRNT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ODEMXJSY\L_HEAD~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KOZGDM10\FAYAR_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KOZGDM10\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4SGP4UYW\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X7JUYYOU\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WAFT754D\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\RUHUZLEY\MINISU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\8VA59D6Q\MAIN_2~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DHASDDQW\LOGINM~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DHASDDQW\LOGIN_~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZCXLFU1T\CLADOG~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\1NZW80C5\INDEX_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\1NZW80C5\__ORD_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EB4JH6LW\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\QQ1C4WGX\TRACE_~1.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: geBrOHXO - C:\WINDOWS\system32\geBrOHXO.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\wdsvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--
End of file - 22924 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080511-102749-780 O2 - BHO: (no name) - {C1BD4D50-E566-4688-9486-E459F0F187DD} - C:\WINDOWS\system32\vtUkkhEV.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)

S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 RetroWDSvc (Retrospect WD Service) - c:\progra~1\dantz\retros~1\wdsvc.exe <Not Verified; Dantz Development Corporation; Retrospect>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-01 01:00:37 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-04-15 02:59:56 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-14 06:29:54 0 d-------- C:\Program Files\Sun
2008-05-14 06:25:22 0 d-------- C:\WINDOWS\LastGood
2008-05-14 06:12:29 0 d-------- C:\Program Files\Common Files\Java
2008-05-12 08:16:30 0 d-------- C:\WINDOWS\twain_32
2008-05-11 09:34:41 0 d-------- C:\VundoFix Backups
2008-05-10 15:02:35 91712 --a------ C:\WINDOWS\system32\faeotode.dll
2008-05-10 14:52:15 100416 --a------ C:\WINDOWS\system32\lvhjmonk.dll
2008-05-09 10:14:59 98368 --a------ C:\WINDOWS\system32\tpykpiwo.dll
2008-05-08 09:50:54 106048 --a------ C:\WINDOWS\system32\sjptyhjo.dll
2008-05-08 09:38:59 97856 --a------ C:\WINDOWS\system32\olosgqnb.dll
2008-05-07 05:24:10 106560 --a------ C:\WINDOWS\system32\yuicgioe.dll
2008-05-07 05:16:20 105024 --a------ C:\WINDOWS\system32\scysrmfs.dll
2008-05-05 22:42:42 107584 --a------ C:\WINDOWS\system32\clsilqmf.dll
2008-05-05 22:33:26 104000 --a------ C:\WINDOWS\system32\xtltqavo.dll
2008-05-04 22:36:53 0 d-------- C:\Program Files\Trend Micro
2008-05-04 20:25:05 108096 --a------ C:\WINDOWS\system32\okyhbssn.dll
2008-05-02 12:25:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-05-02 11:19:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-04-30 00:22:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-04-30 00:20:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-30 00:20:45 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-30 00:20:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-30 00:20:44 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-30 00:20:43 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-30 00:20:43 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-30 00:20:43 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-30 00:20:43 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-30 00:20:43 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-30 00:20:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-30 00:20:42 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-30 00:20:42 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-30 00:20:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-30 00:20:42 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-30 00:20:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-30 00:20:42 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-30 00:20:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-30 00:20:42 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-29 09:43:57 1039301 --ahs---- C:\WINDOWS\system32\VEhkkUtv.ini2
2008-04-29 09:39:12 45568 --a------ C:\WINDOWS\system32\rqRJBRjK.dll
2008-04-16 21:30:26 0 d-------- C:\Documents and Settings\violet\Application Data\Sunbelt Software
2008-04-16 21:30:08 0 d-------- C:\Documents and Settings\violet\Application Data\Share-to-Web Upload Folder
2008-04-15 09:51:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot


-- Find3M Report ---------------------------------------------------------------

2008-05-14 06:28:36 0 d-------- C:\Program Files\Java
2008-05-14 06:12:29 0 d-------- C:\Program Files\Common Files
2008-05-12 10:35:57 0 d-------- C:\Documents and Settings\steve\Application Data\uTorrent
2008-05-11 09:29:33 131019 --a------ C:\WINDOWS\hpoins12.dat
2008-05-08 03:30:06 0 d-------- C:\Program Files\McAfee
2008-05-07 10:31:44 86219 --a------ C:\logfile
2008-04-08 00:05:12 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-06 22:00:24 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-04-06 22:00:24 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-04-06 21:48:56 0 d-------- C:\Documents and Settings\steve\Application Data\Sunbelt Software
2008-04-06 21:41:35 0 d-------- C:\Program Files\Sunbelt Software
2008-04-05 00:54:12 0 d-------- C:\Program Files\Windows Live Safety Center
2008-04-03 15:21:13 0 d-------- C:\Documents and Settings\steve\Application Data\Image Zone Express


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [07/21/2006 05:19 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 01:01 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/30/2006 09:40 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 08:12 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 01:02 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 01:05 AM]
"WD Button Manager"="WDBtnMgr.exe" [05/15/2007 07:05 AM C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [03/30/2007 10:42 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 09:52 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [08/27/2001 11:52 AM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 10:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 12:22 PM]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [11/28/2007 12:57 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/11/2007 08:42 PM]
"BMcf82201e"="C:\WINDOWS\system32\lvhjmonk.dll" [05/10/2008 02:52 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [07/19/2004 07:51 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [12/04/2007 01:32 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DWNAX09L\AOL_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\64YH0AMN\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\64YH0AMN\EBAYIS~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\64YH0AMN\EBAY_1~1.SH! C:\RECYCLER\S-1-5-~1\Dc1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\FF2_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\UTORRE~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\GET_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\GET_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\CLICK_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\_{MINI~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\MYSPAC~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\ADS_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\SH_TOP~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\A9QC958Z\POINTR~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\MINISU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\LOGINM~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\MAIN_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\FEATUR~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4U6XGS7Z\SPI_LO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EUNODJ22\MCLOGO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\LOGIN_~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZSKLFBHW\373910~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DA6U21MA\383955~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\IZT46CJC\UA_WEB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\PG856LR4\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KYRE9IMY\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\NN9EW1XK\72701_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\Y2R867Y7\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XF50UP32\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZYUG8988\WEBLIB~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\CLICK_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\P9X4F17W\BANNER~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\ADS_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\8PDW6HRW\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\LOX_-_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\P9X4F17W\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DG6F3VUI\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\8PDW6HRW\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\5BJRN1XA\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\RL1GTGVO\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\RL1GTGVO\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\2ZTT6YJR\GGG_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KVMU1Q9J\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OKRN5EOM\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OKRN5EOM\ADS_2_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KW4A269X\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\POZ7GIRJ\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GVMBVX2X\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\POZ7GIRJ\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\B9FHMCKX\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\B9FHMCKX\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\GWWL5U3Q\415548~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XE217HCE\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XE217HCE\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JBNLY8PB\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\Y8N2ERZP\AUCTIO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\XE217HCE\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\N0BTE5ID\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JBNLY8PB\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\N0BTE5ID\FAYAR_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X55E9PMI\BANNER~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\70YC3UA0\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\70YC3UA0\GETMSG~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DXXN5DGX\LOGOUT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X55E9PMI\GGG_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X55E9PMI\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\URCHIN~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\O-DEMO~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DXXN5DGX\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\70YC3UA0\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\Temp\IMAGED~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ESJATYZM\GETMSG~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OE1GXFIX\MINISU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\MAIN_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\FEATUR~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\B_ABOU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\OE1GXFIX\SCFRNT~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ODEMXJSY\L_HEAD~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KOZGDM10\FAYAR_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\FFKPNZAY\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\KOZGDM10\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\4SGP4UYW\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\X7JUYYOU\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WAFT754D\ADS_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\RUHUZLEY\MINISU~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\8VA59D6Q\MAIN_2~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DHASDDQW\LOGINM~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\DHASDDQW\LOGIN_~3.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\ZCXLFU1T\CLADOG~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\1NZW80C5\INDEX_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\1NZW80C5\__ORD_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\EB4JH6LW\HREF%3~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\QQ1C4WGX\TRACE_~1.SH!

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\steve\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 9:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrOHXO]
geBrOHXO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUkkhEV

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

*Newly Created Service* - SBAPIFS



-- End of Deckard's System Scanner: finished at 2008-05-14 07:06:50 ------------








Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 509.98 MiB / 189.56 MiB
Pagefile Memory (total/avail): 1247.19 MiB / 777.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 71.2 GiB total, 44.14 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 71.2 GiB - C:
\PARTITION2 - Unknown - 3.26 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:΅Torrent"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe:*:Enabled:Yahoo! Browser"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\steve\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BLACK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\steve
LOGONSERVER=\\BLACK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\steve\LOCALS~1\Temp
TMP=C:\DOCUME~1\steve\LOCALS~1\Temp
USERDOMAIN=BLACK
USERNAME=steve
USERPROFILE=C:\Documents and Settings\steve
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

steve (admin)
violet (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
ACDSee --> C:\PROGRA~1\ACDSYS~1\ACDSee\UNWISE.EXE C:\PROGRA~1\ACDSYS~1\ACDSee\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B755EF7-F860-4F72-9A2D-5216CB48BA7C}\setup.exe" -l0x9
ArcSoft VideoImpression 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66E0EB37-6024-4872-897A-8E83AF1C87CA}\setup.exe" -l0x9
AT&T Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
Bonjour --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D} /l1033
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell Support 5.0.0 (630) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
DellConnect --> MsiExec.exe /X{52D56C42-8C69-4882-A661-39695537C9CF}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet All-In-One Software 8.0 --> C:\Program Files\HP\Digital Imaging\{24557DC0-0839-496f-82F9-C4EB72EFE4FA}\setup\hpzscr01.exe -datfile hposcr12.dat
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photo Imaging Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\hpiunCX.dll
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Printing\hpiunPC.dll
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\Setup.exe" --MAIN -l9
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HPSSupply --> MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Development Kit 6 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160060}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0002_992e0c\Setup.exe /APR-REMOVE
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Polaroid Digital Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0697A326-25B4-4CF7-8D72-29609E828367}\Setup.exe"
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Retrospect 6.5 --> MsiExec.exe /I{73B69C5C-87D6-471E-B695-0BD736C4B644}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
skin0001 --> MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Photos Easy Upload Tool --> C:\Program Files\Yahoo!\Common\ydropper_uninst.exe /ylog=C:\PROGRA~1\Yahoo!\Photos\Uploader\install.log
Yahoo! Photos Print-at-Home Tool --> C:\WINDOWS\unins000.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type15943 / Error
Event Submitted/Written: 05/14/2008 06:32:23 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 686628912.

Event Record #/Type15942 / Error
Event Submitted/Written: 05/14/2008 06:32:15 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type15917 / Error
Event Submitted/Written: 05/13/2008 09:42:50 AM / 05/13/2008 09:42:51 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process C:\Program Files\McAfee\VirusScan\McShield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 3612 (0xe1c)

Thread address : 0x120E2344

Thread message :

Build VSCORE.14.0.0.349 / 5200.2160
Object being scanned = \Device\HarddiskVolume2\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
by C:\WINDOWS\system32\svchost.exe
4(125)(0)
4(125)(0)
7200(125)(0)
7595(125)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type15902 / Error
Event Submitted/Written: 05/12/2008 10:33:14 AM / 05/12/2008 10:33:15 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process C:\Program Files\McAfee\VirusScan\McShield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2556 (0x9fc)

Thread address : 0x120DBCCE

Thread message :

Build VSCORE.14.0.0.349 / 5200.2160
Object being scanned = \Device\HarddiskVolume2\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
by C:\WINDOWS\system32\svchost.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type15901 / Warning
Event Submitted/Written: 05/12/2008 09:14:28 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{4192EAC0-6B36-4723-B216-D0E86E7757AC}', feature 'PaintShopPhotoAlbum' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25170 / Error
Event Submitted/Written: 05/14/2008 06:06:00 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type25169 / Error
Event Submitted/Written: 05/14/2008 06:06:00 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type25158 / Error
Event Submitted/Written: 05/14/2008 06:05:19 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Bonjour Service service hung on starting.

Event Record #/Type25157 / Error
Event Submitted/Written: 05/14/2008 06:05:01 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Event Record #/Type25156 / Error
Event Submitted/Written: 05/14/2008 06:04:20 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-05-14 07:06:50 ------------

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 14 May 2008 - 02:34 PM

Hello ladebac,

This computer is quite infected, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus, CounterSpy Spyware Doctor and Spy Sweeper before running ComboFix, as they will prevent it from running.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You succesfully disabled the McAfee Guard.

To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

To disable CounterSpy
Right-click the running icon of CounterSpy in the system tray.
With your mouse, hover over Active Protection Status (This should be enabled).
A menu will slide out and then you need to right click on "Disable Active Protection".


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. Do not post a Hijackthis log.

Edited by SifuMike, 14 May 2008 - 02:37 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 14 May 2008 - 04:31 PM

Here is the ComboFix log. Let me know if you find other bugs that I might have. Once again thanks. :thumbsup:



ComboFix 08-05-12.1 - steve 2008-05-14 15:49:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.216 [GMT -5:00]
Running from: C:\Documents and Settings\steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\steve\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bgikiqrj.ini
C:\WINDOWS\SYSTEM32\bnqgsolo.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\clsilqmf.dll
C:\WINDOWS\SYSTEM32\edotoeaf.ini
C:\WINDOWS\system32\faeotode.dll
C:\WINDOWS\SYSTEM32\jjhiirmj.ini
C:\WINDOWS\system32\kexqsfti.ini
C:\WINDOWS\SYSTEM32\kxodpibl.ini
C:\WINDOWS\system32\lvhjmonk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\okyhbssn.dll
C:\WINDOWS\system32\olosgqnb.dll
C:\WINDOWS\system32\oorflyuh.ini
C:\WINDOWS\system32\qbvxqbkm.ini
C:\WINDOWS\system32\rqRJBRjK.dll
C:\WINDOWS\system32\scysrmfs.dll
C:\WINDOWS\SYSTEM32\sgqbrsej.ini
C:\WINDOWS\system32\sjptyhjo.dll
C:\WINDOWS\system32\tpykpiwo.dll
C:\WINDOWS\SYSTEM32\VEhkkUtv.ini
C:\WINDOWS\SYSTEM32\VEhkkUtv.ini2
C:\WINDOWS\system32\vvogbitg.ini
C:\WINDOWS\system32\xtltqavo.dll
C:\WINDOWS\system32\yuicgioe.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 06:40 . 2008-05-14 06:40 <DIR> d-------- C:\Deckard
2008-05-14 06:29 . 2008-05-14 06:29 <DIR> d-------- C:\Program Files\Sun
2008-05-14 06:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-14 06:12 . 2008-05-14 06:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-12 08:16 . 2008-05-12 08:16 <DIR> d-------- C:\WINDOWS\twain_32
2008-05-11 09:34 . 2008-05-11 09:34 <DIR> d-------- C:\VundoFix Backups
2008-05-04 22:36 . 2008-05-04 22:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-03 03:53 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-02 12:25 . 2008-05-02 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-05-02 11:19 . 2008-05-02 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-04-30 00:22 . 2008-04-30 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-04-30 00:20 . 2005-04-22 19:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-30 00:20 . 2005-04-22 19:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-30 00:20 . 2008-04-30 00:20 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 00:20 . 2008-05-14 15:48 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 21:48 . 2008-05-13 18:58 109,778 --a------ C:\WINDOWS\BMcf82201e.xml
2008-04-16 21:30 . 2008-04-16 21:30 <DIR> d-------- C:\Documents and Settings\violet\Application Data\Sunbelt Software
2008-04-16 21:30 . 2008-04-16 21:30 <DIR> d-------- C:\Documents and Settings\violet\Application Data\Share-to-Web Upload Folder
2008-04-15 09:51 . 2008-04-15 09:51 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 15:20 --------- d-----w C:\Documents and Settings\steve\Application Data\uTorrent
2008-05-14 11:28 --------- d-----w C:\Program Files\Java
2008-05-08 08:30 --------- d-----w C:\Program Files\McAfee
2008-04-30 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
2008-04-08 05:05 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-07 02:49 15,544 ----a-w C:\WINDOWS\system32\drivers\sbhr.sys
2008-04-07 02:48 --------- d-----w C:\Documents and Settings\steve\Application Data\Sunbelt Software
2008-04-07 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-04-07 02:41 --------- d-----w C:\Program Files\Sunbelt Software
2008-04-06 19:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 05:54 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-03 20:21 --------- d-----w C:\Documents and Settings\steve\Application Data\Image Zone Express
2007-01-02 22:27 12,288 -csh--w C:\WINDOWS\Twunk_16.dll
2007-01-02 22:27 12,288 -csh--w C:\WINDOWS\Twunk_32.dll
2007-03-22 16:20 848 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.exe" [2007-12-04 13:32 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 21:40 155648]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-15 07:05 335872 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 10:42 36904]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 11:52 45056]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 10:11 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-11-28 12:57 698864]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-11 20:42 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"combofix"="C:\WINDOWS\system32\CF6215.exe" [2004-08-04 05:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrOHXO]
geBrOHXO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-04-06 21:49]
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 07:59:56 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 06:00:37 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 16:03:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\FXSSVC.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-05-14 16:13:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 21:13:51

Pre-Run: 47,084,036,096 bytes free
Post-Run: 47,500,181,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

195 --- E O F --- 2008-05-14 15:27:42

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 14 May 2008 - 05:03 PM

Hi ladebac,

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrOHXO]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 14 May 2008 - 08:10 PM

I've done what you've asked. First I attached the ComboFix log and then the HijackThis one. Let me know what to do next. :thumbsup:


ComboFix 08-05-12.1 - steve 2008-05-14 19:34:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.276 [GMT -5:00]
Running from: C:\Documents and Settings\steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\steve\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-14 06:40 . 2008-05-14 06:40 <DIR> d-------- C:\Deckard
2008-05-14 06:29 . 2008-05-14 06:29 <DIR> d-------- C:\Program Files\Sun
2008-05-14 06:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-14 06:12 . 2008-05-14 06:12 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-12 08:16 . 2008-05-12 08:16 <DIR> d-------- C:\WINDOWS\twain_32
2008-05-04 22:36 . 2008-05-04 22:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-03 03:53 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-05-02 12:25 . 2008-05-02 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-05-02 11:19 . 2008-05-02 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-04-30 00:22 . 2008-04-30 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-04-30 00:20 . 2005-04-22 19:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-30 00:20 . 2005-04-22 19:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-30 00:20 . 2008-04-30 00:20 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 00:20 . 2008-05-14 15:48 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 21:48 . 2008-05-13 18:58 109,778 --a------ C:\WINDOWS\BMcf82201e.xml
2008-04-16 21:30 . 2008-04-16 21:30 <DIR> d-------- C:\Documents and Settings\violet\Application Data\Sunbelt Software
2008-04-16 21:30 . 2008-04-16 21:30 <DIR> d-------- C:\Documents and Settings\violet\Application Data\Share-to-Web Upload Folder
2008-04-15 09:51 . 2008-04-15 09:51 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 15:20 --------- d-----w C:\Documents and Settings\steve\Application Data\uTorrent
2008-05-14 11:28 --------- d-----w C:\Program Files\Java
2008-05-08 08:30 --------- d-----w C:\Program Files\McAfee
2008-04-30 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
2008-04-08 05:05 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-07 02:48 --------- d-----w C:\Documents and Settings\steve\Application Data\Sunbelt Software
2008-04-07 02:41 --------- d-----w C:\Program Files\Sunbelt Software
2008-04-06 19:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 05:54 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-03 20:21 --------- d-----w C:\Documents and Settings\steve\Application Data\Image Zone Express
2007-01-02 22:27 12,288 -csh--w C:\WINDOWS\Twunk_16.dll
2007-01-02 22:27 12,288 -csh--w C:\WINDOWS\Twunk_32.dll
2007-03-22 16:20 848 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-12-04 18:38 550,912 --sha-w C:\WINDOWS\SYSTEM32\oleaut32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_16.13.31.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 20:58:28 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-15 00:41:21 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2006-06-20 20:44:04 379,704 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-06-20 20:44:02 117,560 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
- 2008-05-14 19:50:14 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-05-15 00:26:11 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-05-14 19:50:14 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-15 00:26:11 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.exe" [2007-12-04 13:32 111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 21:40 155648]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"WD Button Manager"="WDBtnMgr.exe" [2007-05-15 07:05 335872 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 10:42 36904]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 21:52 49152]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 11:52 45056]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 10:11 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 12:22 20480]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-11 20:42 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 07:59:56 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 06:00:37 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 19:42:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\steve\LOCALS~1\Temp\tzkC.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\FXSSVC.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-14 19:57:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 00:57:01
ComboFix2.txt 2008-05-14 21:13:59

Pre-Run: 47,654,363,136 bytes free
Post-Run: 47,670,562,816 bytes free

165 --- E O F --- 2008-05-14 15:27:42




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:09 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12529 bytes

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 14 May 2008 - 10:34 PM

Hi ladebac,

Your log is looking much better. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Disable SpySweeper, CounterSpy and Spyware Doctor before running Hijackthis. If they are running they will prevent Hijackthis from working.

To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

To disable CounterSpy
Right-click the running icon of CounterSpy in the system tray.
With your mouse, hover over Active Protection Status (This should be enabled).
A menu will slide out and then you need to right click on "Disable Active Protection".


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.


Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE,
Scan Options:
Scan Archives
Scan Mail Bases


then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:

Posted Image

Under Save as type select Text file write name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan, a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 16 May 2008 - 09:41 AM

My computer is running a whole lot better than it was. I haven't had a pop up in a while. There are still instances where my computer slows to a crawl, though. Maybe the steps I've followed took care of that. It's too soon to tell. Well anyway, here are the two logs you wanted posted. Let me know what you think. :thumbsup:


gfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:43 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: McAfee Application Installer Cleanup (0180081210932090) (0180081210932090mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\018008~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 13445 bytes



------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 16, 2008 9:10:53 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/05/2008
Kaspersky Anti-Virus database records: 778009
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 89593
Number of viruses found: 11
Number of infected objects: 53
Number of suspicious objects: 0
Duration of the scan process: 02:12:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{60BECFBC-89A4-4C31-B63B-097CA6861599}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9E493B3F-F048-4EC3-9426-11610839F0D4}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR11.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS05D6C01C-0FE4-4D31-B33B-59E7197D7D69.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS05F5F524-4039-4A03-84C4-4F0DFD1BB702.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0656F951-F6AB-4691-9FF2-EC00D85906B1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0750C6B3-D5DE-4E39-9BC9-AAB13FA7D12B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0F51929B-0D4C-4A5D-9554-9687F550E927.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS13A73E50-4993-4ADE-9DBA-2A1C46E9F27F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1D6AB83E-756E-4599-A3A3-3E29AE6842BF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1DBE5FD2-D6BC-44B8-902E-9BD39FCB94BF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2060A76F-0990-44FA-BE18-F2FDD49F4B90.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS206EA1DF-742D-4EE8-AA92-8CC605594B34.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS20BF25A4-8A1F-475A-822D-E9D5200C54B5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS21BF0D34-0CD8-491D-AC05-C9AD96C80183.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2DA8400B-301A-487D-9FC1-2859EB6C4AC0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS31C5BFAC-05A8-42A5-8A14-61DE40005059.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS33B9B28F-7E8D-436C-A1CD-6B4A66DA9300.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS38FC15B6-C93F-40B9-80E2-BA5F68E6D95F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3B997648-A3A8-4B8D-929D-29F380304568.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3D41AE86-14D9-40A1-A125-49314123606C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3F69255C-93D2-4CF1-9CE1-C3F7AF927031.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS427CA6B3-3D75-4417-AF1E-3E5AC31B5FB5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS42A8ACDB-122D-4442-9C78-6D1567FBA92E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS43A6540A-DB31-4486-8F57-E9B6741A73C8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS44D1DD84-BF5E-4479-B20E-4A699B56934C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS456B2760-5E24-4FA4-8BD8-E8BD5A797578.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4959A6E9-D84C-459A-9007-DB1E2803FB33.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS49E39499-554A-4A56-874E-D5983462DA96.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4D6C2673-787C-4C66-8F60-F4ED9BA570F5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS527AFEE6-D013-4F36-BE4B-13E6A2C8AB3C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS53F66727-5547-4973-AD17-4B79648EEE26.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5CF91C7C-EF9C-435E-9AF8-640A52EA2074.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5EC7F5F5-2632-4519-85CB-1186C2794A80.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS670C846A-19EC-4AC4-B296-CADFF944C48C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS676FAA12-5C44-4441-9A1E-F10EEA6B0A40.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6813C7A0-21A6-46DA-9A35-23108208D2C3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6E3D4980-4137-4A73-A12D-0E9317E4D039.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS72764CA9-D379-4A19-AD85-2341BD52A01A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS73870FAC-5C5C-4DA1-BB72-C383660E852D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7911E13E-A46C-43AA-8C13-7EBCE0459954.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7A10941E-712D-41F8-8106-6603B980B9EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7FAE923E-08D8-4183-97D7-96EBA64B4B30.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS849DBD29-318A-4DCC-AD29-585614378DCD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS84C7D52B-67A6-494E-BB4F-1D5D70FE212D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS86CD7267-4908-410C-8653-B21829610B30.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS87994677-BAF6-431E-B7C1-859B358A10B7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS89BBEBCD-8E7A-4223-941E-0D95CA564273.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS89EE5809-AFB9-479F-988F-667DC6FA8D46.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS92B5615E-55E5-4AD0-8035-9B633E504443.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS97765AC9-B562-42E8-946D-5C9E27664D48.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS98D41503-09E5-4F7A-A703-AC09CC8A55DD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS995BBC2A-FFA3-4F53-8010-1D74E0F11D2C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9C210A58-2EA0-4D2D-A8B1-722733D1C099.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9D8C4CBF-727E-472E-8604-5BD4D91BE25B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9E247337-1303-4F60-9FA0-911FB7AD543E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS9F293AF6-93FC-4E43-ABC0-0CEC045BD37A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA51CC7A0-1084-46D5-83FF-CCA07D738261.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA5809F6A-0CEC-494F-AB36-0FC2A8A797C4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA5BECA49-A1FA-4502-8A56-A480B531F2FD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA70F14B3-3AD4-47E6-9CB4-59AE48E5634D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA9B79474-C84E-4F44-B31D-D59252B8C73B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAB583408-DC3A-4886-992B-BB8E99E40324.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSADAB10A2-5E33-4BDE-AAC1-A00B9935012A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAE2B51F0-1A08-4AEB-92B8-4CFCC4692617.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB3E30A6C-C62C-42BA-9794-7745E149643E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB732D0C1-0B05-42B9-AF08-DEBD5C461AB1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB7BDF0CE-9EF1-4A88-9B1F-D1987D773EF0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBA60C258-511C-4FF2-B42A-591CBDD4DC64.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBA6CC2EC-19A8-4575-B9DF-5D56768BA3DB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBDB5158E-CF48-416D-9C5D-EA75C0BE98E4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCEDB1C21-DB94-4BEE-B599-B4162932878B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD1B8CB76-70A9-4D8F-B333-7B9DD43E08F6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD2039F03-2A53-4AC9-9CF8-CA407AE41172.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDB42102A-5080-410C-A906-55F6273E1821.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE0B58DC9-A99D-44A1-8799-E8490B6BB943.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE33A92C5-422C-4FE7-8A04-A7D43447E88A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE356524A-6BA4-4BB0-988B-782CC0C98B84.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE46EF911-1CF6-419D-9E94-70BB9F21A247.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE4CF3433-FB13-41A2-A8F7-50147D8CDA5D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE7EB293A-77B1-4AB6-87B6-4717D5447240.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEB320983-40AE-4E9A-88CD-33D95D8F8769.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSECF2B2DB-3FA3-45B0-8BA0-155BE64D9426.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSED98EDC3-4283-438E-8A2E-55FF8C51745D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF2C0D1AD-4DEF-4756-952F-81341DA71434.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF3F2B54B-7CA8-41E7-8527-E9B52F4170D2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF8670782-BD95-4E87-9AC6-577B6DE3CC55.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF8E7554E-5322-4335-9F76-330DC375DB6A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSF98FA1DD-1440-4493-ADF3-59B3C174FEAD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFE37DCAE-3DA0-49E8-A327-9BBEDDFBB73B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFF4E1242-C9B2-4E63-9D85-1857A8EB4247.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFFDD6B6A-07F9-4A2A-90A3-C79B83AC89EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\fgvyijfe.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\fmgeytib.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\fnidyvnh.dll.bac_a00548 Infected: Trojan.Win32.Monder.an skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\jmriihjj.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\jwcelmkk.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\lbipdoxk.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\lpjeiypf.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\ohjaaxvx.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\vbwvscvj.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\vtUkkhEV.dll.bac_a00548 Infected: not-a-virus:AdWare.Win32.Virtumonde.quh skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\wttqhqva.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\steve\Application Data\Webroot\Spy Sweeper\Logs\080516063848.ses Object is locked skipped
C:\Documents and Settings\steve\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\temp\~DF2262.tmp Object is locked skipped
C:\Documents and Settings\steve\Local Settings\temp\~DFAAB.tmp Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.m3u.exe/m3u.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.m3u.exe/m3u.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.m3u.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.m3u.exe CAB: infected - 3 skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.nfo.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.nfo.exe CAB: infected - 1 skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.sfv.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.sfv.exe CAB: infected - 1 skipped
C:\Documents and Settings\steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\faeotode.dll.vir Infected: Trojan.Win32.Monder.dm skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lvhjmonk.dll.vir Infected: Trojan.Win32.Monder.dl skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\okyhbssn.dll.vir Infected: Trojan.Win32.Monder.da skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\olosgqnb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqRJBRjK.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\scysrmfs.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sjptyhjo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tpykpiwo.dll.vir Infected: Trojan.Win32.Monder.de skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yuicgioe.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0095961.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0105166.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP396\A0107306.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107402.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107403.dll Infected: Trojan.Win32.Monder.an skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107405.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107406.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107407.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400\A0109498.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400\A0109580.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401\A0111642.dll Infected: Trojan.Win32.Monder.db skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401\A0112773.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405\A0113854.dll Infected: Trojan.Win32.Monder.cz skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405\A0113860.dll Infected: Trojan.Win32.Monder.df skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405\A0113892.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.quh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406\A0113992.dll Infected: Trojan.Win32.Monder.cz skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116109.dll Infected: Trojan.Win32.Monder.dm skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116110.dll Infected: Trojan.Win32.Monder.dl skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116111.dll Infected: Trojan.Win32.Monder.da skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116112.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116113.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116114.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116115.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116116.dll Infected: Trojan.Win32.Monder.de skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116118.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP422\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel® 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{56612B15-04C9-4A38-96EF-1A297C56D2AF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_7nbsIpLWPBeTF7C Object is locked skipped
C:\WINDOWS\Temp\mcmsc_4ftfRTPgQ3e2Wgc Object is locked skipped
C:\WINDOWS\Temp\mcmsc_atTaldb9bApglSe Object is locked skipped
C:\WINDOWS\Temp\mcmsc_fqU6zFqN0pIb5oI Object is locked skipped
C:\WINDOWS\Temp\mcmsc_oRDA9CoOmPfop5U Object is locked skipped
C:\WINDOWS\Temp\mcmsc_wMlzE5Nh3bRxmYk Object is locked skipped
C:\WINDOWS\Temp\sqlite_NqttcxtTDhx2pHc Object is locked skipped
C:\WINDOWS\Temp\sqlite_WYqnC1l6qxLyYes Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 16 May 2008 - 01:26 PM

Hi ladebac,

Looks like the Hijackthis fixes did not work. :thumbsup:

The normal reason the fixes do not work is that you have left a spyware tool enabled or did not close the browser/explorer windons.

Are you sure you disabled SpySweeper, CounterSpy and Spyware Doctor?
Did you close browser/explorer windows before using Hijackthis?

Disable SpySweeper, CounterSpy and Spyware Doctor before running Hijackthis. If they are running they will prevent Hijackthis from working.

To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

To disable CounterSpy
Right-click the running icon of CounterSpy in the system tray.
With your mouse, hover over Active Protection Status (This should be enabled).
A menu will slide out and then you need to right click on "Disable Active Protection".


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com



*******************************************



Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.m3u.exe
    C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.nfo.exe
    C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.sfv.exe


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

*******************************************

Reboot your computer, post a new Hijackthis log, and OTMoveIt2 log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 19 May 2008 - 04:02 PM

First off, I do not have spyware doctor on my system anymore. The subscription expired months ago. Also, I no longer have counterspy on there. I deleted those files with hijackthis. When I restarted the computer they were in the logfile again. Here are the logs you requested.



ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:10 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 13302 bytes


File/Folder C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.m3u.exe not found.
File/Folder C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.nfo.exe not found.
File/Folder C:\Documents and Settings\steve\My Documents\My Music\The_Roots-Rising_Down-CD-2008-RACEME\00-the_roots-rising_down-cd-2008.sfv.exe not found

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 19 May 2008 - 05:06 PM

Hi ladebac,

First off, I do not have spyware doctor on my system anymore. The subscription expired months ago. Also, I no longer have counterspy on there. I deleted those files with hijackthis.


Deleting the files will hijackthis will not do the trick. :thumbsup: You have to uninstall them to get rid to them.


The only reason the fixes did not work because either you have SpySweeper enabled, or you did not (close browser/explorer windows) when using Hijackthis. :)


Let try again.

To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com



*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

Reboot your computer.


Run Kaskpersky Webscan (see instructions in previous post), post the Kaspersky log and a fresh Hijackthis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 25 May 2008 - 04:22 PM

Sorry if you misunderstood my last response. Let me word this one better. First off, I did uninstall all those anti-spyware programs using the control panel. I did as you asked with Webroot Spysweeper and every time I rebooted the computer, the files came back. I even shut down all my Mcafee protection before running Hijackthis and got the same result. I still occasionally get the pop-ups. Now though, no website is displayed. The pop-up states that internet explorer can't display the web page. As soon as I completely shut down my Yahoo web browser, the pop-ups disappear. I have attached the logs you needed. Let me know the next step. :thumbsup:


------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 25, 2008 3:55:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/05/2008
Kaspersky Anti-Virus database records: 800225
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 89934
Number of viruses found: 11
Number of infected objects: 45
Number of suspicious objects: 0
Duration of the scan process: 02:14:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9E493B3F-F048-4EC3-9426-11610839F0D4}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRBE.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS00E75BFC-1E92-4DCE-AE23-C6A421AD9281.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS022EB674-AA3A-49E5-B223-AE29FE9A8CCA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS05977094-FA7B-4777-AEA3-DBD4D30728CC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS0686D624-B1F2-4C0F-87C2-7B2DB931B41E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS081DD63E-5EBC-4BE9-9EE0-57F873129DC0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1712854B-675A-42D6-A22D-E8593B2DA525.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS17CA1E86-CDEF-4324-8911-54FA779F98BF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS1F4BCE95-7381-4B98-8F04-8B19EF0F6DFE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS20CED792-5E7A-4C1D-8530-91705DCFC490.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS22E9D4D7-71BE-485A-8E17-910F46AFB4A1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS23ABBAE4-5F8D-4890-979F-69C52CF783B1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2BED6074-70FA-49D4-8984-25EFC3D2F628.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2F351523-3871-4057-B8C5-F76EDEA5E00F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS2F503A35-1240-4B38-86DC-E48EBCC6DD89.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3225AA00-0C67-4419-9F55-9519135DFFE6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS35B7A9F6-8039-4F9A-B715-3C40CC10DC61.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3608AE6E-FBBA-4E15-B3F5-C0D1DF61FF67.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS360B8468-39F7-4616-995B-96BF99801D7C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS3BD43316-13B2-4D75-868D-0CD57498029A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS41FC7981-7C5E-4DB7-BFF5-41B68367CCCD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS45656D53-83C0-4963-8BA6-3CEE87DD2EDC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS48601ADB-7553-457D-9AFB-C740917C9ADA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4A0648BF-238A-4A39-8959-E371ABD5D036.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4A6A1440-1156-4ED6-8A38-66D15512FCDF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4B8CF215-9F05-445A-84CC-7187977B234E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4BEBA41B-B05E-4EF6-B4A4-371ED095619F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4C26F844-8800-430C-8F8B-7B48F3BC2A6E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS4E99E152-B0C9-4EA6-91FF-70FBA0C19C3F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS53038D61-E754-46BD-819F-B1269A12BD23.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS56A1D643-3EF5-4357-BAA3-ED96DEB4F49E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5CF9BEA4-F287-40DE-BFCA-96FCA1BCED48.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS5EDAC598-D7F4-4B99-B972-376BB057DE17.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS62364B22-3D00-4A4D-81DB-5097873C2C50.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS62FA682F-88C5-48E1-8BAD-CC37F94B9054.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS64BDFFCE-7A99-431A-890E-532C7F9D895E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS67A0CBE1-911C-4299-9D52-9CC0D87C8DF6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6807A92C-499F-4951-8E6C-54258D4BF3C1.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS6826D5CF-FB9F-44D3-9D6F-81EC722AB226.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS687263BD-7A8D-4987-9897-4920D2578BDB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS737979DB-6742-424A-B628-BEBFCA075B07.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS760F452B-BBE6-4918-87ED-E375B96AF712.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7679CF7E-E23F-42D0-9D1F-09DEE4914284.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS79DAF052-15A6-420D-A648-54F1B56911CA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7B452A3A-EC64-4ABF-BFB0-14334C066C48.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS7DA16DC6-F932-4AAA-835A-D97A0F9D107E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS82E9BF3F-8CC7-4D3C-9D8A-FB33B158ADFE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS84B6BAA4-4B8E-4917-B384-09568945B647.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS84E4CA2F-53C4-4CB6-B754-EFDC84F68FBC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS863232C2-DB9B-4DF4-9C6A-E4D64369AEB3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8C0D4500-9CE4-47E0-B89B-7AB9FCEB910B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS8E46CD26-48D9-4DE1-A9CD-D40A10769417.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS90831418-9E05-4706-B1F4-541A95255B7D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMS93CBF011-BCE6-47B8-A93B-C0DEBCA00C12.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA527E153-03D2-46C6-8284-DCA43E60DDDE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA62BD738-9EA0-49DE-ADA9-83A6005DB675.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA6B6DD7D-80E3-4279-AB02-AB82CF21B974.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSA7D13BE9-C7EC-428D-B8AE-96F57E92840E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAAC83687-9FE4-4D6A-808D-944F76BBB0AA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAB30D930-22E9-4FF8-ABCF-D41F374E09F7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSAF5797A0-EDC7-49F7-A64D-50E56D9ADC83.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB33BAE39-4D75-4F6D-AB66-DAAA5DCC6503.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB39567B3-3FCE-4978-BE2D-A32F76C0FC59.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSB81A28B4-8E46-46A4-A17B-144E9ECAB77B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBAAD166A-431D-4090-A8C3-A6BAC7837FE6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBAB2D609-B1D0-4487-8410-1FBC2FE3F448.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBC3DB02D-F7BA-4E6F-AC8F-456AFB7FFFE2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBD5F6F28-28E2-43DF-80D5-B2916FC01114.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSBE922001-280D-4D1F-BC35-E5AEA0C3B207.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC0957F55-1F17-46F8-BB39-BB84B96A964D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSC89B824F-88F2-4D8A-8D60-159E70D5F6F0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCB5582B8-99D2-4585-8A3C-6E8263345891.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCB5DCD48-B14A-4B41-A7D9-3DE8BF0D413A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSCEADCDC9-F777-491B-B7D8-BC42865EF1CC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD291E4FF-2815-48ED-A074-D6B7ED055CC7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD3AEC9AD-E94E-4928-BC26-F09FB4EBCD21.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD6E458FC-DD6B-47BA-A44D-14B2B8804FC7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSD6FC3143-35C6-40BE-AB3E-B0DA28C20375.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDB37BEA3-3E5F-4C61-9B4F-B28DE11D3E3A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDBE2016C-E63E-4FE8-A740-023659CEF9A6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDC461135-EBBD-4AE5-A066-21556D1B7435.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSDC6CB09D-1B44-4F74-A29E-553E8FC13F0D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE0B46A0D-1F7A-467D-822D-A8C9EFB9FE4B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSE176641C-FFC1-440E-83F5-805CCC0ED11C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEA9D0597-8E13-40F7-9B3E-E277BE8FEEF7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEE0C1EC5-DE6E-4B90-8B7F-A5C999802330.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSEE4E7809-1B45-47FE-8DC7-FD7C9824C320.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFBB88236-103E-4E43-8AB7-EE2092D4C944.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFC762204-8CB3-4B1C-B581-76630270FFB8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSMSFDA75992-B2EE-42EF-A481-C092CA01E1A0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\fgvyijfe.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\fmgeytib.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\fnidyvnh.dll.bac_a00548 Infected: Trojan.Win32.Monder.an skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\jmriihjj.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\jwcelmkk.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\lbipdoxk.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\lpjeiypf.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\ohjaaxvx.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\vbwvscvj.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\vtUkkhEV.dll.bac_a00548 Infected: not-a-virus:AdWare.Win32.Virtumonde.quh skipped
C:\Documents and Settings\steve\.housecall6.6\Quarantine\wttqhqva.dll.bac_a00548 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\steve\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\steve\Application Data\Webroot\Spy Sweeper\Logs\080525132252.ses Object is locked skipped
C:\Documents and Settings\steve\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\steve\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\History\History.IE5\MSHist012008052520080526\index.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\temp\~DF4F40.tmp Object is locked skipped
C:\Documents and Settings\steve\Local Settings\temp\~DF7E53.tmp Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqRJBRjK.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0095961.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0105166.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP396\A0107306.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107402.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107403.dll Infected: Trojan.Win32.Monder.an skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107405.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107406.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0107407.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400\A0109498.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400\A0109580.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401\A0111642.dll Infected: Trojan.Win32.Monder.db skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP401\A0112773.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405\A0113854.dll Infected: Trojan.Win32.Monder.cz skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405\A0113860.dll Infected: Trojan.Win32.Monder.df skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405\A0113892.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.quh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406\A0113992.dll Infected: Trojan.Win32.Monder.cz skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116109.dll Infected: Trojan.Win32.Monder.dm skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116110.dll Infected: Trojan.Win32.Monder.dl skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116111.dll Infected: Trojan.Win32.Monder.da skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116112.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116113.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116114.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116115.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116116.dll Infected: Trojan.Win32.Monder.de skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0116118.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117507.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117507.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117508.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117508.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117509.exe/m3u.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117509.exe/m3u.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117509.exe/is201737.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP423\A0117509.exe CAB: infected - 3 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP428\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel® 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{820D863D-96EE-4EFD-ABA6-91DBD44ACDA9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_3NbL29dJiuVLtq7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ez2L4nzBBTesR71 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_M2flSEhyiFfKep3 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_sseAG0cdx9cwNml Object is locked skipped
C:\WINDOWS\Temp\sqlite_LQJHNPJ2rJ7K9Tf Object is locked skipped
C:\WINDOWS\Temp\sqlite_Yr9LYOzvAkbtEIc Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:50 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\msiexec.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12990 bytes

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:33 PM

Posted 25 May 2008 - 06:31 PM

Hi ladebac,

The Kaspersky log looks clean. :thumbsup: Everything it found were in viruses quarantined by other scanners and viruses in the System Restore folder. We will be deleting the ComboFix log and System Restore folder later.


The pop-up states that internet explorer can't display the web page. As soon as I completely shut down my Yahoo web browser, the pop-ups disappear

.

That sounds like it is the Red Sheriff infection.

Something is preventing those items from being deleted, so lets try the Safe Mode.


How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and run HijackThis and click "Scan."
Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com



These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe\"
(Description: Adobe reader startup - unnecessarily uses system resources.)

O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray. )


Close all browsers and other windows except for HijackThis, and click "Fix checked"


*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

*******************************************

Reboot your computer, post the a fresh Hijackthis log and let me know how things are working.

Edited by SifuMike, 25 May 2008 - 06:32 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 ladebac

ladebac
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:01:33 AM

Posted 25 May 2008 - 09:31 PM

So far my computer has been running a whole lot better. But the Safe mode Hijackthis did not remove the problem. Here is a copy of the log. Let me know what's next. :thumbsup:


ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:02 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [MBkLogOnHook] "C:\Program Files\McAfee\MBK\LogOnHook.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P2 /q C:\DOCUME~1\steve\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\MN20KVDK\HEADER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TDV0W38L\LEFT_1~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\RIGHT_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\0ZOY3XNB\FOOTER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\LXUN56MD\COMMON~1.SH! C:\DOCUME~1\ALLUSE~1\DOCUME~1\AOLDOW~1\HSPERF~1\3252.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\TG648X0P\BANNER~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\W8R3AV8N\669065~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\INDEX_~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\WMS45VUQ\IM_BRA~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\J5B2SBCI\AR_1_~1.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~2.SH! C:\DOCUME~1\steve\LOCALS~1\TEMPOR~1\Content.IE5\JF7OK7M6\VISITO~4.SH!
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinner.com/games/v50/chess/chess.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/famil.../familyfeud.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12365 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users